by rrebelo 3782 days ago
I am about to finish a more limited implementation of this idea for Android Wear smartwatches and Windows. It works by measuring bluetooth signal intensity (rssi).

I already made a prototype for Mac & generic smartwatches [1], but if you have a Pebble you'll have to disconnect the watch from the phone. Questions, criticism & suggestions are welcome.

[1] https://www.gadgetish.com


Using just signal strength as an authenticator is a bit of a shaky idea for actual security IMO. Car thieves have been using signal amplifiers to break into cars for a while now.

I think you should have some initial prompt on the watch that asks the user if it is OK to unlock the device. It's more friction, but otherwise it's trivially bypassable.

> Car thieves have been using signal amplifiers

Very true. But I am using Bluetooth and it has much better security protocols than the plain simple radio-frequency signals for car remote controls. At the very least, the user needs to first pair the watch with the computer. Besides, all communication between the 2 is encrypted. And, to avoid Bluetooth spoofing, there is also an exchange of time-based encrypted tokens, all transparent for the user. There are a few more security details about it (e.g.: the authentication password is not stored in the watch but AES-encrypted on the computer, etc.). I intend to write a detailed risk-assessment about it later.

In truth, my intention is someday to make it FIDO-UAF [1] compatible, if I get the money to do it.

It is very cool to understand what concerns people have about it. Thank you.

[1] https://fidoalliance.org/specifications/overview/

I believe that you can safely pair with the watch and authenticate it reliably and an attacker can neither read nor modify what you send; this is largely a solved problem.

But I am concerned that you cannot measure proximity accurately because an attacker could just replay messages between the two devices and boost the signal without being able to decipher the contents, and none of your comments about crypto or time-based tokens convince me otherwise.
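The relay the parent comment describes, simulated as an added example that is not code from the thread or from the Gadgetish project: a key shared at pairing, HMAC-based time tokens on every poll, and an RSSI threshold deciding "nearby". The attacker forwards the bytes unchanged and never sees the key, yet the PC unlocks, because the signal it measures belongs to the attacker's transmitter, not to the watch. The class names, the key, the time counter and the dBm values are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed for the example: a 256-bit secret shared at Bluetooth pairing.
# The attacker never learns it; that is exactly why it does not help here.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

RSSI_NEARBY_DBM = -60  # signal stronger than this counts as "user is at the desk"


def token(key: bytes, challenge: bytes, counter: int) -> bytes:
    """Time-based authenticated token: HMAC over a fresh challenge and a time counter."""
    return hmac.new(key, challenge + struct.pack(">Q", counter), hashlib.sha256).digest()


class Watch:
    def __init__(self, key: bytes):
        self.key = key

    def answer(self, challenge: bytes, counter: int) -> bytes:
        return token(self.key, challenge, counter)


class DirectLink:
    """The real radio path: the watch's signal as the PC actually receives it."""
    def __init__(self, watch: Watch, rssi_dbm: int):
        self.watch, self.rssi = watch, rssi_dbm

    def exchange(self, challenge: bytes, counter: int):
        return self.watch.answer(challenge, counter), self.rssi


class RelayLink:
    """Attacker's two-box relay: a transmitter next to the PC, a receiver near the
    distant watch. Bytes are forwarded unchanged; the PC only sees a strong signal."""
    def __init__(self, watch: Watch, attacker_tx_rssi_dbm: int = -35):
        self.watch, self.rssi, self.running = watch, attacker_tx_rssi_dbm, True

    def exchange(self, challenge: bytes, counter: int):
        if not self.running:
            return None, None  # relay switched off: nothing comes back
        return self.watch.answer(challenge, counter), self.rssi


class ForgedLink:
    """Attacker without a relay: strong signal, but no key to build the token."""
    def __init__(self, rssi_dbm: int = -35):
        self.rssi = rssi_dbm

    def exchange(self, challenge: bytes, counter: int):
        return os.urandom(32), self.rssi


class PC:
    def __init__(self, key: bytes):
        self.key = key
        self.locked = True

    def poll(self, link, counter: int) -> bool:
        """One proximity check; returns True if the screen is locked afterwards."""
        challenge = os.urandom(16)
        response, rssi = link.exchange(challenge, counter)
        authentic = response is not None and hmac.compare_digest(
            response, token(self.key, challenge, counter))
        nearby = rssi is not None and rssi > RSSI_NEARBY_DBM
        self.locked = not (authentic and nearby)
        return self.locked


def run_scenarios() -> dict:
    watch = Watch(SHARED_KEY)
    pc = PC(SHARED_KEY)
    t = 1_700_000_000  # time counter, constructed
    results = {}
    # 1. User at a coffee shop: the real signal is too weak, the PC stays locked.
    results["far_away"] = pc.poll(DirectLink(watch, rssi_dbm=-90), t)
    # 2. Same watch, same distance, attacker relays the bytes: the token verifies
    #    (it is the watch's own answer) and the RSSI is the attacker's, so unlock.
    relay = RelayLink(watch)
    results["relayed"] = pc.poll(relay, t + 1)
    # 3. Attacker stops the relay right after the unlock: next poll gets nothing, PC locks.
    relay.running = False
    results["relay_stopped"] = pc.poll(relay, t + 2)
    # 4. Without the relay a strong signal alone is useless: the token does not verify.
    results["forged"] = pc.poll(ForgedLink(), t + 3)
    return results


if __name__ == "__main__":
    for name, locked in run_scenarios().items():
        print(f"{name:14s} -> {'locked' if locked else 'UNLOCKED'}")
```

Nothing in the exchange binds the bytes to the radio path they travelled, so encryption and fresh tokens only stop forgery (scenario 4), not relaying (scenario 2). When the relay is switched off the PC does fall back to locked (scenario 3), which is why the window of interest is the seconds in between; only a step the relay cannot perform on the user's behalf, such as the confirmation prompt on the watch suggested in the thread, changes the picture.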

> an attacker could just replay messages between the two devices and boost the signal without being able to decipher the contents

As a simplified version of a MITM attack? That is clever, I admit I didn't think of it.

However, even in case the attacker is able to do so, the watch would still inform the user when the PC is unlocked. And the user can manually force a lock, from the watch, overriding the proximity/signal strength. To intercept this the attacker would need to decipher the messages. That is for the Android Wear-Windows PC version, though. I admit the Mac version is not that sophisticated, yet.

> However, even in case the attacker is able to do so, the watch would still inform the user when the PC is unlocked. And the user can manually force a lock, from the watch, overriding the proximity/signal strength.

It's better than nothing, but the user is likely to think of it as a malfunction if they are far away (e.g. at a coffee shop), and the watch may not actually be physically on them at the time either.

And a second is really enough to plant malware on a computer; you can already buy a USB stick which types in commands much faster than a human: http://hakshop.myshopify.com/products/usb-rubber-ducky-delux...

Though that might be more of an argument about why this attack vector is unrealistic since most people don't even have full disk crypto on their phones/computers.

Also, not sure if you've seen this, but surprisingly these guys are still around: http://www.knocktounlock.com/

> And the user can manually force a lock, from the watch, overriding the proximity/signal strength. To intercept this the attacker would need to decipher the messages.

Not if the attacker stops the relay right after the PC is unlocked.

> Not if the attacker stops the relay right after the PC is unlocked.

No, if that happens, the program falls back into the "user is away -> lock the computer" mode.

So, don't unlock without watch confirmation. Ever.