by Eridrus 3782 days ago
I believe that you can safely pair with the watch and authenticate it reliably and an attacker can neither read nor modify what you send; this is largely a solved problem.

But I am concerned that you cannot measure proximity accurately because an attacker could just replay messages between the two devices and boost the signal without being able to decipher the contents, and none of your comments about crypto or time-based tokens convince me otherwise.

> an attacker could just replay messages between the two devices and boost the signal without being able to decipher the contents

As a simplified version of a MITM attack? That is clever, I admit I didn't think of it.

However, even in case the attacker is able to do so, the watch would still inform the user when the PC is unlocked. And the user can manually force a lock, from the watch, overriding the proximity/signal strength. To intercept this the attacker would need to decipher the messages. That is for the Android Wear-Windows PC version, though. I admit the Mac version is not that sophisticated, yet.

> However, even in case the attacker is able to do so, the watch would still inform the user when the PC is unlocked. And the user can manually force a lock, from the watch, overriding the proximity/signal strength.

It's better than nothing, but the user is likely to think of it as a malfunction if they are far away (e.g. at a coffee shop), and the watch may not actually be physically on them at the time either.

And a second is really enough to plant malware on a computer; you can already buy a USB stick which types in commands much faster than a human: http://hakshop.myshopify.com/products/usb-rubber-ducky-delux...

Though that might be more of an argument about why this attack vector is unrealistic since most people don't even have full disk crypto on their phones/computers.

Also, not sure if you've seen this, but surprisingly these guys are still around: http://www.knocktounlock.com/

> And the user can manually force a lock, from the watch, overriding the proximity/signal strength. To intercept this the attacker would need to decipher the messages.

Not if the attacker stops the relay right after the PC is unlocked.

> Not if the attacker stops the relay right after the PC is unlocked.

No, if it happens the program falls back into the "user is away->lock the computer" mode.

So what happens if my watch shuts down for some reason while I'm using the computer?
So, don't unlock without watch confirmation. Ever.
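
The relay concern raised at the top of the thread and the "watch confirmation" rule it ends on, modelled as an added Python example (not code from the thread or from the product being discussed). The pairing key, RSSI threshold, signal values and function names are constructed assumptions.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)      # pairing key shared by watch and PC (constructed)
RSSI_NEAR_DBM = -60       # assumed "watch is close" threshold


def mac(key: bytes, nonce: bytes, window: int) -> bytes:
    """Response bound to the PC's nonce and a 30 s time window."""
    return hmac.new(key, nonce + window.to_bytes(8, "big"), hashlib.sha256).digest()


def watch(nonce: bytes, window: int, confirm_required: bool, user_confirms: bool):
    """Watch answers a challenge; optionally only after the wearer confirms."""
    if confirm_required and not user_confirms:
        return None
    return mac(KEY, nonce, window)


def pc_accepts(nonce: bytes, window: int, response, rssi_dbm: int) -> bool:
    """PC-side unlock decision: authentic response AND strong signal."""
    if response is None:
        return False
    if not hmac.compare_digest(mac(KEY, nonce, window), response):
        return False
    return rssi_dbm >= RSSI_NEAR_DBM


def scenario(relayed=False, tampered=False, confirm_required=False,
             user_confirms=False, watch_rssi_dbm=-90) -> bool:
    """One unlock attempt; the watch is far away unless watch_rssi_dbm says otherwise."""
    nonce, window = os.urandom(16), 1_700_000_000 // 30   # constructed values
    response = watch(nonce, window, confirm_required, user_confirms)
    if tampered and response is not None:
        response = bytes([response[0] ^ 1]) + response[1:]  # any change breaks the MAC
    # A relay forwards the frames unchanged, and the PC measures the relay's
    # signal rather than the distant watch's, so RSSI is whatever the relay emits.
    rssi = -40 if relayed else watch_rssi_dbm
    return pc_accepts(nonce, window, response, rssi)
```

`scenario(relayed=True)` is accepted even though the key never leaves the two devices, while `scenario(relayed=True, confirm_required=True)` is rejected because the wearer never confirms.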