Richard Pieri wrote:
> Tom Metro wrote:
>> Strictly an automatic screen lock/unlock. But nice. A step in the right
>> direction.
>
> Until someone steals your phone....

All security measures have a finite space of effectiveness. What are the attack vectors you are trying to guard against?

Remember that the phone only serves as the 2nd of a two-factor authentication. So the window of opportunity (unless the attacker also plans to crack your password) is limited to an hour or two after you walked away from your computer.

Sure, someone can steal your phone, but will they know it can unlock your computer if they get into your office before you get back from lunch? A co-worker would, but are they who you are guarding against?

> Regarding the Bluetooth proximity unlock, there is a way to exploit
> such a system without the victim ever being without his fob. ...use a
> pair of transceivers to extend the RFID range.
>
> It's a simple exploit.

Clever, and simple in concept, but not simple to pull off.

So let's see, an attacker sneaks into your office, surreptitiously places a Bluetooth transceiver just outside the conference room where you are having a meeting, and then gets back to your cube unnoticed where he places the 2nd transceiver and unlocks your computer?

Or maybe he breaks into your office just after you left work for the evening, while his partner "war drives" for your phone outside your house?

Sure, doable, but until you can pick up a pair of turn-key Bluetooth extender transceivers mail order from China, not likely. If you're protecting something valuable enough to justify that effort, you don't want to be relying on Bluetooth proximity.

In any case, with a smartphone you could easily mitigate this exploit with "geofencing." The PKI app on the phone wouldn't even respond to an unlock request if the phone wasn't in the right geographic area (based on GPS) for the requesting computer.

Even the basic Bluetooth proximity mechanism is a worthy upgrade compared to using only passwords that are stuck to the monitor on a post-it note.

> Car thieves have been using it for several years...

Really? There's evidence this has been pulled off more than once? How do they get the transceiver near the owner without being noticed? Who is building the transceivers?

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
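
The geofencing mitigation mentioned in the message above, sketched as an added example that is not part of the original post or of any real unlock app: the phone stays silent unless a fresh GPS fix places it within the radius registered for the requesting computer. The computer ID, coordinates, radius, and key are constructed, and an HMAC over a shared key stands in for the PKI signature the post refers to.

```python
import hashlib
import hmac
import math
import time

EARTH_RADIUS_M = 6_371_000

# Constructed sample data: computer id -> (lat, lon, allowed radius in metres)
REGISTERED_COMPUTERS = {
    "office-desktop": (42.3601, -71.0942, 150.0),
}
SHARED_KEY = b"constructed-demo-key"  # assumption: stand-in for the phone's private key


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def respond_to_unlock(computer_id, challenge, fix, now=None, max_fix_age_s=60):
    """Return an HMAC response to the challenge, or None to stay silent.

    fix is (lat, lon, accuracy_m, timestamp) from the phone's GPS, or None.
    """
    now = time.time() if now is None else now
    site = REGISTERED_COMPUTERS.get(computer_id)
    if site is None or fix is None:
        return None  # unknown computer or no position: fail closed
    lat, lon, accuracy_m, fix_time = fix
    if not 0 <= now - fix_time <= max_fix_age_s:
        return None  # a stale fix may predate the phone leaving the area
    site_lat, site_lon, radius_m = site
    # Worst case: the phone sits at the far edge of its accuracy circle.
    if haversine_m(lat, lon, site_lat, site_lon) + accuracy_m > radius_m:
        return None
    # Bind the response to this computer so it cannot be reused for another one.
    msg = computer_id.encode() + b"|" + challenge
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
```

With this check, a relayed unlock request that reaches the phone while it is outside the registered area gets no response at all, which is the behaviour the post describes.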