McAfee’s Everykey Can Unlock Your Phone, Accounts, Doors, And More

Megalith

Is having a master key an awful idea, or do you think we’re headed toward this kind of thing in the future?

When Everykey - which supports Windows, OS X, Linux, Android, and iOS (requires jailbreaking) - comes under the specified proximity of a device - up to 3 metres - it unlocks the device - be it your phone, your account, your computer. What's more, when you walk away from your device, it automatically unlocks them too.
 
It sounds reasonable to me up until...
If you lose your Everykey, you can call us or go online to immediately freeze it so no one else can use it. After you've frozen your Everykey, a message is immediately sent to all of your devices letting them know that they should not unlock without manual password entry.
That sounds like a backdoor. And what if your devices aren't online?
 
"and iOS (requires jailbreaking)" Oh, to work around the security that even the FBI can't crack? No thanks.

Not to mention that this is coming from John McAfee, the guy who created the crappy antiviral product that you've had to remove from every friend and family member's computer you've ever worked with.

This is throwing up more red flags than a Chinese military parade.
 
"and iOS (requires jailbreaking)" Oh, to work around the security that even the FBI can't crack? No thanks.

Not to mention that this is coming from John McAfee, the guy who created the crappy antiviral product that you've had to remove from every friend and family member's computer you've ever worked with.

This is throwing up more red flags than a Chinese military parade.

Ever since Intel bought them, McAfee AV products have been pretty solid. Granted, they seem more interested in selling them to businesses now because there isn't any money in forcing them onto the ordinary folks anymore.

And with everything going into or connecting to the cloud these days, the FBI doesn't need to crack your phone. And it's only a matter of time before they figure that out. Maybe they should try talking to someone at the NSA.
 
Well, if it weren't for people like evilsofa, I might consider it a good idea, but the world we live in has evilsofas in it and because of that, it's a terrible idea! I dunno what they're thinking!
 
Can it unlock your neighbor's house when you're out of your mind on bath salts and filled with murderous rage?
 
Ever since Intel bought them, McAfee AV products have been pretty solid. Granted, they seem more interested in selling them to businesses now because there isn't any money in forcing them onto the ordinary folks anymore.

Then why does Adobe Flash try to get me to download and install McAfee AV every time I get an update for Flash in Firefox?
 
It sounds reasonable to me up until...
That sounds like a backdoor. And what if your devices aren't online?

How is this a back door? A back door is a hidden way to bypass security, not an emergency protocol to make it more secure.
 
It's too bad iOS needs jailbreaking. This is actually kinda neat. When I have my phone on me, it would be nice for it to just be unlocked, but if someone "nicks me phone mate" they get a few feet from me and it's locked and useless.

It would also be nice at work, so I don't have to (a) remember to lock my computer when I walk away from it, and (b) not have to arbitrarily unlock my PC when I have been sitting in front of it the entire time because I turned to talk to someone for a few minutes and WELP IDLE TIMEOUT LOCK ER DOWN
 
How is this a back door? A back door is a hidden way to bypass security, not an emergency protocol to make it more secure.

It's not exactly hidden, but this "emergency protocol" is basically a means to remotely bypass a security feature. It's essentially in the hands of the Everykey people and not the device owner too. I think that this potentially makes it less secure.

When you call up Everykey and ask them to disable your lost Everykey, how do they confirm it's you?

See: http://www.hardocp.com/news/2015/12/31/2016_reality_lazy_authentication_still_norm#.VoiPBRVulHY
 
Sure, centralizing security in the hands of the Everykey people introduces the potential for backdoors. But I still think this is safer than the majority of the average person using simple-to-guess passwords.
 
What's more, when you walk away from your device, it automatically unlocks them too.

 
I think that the idea of having the ability to unlock all of your devices on one device is convenient, but creates a significant security risk.
 
OK, so let's say this requires something like, oh, say, Bluetooth to work on all of your devices (because I am pretty damn sure it does). They already sell a Bluetooth dongle you can keep on your person that keeps your phone from locking down as long as it is connected. Heck, you can do that with ANY Bluetooth-connected device on most modern Android phones. Unless it can be programmed to remote start my car (that it can do via the dongle and connection it uses.) Then it may offer some actual use. Right now it is just a programmable RFID with Bluetooth built in. And a charging/USB port to do updates... The remote disable is curious. I have to wonder how it is connected or if it piggybacks through drivers installed on connected intelligent devices.

That would mean, of course, you have yet another convenience hackable vector on all of your connected devices. And that = bad. Corporations will avoid this unless they can really prove its security.
 
Sounds like every thief's dream

And if it's online then it's hackable - can you imagine script kiddies locking people from entering their own homes in winter?

All people swatting someone will have a new favourite toy ;)
 
There are ways to implement this that it could be a very good idea. When he mentioned "go online to freeze it", that told me he used one of the not so good ways.
 
Sure, centralizing security in the hands of the Everykey people introduces the potential for backdoors. But I still think this is safer than the majority of the average person using simple-to-guess passwords.

Truth. The passwords most people use are horrible. (I know this from working in IT for almost 20 years. I try to avoid even asking for users' passwords, but there are some circumstances where it is impossible to get something fixed without it. So, I have had about fifty user passwords per year while I worked desktop support.) Generally, the idea of a password is not good security, but most people refuse to believe it. An uncopyable physical key is the best, because the user will know the instant it is stolen, and nothing could be accessed without the user at least knowing it is coming. This can also allow for tracking down the one who stole it.

Now, the best way for something like this would go something like this:
0. A USB key is manufactured given the unlock system's public encryption key and a randomly generated high-bit (>4096 bit) encryption key set. The public key for the USB key is recorded with the identifier for the key; the private key is recorded into the firmware of the USB key and never recorded anywhere else. It would also be set to not respond to requests more than once per 5 seconds so that the keys could not be calculated from multiple responses. A user would then buy one and register it with a service.
1. A web site asks for an unlock.
2. The browser asks the local system if a specific generic USB device is attached, and its identifying code, then sends the web site the identifier.
3. The unlock system looks through its lookup tables and finds the public key for that device, and generates a challenge based on a random number and the unlock system's private encryption key, and then hands the challenge off to the web site.
4. The web site issues the challenge to the browser.
5. The browser sends the challenge to the USB device.
6. The device, entirely internally, run by USB power and not requiring a battery, decodes the challenge using the unlock system's public key, given at the time of manufacture, and gets the unencrypted challenge code. It then takes it and encrypts it using its own private encryption key, sending the response to the browser.
7. The browser sends the response to the web site.
8. The web site sends the response to the unlock system, requesting its authentication.
9. The unlock system then decrypts the response using the USB key's public key and checks the unencrypted result with the randomly generated number from #3. If the same, it sends the web site the OK. If not, it sends an error.

Here are the advantages:
1. The USB key's private key is never directly accessible. It can never be copied or bypassed.
2. The unlock system never has any personally identifying information. It only holds the key identifiers and associated public decryption key.
3. The web sites never hold any encryption info, only the personally identifying info and the associated key identifier.
4. The local system only displays the info on the current session. Cached copies could be kept, but it would be out of date pretty quickly.
5. The unlock system would be paid by the web sites that use it. It would be expensive, but very secure, and they would never have to deal with government requests for info because they'd never have the info locally. They could never be hacked to get that information, either.
6. Much of the information could be pieced together, but the hacker would need to do this in a targeted manner, and could not do it in bulk without immense resources and access to multiple systems at the same time. The government could get this info fairly easily for criminal investigations, but would not be able to use too wide of a net due to the resources involved.
7. It could be used for a house lock or car without internet access using a directly programmable challenge/response pair that would always be used just for that device.
8. The standards would be set as generic USB devices, with standardized responses for requests, locking out the ability for one company to get a monopoly on such devices. Anyone deviating from the standard would not be able to have their devices usable by most people, and would lose portions of the market because of such behavior.
9. Last, but not least, the cost to the consumer would only be about $10 for the key. They could easily register a backup key in case the main is stolen, where they could just insert the new key and visit their sites to instantly disable the old main key, and then register a new backup key.

Such a system would be unhackable and uncopyable. Perfect security.
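
The exchange from steps 0 to 9 of the post above, as an added Go example that is not part of the original post: Ed25519 signatures stand in for the poster's "encrypt with the private key" operations, and every type name, function name and the `key-0001` identifier is an assumption made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device models the USB key: priv never leaves it; sysPub is loaded at manufacture (step 0).
type Device struct{ priv ed25519.PrivateKey; sysPub ed25519.PublicKey }
// Respond is step 6: sign the nonce only if the unlock system signed the challenge.
func (d *Device) Respond(nonce, sysSig []byte) []byte {
	if !ed25519.Verify(d.sysPub, nonce, sysSig) {
		return nil
	}
	return ed25519.Sign(d.priv, nonce)
}

// UnlockSystem holds key identifiers and public keys only, plus the outstanding nonces.
type UnlockSystem struct{ priv ed25519.PrivateKey; devices map[string]ed25519.PublicKey; pending map[string][]byte }
// Challenge is step 3: a fresh random nonce, signed with the unlock system's private key.
func (u *UnlockSystem) Challenge(id string) (nonce, sig []byte) {
	nonce = make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil || u.devices[id] == nil {
		return nil, nil
	}
	u.pending[id] = nonce
	return nonce, ed25519.Sign(u.priv, nonce)
}

// Verify is step 9. The nonce is deleted on first use, so a captured response cannot be replayed.
func (u *UnlockSystem) Verify(id string, resp []byte) bool {
	nonce, pub := u.pending[id], u.devices[id]
	delete(u.pending, id)
	return nonce != nil && pub != nil && ed25519.Verify(pub, nonce, resp)
}

// Provision is step 0: generate both key pairs and register the device's public key.
func Provision(id string) (*UnlockSystem, *Device) {
	sysPub, sysPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	return &UnlockSystem{sysPriv, map[string]ed25519.PublicKey{id: devPub}, map[string][]byte{}}, &Device{devPriv, sysPub}
}

func main() {
	u, d := Provision("key-0001") // constructed identifier
	resp := d.Respond(u.Challenge("key-0001"))
	fmt.Println(u.Verify("key-0001", resp), u.Verify("key-0001", resp)) // first use, then replay
}
```

The second `Verify` call fails because the nonce is consumed on first use. The 5-second response limit from step 0 is not modelled here.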
 
Yeah, give me software like this from McAfee...the company responsible for more mischief and fuckups than any other AV software on computers I've had to fix.

No.
Thanks.
 
And with everything going into or connecting to the cloud these days, the FBI doesn't need to crack your phone. And it's only a matter of time before they figure that out. Maybe they should try talking to someone at the NSA.

I mean for FFS are all you guys criminals and potential terrorists? Nobody for sure hell doesn't need to crack my phone or any other device I use lol.
 
I mean for FFS are all you guys criminals and potential terrorists? Nobody for sure hell doesn't need to crack my phone or any other device I use lol.

That's the thing. The NSA and FBI want to have backdoors in place on every smartphone, regardless of the fact that the vast majority aren't owned by those who commit crimes. They want to collect everyone's data, regardless of whether you commit a crime or not.

What's the danger in this, you may ask? The danger isn't in the things that are illegal, but rather in the things that aren't, but can be considered ethically compromising. With the investigators' access to all this information, they can use it for other means. Also, with Federal agencies, part of the executive office, having access to this, the President would also have access to this, unrecorded and without a warrant needed.

Much of the information they've already collected could very easily be used by the President and his party for blackmailing political opposition. Do you seriously think that John Boehner campaigned on the Tea Party platform, and within weeks decided he's going to vote right along with the Democrats? Do you honestly think that Paul Ryan would have such strong religious convictions that it hurt Romney in the election so bad to lose it, only to push through the most recent budget bill with full endorsement and funding for Planned Parenthood? It looks to me like this information has already been used to make certain people compliant.

Any threat to our privacy is a threat to politicians' privacy, which can compromise their ability to keep with their beliefs. Nobody is perfect, and those who run for office are more likely to have skeletons in the closet. Threats to our privacy are threats to our very way of life.
 
That's the thing. The NSA and FBI want to have backdoors in place on every smartphone, regardless of the fact that the vast majority aren't owned by those who commit crimes. They want to collect everyone's data, regardless of whether you commit a crime or not.

What's the danger in this, you may ask? The danger isn't in the things that are illegal, but rather in the things that aren't, but can be considered ethically compromising. With the investigators' access to all this information, they can use it for other means. Also, with Federal agencies, part of the executive office, having access to this, the President would also have access to this, unrecorded and without a warrant needed.

Much of the information they've already collected could very easily be used by the President and his party for blackmailing political opposition. Do you seriously think that John Boehner campaigned on the Tea Party platform, and within weeks decided he's going to vote right along with the Democrats? Do you honestly think that Paul Ryan would have such strong religious convictions that it hurt Romney in the election so bad to lose it, only to push through the most recent budget bill with full endorsement and funding for Planned Parenthood? It looks to me like this information has already been used to make certain people compliant.

Any threat to our privacy is a threat to politicians' privacy, which can compromise their ability to keep with their beliefs. Nobody is perfect, and those who run for office are more likely to have skeletons in the closet. Threats to our privacy are threats to our very way of life.

Yup, this is the kinda stuff that happens in a dramatic, crazy-cakes movie world. Put the remote down and think a little and it'll be obvious how not realistic it is off a television show though. :)
 
Hmmm. So the metal key that unlocks my doors is good?

Except of course for the poor bastard that does so without permission in order to meet 3 very unfriendly large dogs and a GF with a 9mm AR-15 with a hundred round magazine?

p.s. if I disappear in a pink cloud, she must have been pissed so go easy on her. :)
 
wonder how his quest for that 5-Methoxy-diisopropyltryptamine analogue is coming
 
McAfee crawled out of a Costa Rican forest to announce this? He needs to go back into the forest and stay there.
 
People who consider themselves hip, technologically and intellectually-enlightened techies still think John McAfee is responsible for McAfee software when he hasn't been involved with them since before Windows 95 existed. He is, however, basically responsible for creating the very concept of antivirus software.

Oy vay. I'm glad he's running for president, but it's clear that there's a large LIV segment in his own demographics.
 