[Discuss] A Little OT: The Password Post-It

Tom Metro tmetro-blu at vl.com
Thu Apr 19 02:13:45 EDT 2012


Richard Pieri wrote:
> Tom Metro wrote:
>> Strictly an automatic screen lock/unlock. But nice. A step in the right
>> direction.
> 
> Until someone steals your phone....

All security measures have a finite space of effectiveness. What are the
attack vectors you are trying to guard against?

Remember that the phone only serves as the 2nd of a two-factor
authentication. So the window of opportunity (unless the attacker also
plans to crack your password) is limited to an hour or two after you
walked away from your computer.

Sure, someone can steal your phone, but will they know it can unlock
your computer if they get into your office before you get back from
lunch? A co-worker would, but are they who you are guarding against?


> Regarding the Bluetooth proximity unlock, there is a way to exploit
> such a system without the victim ever being without his fob. ...use a
> pair of transceivers to extend the RFID range.
> 
> It's a simple exploit.

Clever, and simple in concept, but not simple to pull off.

So let's see, an attacker sneaks into your office, surreptitiously places
a Bluetooth transceiver just outside the conference room where you are
having a meeting, and then gets back to your cube unnoticed where he
places the 2nd transceiver and unlocks your computer? Or maybe he breaks
into your office just after you left work for the evening, while his
partner "war drives" for your phone outside your house?

Sure, doable, but until you can pick up a pair of turn-key Bluetooth
extender transceivers mail order from China, not likely. If you're
protecting something valuable enough to justify that effort, you don't
want to be relying on Bluetooth proximity.

In any case, with a smartphone you could easily mitigate this exploit
with "geofencing." The PKI app on the phone wouldn't even respond to an
unlock request if the phone wasn't in the right geographic area (based
on GPS) for the requesting computer.

Even the basic Bluetooth proximity mechanism is a worthy upgrade
compared to using only passwords that are stuck to the monitor on a
post-it note.


> Car thieves have been using it for several years...

Really? There's evidence this has been pulled off more than once? How do
they get the transceiver near the owner without being noticed? Who is
building the transceivers?

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
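The geofencing mitigation Tom sketches above, as an added example that is not from the thread or from any real unlock product: the phone-side policy answers a computer's unlock request only when its GPS fix is fresh and sits inside the area registered for that computer. The computer ids, fence coordinates and the 120-second freshness limit are constructed assumptions.

```python
import math
import time
from dataclasses import dataclass


@dataclass
class GpsFix:
    lat: float
    lon: float
    accuracy_m: float   # estimated horizontal error radius of the fix
    timestamp: float    # epoch seconds when the fix was taken


# Constructed sample registry (assumption): computer id -> (lat, lon, radius in metres)
# describing where the phone may answer that computer's unlock request.
GEOFENCES = {
    "office-desktop": (42.3370, -71.2092, 100.0),
    "home-laptop":    (42.3500, -71.1900, 50.0),
}

MAX_FIX_AGE_S = 120.0   # a fix older than this is treated as "location unknown"


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def should_answer_unlock(computer_id, fix, now=None):
    """Phone-side policy: reply to an unlock challenge only when the phone is
    verifiably inside the fence registered for the requesting computer.
    Fails closed: an unknown computer, no fix, a stale fix, or a fix whose
    error circle reaches outside the fence all yield False."""
    now = time.time() if now is None else now
    fence = GEOFENCES.get(computer_id)
    if fence is None or fix is None:
        return False
    if now - fix.timestamp > MAX_FIX_AGE_S:
        return False
    lat, lon, radius = fence
    # Require the whole uncertainty circle to lie inside the fence, so a poor
    # fix near the boundary cannot satisfy the check.
    return haversine_m(fix.lat, fix.lon, lat, lon) + fix.accuracy_m <= radius
```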