Richard Bucker

SmartLock - what's it good for?

Posted at — Jun 2, 2015

SmartLock is a tool that joins your Android phone and your ChromeOS device. When logging into your ChromeOS device it will attempt to locate an open or unlocked Android device. When ChromeOS identifies the paired device it will change the lock icon in the login dialog from yellow or spinning to green. The green icon means that I need only click on the picture in the login form in order to perform that function.

There is a related feature on the phone. I can identify and record “safe” locations on the phone so that when the phone is found to be in that location it does not require a password. You are automatically logged in by GPS location. This is great when you’re home or maybe even work… if you do not mind the obvious complications.

So you can see that if:

- you're home
- SmartLock knows home is safe
- the phone has auto unlocked
- and paired with a ChromeOS device
- and the devices are in range

your ChromeOS device will auto unlock with a click of a button. (You can temporarily disable this feature by clicking on the lock when you log out.)

This is a particularly good feature when you're in public. Clearly you do not want people to see what you might have logged into and correlate that with your password, which can be captured with a GoPro or even the store or coffee shop camera. It’s no longer the thing of science fiction. So having your phone handy, and unlocked, means not having to worry about your password.

However, this does create a different attack vector. If you are at a location that is not SAFE then you need to unlock your phone manually, which can be recorded. And then there is the potential that there is a backdoor for the Bluetooth detector thing/code. All someone needs to do is steal your phone and get to one of your safe locations before you and they have access to the family jewels.

The good news: (a) I do not have the family jewels on my phone. (b) the tough ones still require a password. (c) I never access them from the public.

The bad news: (a) it might still happen if one of the vendors I depend on is vulnerable and I’ve been exposed. (b) someone is able to steal my computer and phone and get to my safe place before me… or even at some distance depending on the geo limits of SmartLock.

The really bad news is that Google has not yet provided a kill switch so that SmartLock can be disabled from anywhere. Once the bad guy has my phone and computer, changing my password may not help.