Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Software Secures Data when Owners Walk Away

Posted by chrisd on from the don't-lost-your-watch dept.

Makarand writes "Leave an operating laptop unattended on your desk and your sensitive data is accessible to anyone who gets hold of it. To limit this risk many users configure their systems to fall into a "sleep" mode after a period of inactivity and ask for a password before the system can be awakened. This constant re-authentication proves to be a headache for many users. Now a Professor and his graduate student at at the University of Michigan have come up with a system called Zero-Interaction Authentication (ZIA), described in this article in The Age, to protect data on mobile devices. The system works by starting to encrypt data the moment the owner walks away from the system. The owners wear a token with a encrypted wireless link with the laptop. If the token moves out of range the ZIA re-encrypts all data within 5 seconds. If the cryptographic token moves within range the system decrypts the information for the owner. The token, which could take many forms, is currently a wristwatch with a processor running Linux designed by IBM."

27 of 302 comments (clear)

  1. wouldn't it make more sense by drDugan · · Score: 4, Interesting

    would it not be more sensible to make the token a passive device, like one with an RFID

    I'm not an expert in encryption, but I have had serveral security related dongles and all of them were a pain in the arse.

    it would seem that there are technologies (I've read about) that can return specific information passively when hit with specific radio frequencies. Wouldn't these be more easily used than a powered device like a watch?

    Anyone else know more about these technologies?

    1. Re:wouldn't it make more sense by LostCluster · · Score: 4, Informative

      RFIDs are "dumb" devices. They're like your EZ-Pass in your car, when a radio beam passes through them, they alter the beam to add their "signature" which is uniquely identifyable. This is useful for identity, but nonsense for encryption. The problem is that if you are within range to "hear" the signal, you get the ID and enough to make a duplicate token. Tardly the model for security. There's no place for encryption here... whatever value is broadcast is the key value. By requring the token to have a microprocessor, the key never gets broadcast. It's an encrypted conversation between the station and the token, which if properly implemented makes it impossible to have a duplicate token take its place.

    2. Re:wouldn't it make more sense by LostCluster · · Score: 5, Insightful

      If you unify the office security systems, then the system can require you be wearing your watch in order to unlock the bathroom door... if you left your watch at your desk while you go to the bathroom, you have to go back and get it.

      People will carry their key with them if it's required to do everything they want to do away from their desk too.

    3. Re:wouldn't it make more sense by cybermace5 · · Score: 5, Interesting

      As the previous poster pointed out, RFID is relatively easy to snoop on.

      One of my major peeves is the RFID card that gets me into work every morning. In certain stores, my RFID card returns a code that sets off their RF tag detectors at the door. Usually I remember, pull out my wallet, and hold it over my head while walking through. Once I forgot at Fleet Farm (basically a giant general store, like Home Depot with tractor parts) and I set off the alarm. Of course someone came to visit me, and it was especially embarrassing because I was wearing a big coat and didn't buy anything. She handed me a little piece of cardboard called a "Schlage Shield" and said to put it in my wallet. No more alarm.

      Worked great, except that opening the door at work involved putting down my coffee, laptop, and lunch to get out the RF card (instead of conveniently pressing my butt against the door). So I took it out, and promptly set off a Barnes & Noble alarm. No one seemed to care, so I just pulled out my wallet and walked through with the wallet over my head again.

      ANYWAY...the point is that RFID tags are barely more secure than keeping a post-it note with an access code.

      I am curious exactly what my card claims to be on the store scanners....

      And the whole article is a duplicate.

      --
      ...
    4. Re:wouldn't it make more sense by Cruciform · · Score: 5, Funny

      I'm soooo sorry about the wastebasket, Sir. You see they were serving East Indian cuisine in the caf and I forgot my watch today. And you know those locks on the bathroom doors... once again Sir, my apologies.

    5. Re:wouldn't it make more sense by FyRE666 · · Score: 5, Funny

      A good IT department will audit this (at least for the users that reside in the office... that goes for plain-view passwords, etc) and penalize users who do not [lock machine when leaving it unattended]
      I used to have great fun with people who did this at a previous job where the majority of machines were Sun/Linux. One guy constantly left his machine logged in, so I'd sneak over and drop the security on his X server (xhost +), then have great fun randomly opening apps on his machine across the room. Since he was a hardcore Windows man (he was working as a Perl programmer, and didn't have any interest in the operating system) he had no idea what was going on.

      Oh yeah, I also set up a cron job to open Netscape, pointed at the famous goatcx site at lunch every day on his machine for a while...

      --
      Code, Hardware, stuff like that.
    6. Re:wouldn't it make more sense by Sheridan · · Score: 5, Funny
      but I have had serveral security related dongles and all of them were a pain in the arse.

      Dude, you're definitely wearing your dongle in the wrong place!

  2. Interesting article/research project by ekrout · · Score: 5, Insightful

    But what happens when the neighborhood/college/company bully steals your watch?

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Interesting article/research project by EverDense · · Score: 5, Funny

      Then you offer praise to whomever you worship that the company you work for didn't use
      finger print authentication. Its a lot easier to replace a stolen device than a stolen finger.

      --
      http://jesus.everdense.com/
  3. Would that be the J R R Token by cyber_rigger · · Score: 4, Funny

    That you wear on your finger? :^)

  4. Vulnerable to brute force cracking by commodoresloat · · Score: 5, Funny

    Gimme your watch, punk!

  5. Something's missing by Safety+Cap · · Score: 5, Interesting
    (from the article)
    At the beginning of the process, the user enters a password on the watch~.
    Isn't the point so that lazy people don't have to be bothered with remembering passwords? Doesn't this defeat the purpose? (sigh)

    What happens if you take your watch off and leave it next to the computer? It never encrypts!

    Worse yet---what happens if your watch gets stolen? Now you can't get at your data! Better make sure you get the Casio watch option instead of the Breitling. No one would want to steal a Casio POS, so you should be safe.

    --
    Yeah, right.
  6. Use my technique by ekrout · · Score: 4, Interesting

    I keep all mission-critical and government-classified information on portable USB Flash DRAM-based storage devices. They're incredibly portable and can be brought to the gym, in the car, to work, back home, swimming, hiking, biking, etc.

    To be perfectly honest, I just can't bring myself to respect anyone who would leave a $4,000 laptop with supposedly top-secret information on it sitting out on a cafeteria table or something while they go sit in the bathroom and read the paper.

    Just stick with portable USB drives. They're cheap, efficient, fast, and more secure than any fly-by-night research project out there right now.

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Use my technique by Mitreya · · Score: 4, Insightful

      Parent might be a troll, but he makes a valid point. If you are already prepared to carry some device on you, you might as well have the data *on* that device... So not only is it safe from someone's tampering, but stays with you if the laptop is stolen alltogether...

    2. Re:Use my technique by Surak · · Score: 4, Funny

      I keep all mission-critical and government-classified information on portable USB Flash DRAM-based storage devices. They're incredibly portable and can be brought to the gym, in the car, to work, back home, swimming, hiking, biking, etc.

      I think you had a typo.

      What you meant to say was
      "and can be LOST at the gym, in the car, at work, at home, swiming, hiking, biking, etc.

      --
      My journal has hot /. gossip.
  7. Re:hmmm... by pboulang · · Score: 5, Funny

    ... or maybe some secretly hidden sequence of key presses?

    --

    This comment is guaranteed*

    *not guaranteed

  8. Is it really so hard? by NineNine · · Score: 5, Interesting

    When you stand up, hit ctrl+alt+del. When you sit down, type in your password. I had to do it at one company, and now it's just habit. Not exactly a tough thing to do. I think that these guys are trying to solve a non-problem.

    1. Re:Is it really so hard? by LostCluster · · Score: 4, Insightful

      There are business analysts (remember what the first four letters of that word are..) who add up all those seconds lost to things like hitting Ctrl-Alt-Del and typing their passwords over a year, then multiply it by the hourly wage to determine how many dollars are wasted by that task. If that step is replaced by a passive process, it theoretically makes employees more effective... YMMV in actual use.

    2. Re:Is it really so hard? by NineNine · · Score: 4, Interesting

      True, but then you have to factor in the physical cost of these doohickeys, and the support time when one dies, is lost, or malfunctions. I dunno. Seems like it's making things more complicated and expensive for no really good reason. In most businesses, a LOT more time and money can be saved by doing something as simple as making sure that no non-developers or non-admins have full control of their box, limiting the damage they can do. Most companies that I've seen make each user admin of their own box, when really if they're just doing work, they'd never need.

  9. repeat article by Jucius+Maximus · · Score: 5, Informative
    The repeat mania continues ... amazing.

    The original is here. At least they waited some weeks before reposting it.

  10. To save my hand... by wray · · Score: 5, Funny

    Let me use a ring, then I only lose a finger when someone wants access :~)

    --
    Guess what? I got a fever! And the only prescription.. is more cowbell!
  11. Dongles revisited by mark_space2001 · · Score: 4, Insightful
    In other news, University of Michigan has re-invented the dongle. "You know those things you hated and were a pain in the ass to use? We'll, we got it all figured out, trust me."

    Great, something else to buy. My fingers are cheaper and I'm not one of the people who has a problem logging in with a password. Why should I fork out cash for this?

  12. ZIA Redux by mcorner · · Score: 5, Informative

    As much as I enjoy the free publicity, this has been posted on slashdot before.

    To correct a serious error that appears in this article and in the nytimes article this was cribbed from: The system was NEVER run on the IBM watch. We mentioned it as a possibility and somehow it was taken as fact.

    I welcome the comments on the work, however remember that the world of university research is often more forward looking than the commercial world. That is our job!

  13. Sounds like a nice idea. by Chris_Stankowitz · · Score: 5, Insightful

    Sounds like a nice idea. However we all know that once physical security is compromise the rest is all down hill. On-top of which, a thief that is just after the machine and cares nothing about the data will still take the machine. He doesn't know that you have a proximity sensor (whether it uses encryption or not). What I would like to see is a tool and/or system that has the kind of reliability and name recognition that something like low-jack has. What I mean is something that a crook will look at and walk away because he will recognize that it will be more trouble than it is worth. Even if he is just stealing it for the hardware. Something that he knows he just can't slap in a windows boot disk and format. Because we all know that most laptop thefts are not by criminals that want data. Its the common crook that just wants a buck. Granted what would also bring down those thefts would just be the prices in laptops coming down, the prices on those haven't fallen nearly as close to the same rate as desktops.

    For now I will continue to dream and maybe even write a book entitled "2085" by Ali Orwell. :)

  14. Breaks an important rule by afidel · · Score: 4, Insightful

    good security should always be based on at least two of the three from the list

    Something you have

    Something you know

    Something you are

    Anything that relies on just one of these catagories is going to be significantly easier to break than one the follows the rules. Most commercial security these days is based on something you know (password) and nothing more. Good security systems require all three, biometrics, password, and a physical token. biometrics are suseptible to advanced attacks but thing like thermal imaging for skull structure combined with retinal imaging is pretty close to unbreakable. Passwords are notoriously lacking because passwords strong enough to be secure are difficult for most people to remember so they end up either weak or written down. As for token systems other than smart cards and the IBM watch I have not seen many implementations out there.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  15. Vulnerability already discovered! by wirelessbuzzers · · Score: 4, Funny

    It was discovered soon after the press release that the "zero interaction authentication" system was vulnerable to a transmission replay attack. This attack may prove fatal to the design; in any case, it should take a few years to get the kinks worked out, so don't expect it on your desktop any time soon.

    --
    I hereby place the above post in the public domain.
  16. Man in the middle attack by jpmorgan · · Score: 5, Insightful
    The thing is, these are radio devices. Radio is analog, not digital, and one of the amusing things about analog is it's actually much easier to authenticate.

    A possible solution is to generate a second low powered signal from the laptop; this signal would be generated from nothing more than some strongly encrypted hash, and most certainly be an AM signal. The nice thing about strong encryption is that it should be pretty much indistinguishable from random noise, so the this signal would be indistinguishable from background noise.

    Then you have the frequency the signal is broadcasted on randomly shuffled based on the current time. The laptop and the token are time-synced (not a problem, most decent cryptographic tokens are time-synced anyway), so the token is always listening on the correct frequency.

    At this point you have the correct waveform, although its amplitude will depend on your distance from the device. Every tenth of a second, or something, normalise the signal based on the RMS power, then compare the input signal based on what you compute it should be (you know the secret, so you can also compute the hash).

    To fool this system you have to replicate the exact signal as it bounces around frequencies. Since it's bouncing around frequencies you can't just repeat the signal you're recieving on a specific frequency, since that won't matter. Further, for each part of the signal you repeat, you'll be off in intensity by a certain amount based on the frequency you're tuning into relative to the frequency its actually being transmitted at, and unless you can exactly predict the pattern you your error will vary. You can't track the frequency since you'd need to break the encryption. Really, this is nothing more than frequency scrambling that's been used by the military to secure communication for years, used in a slightly different way.

    I'm sure there are other ways to solve the problem. So yes, it could be a problem if it wasn't taken into consideration, but it is a solvable problem.