CVE-2019-11885

Vulnerability

The eyeDisk USB flash drive, which uses iris recognition for authentication, transmits the unlock password in cleartext over USB when the device is unlocked. The password can be recovered by anyone who can sniff USB traffic, for example by using a USB monitor or a custom USB device that sends a specific SCSI command: 06 05 52 41 01 b0 00 00 00 00 00 00 [1]. The cleartext password is sent as part of the authentication protocol, bypassing any encryption of the credential itself. Affected versions include all eyeDisk devices shipped as of the publication date (May 2019) [1].

Exploitation

An attacker with physical access to the eyeDisk USB stick can plug it into a computer and use a USB protocol analyzer (such as Wireshark with USBPcap) to capture USB traffic during the unlock process [1]. Alternatively, the attacker can send the aforementioned SCSI command to the device, which causes it to output the cleartext password [1]. No authentication is required to initiate the capture; the attacker only needs to have the device connected to a host system where they can run USB monitoring software or issue SCSI commands.

Impact

Successful exploitation reveals the plaintext password used to unlock the encrypted storage on the eyeDisk [1]. The attacker can then use that password to access all data stored on the drive, defeating the AES-256 encryption and the biometric authentication. The impact is a complete compromise of data confidentiality, as the attacker gains the ability to read, copy, or modify any files on the drive without the legitimate user's knowledge.

Mitigation

As of the publication date (May 12, 2019), no firmware update or fix has been released by the vendor to address this vulnerability [1]. The device ships with the cleartext password transmission as a design flaw. Users are advised not to store sensitive data on the eyeDisk or to discontinue use of the device until a fix is available. The device is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.