Wearables and mobile phone security - a heads up.
« on: 25 March, 2018, 08:27:32 pm »
Discovered a little problem this evening.  I have had a Garmin Forerunner 735 for a couple of weeks now.  It is generally connected to my Samsung Galaxy S7 via Bluetooth.  What I didn't know until this evening is that in establishing the link a setting in the bowels of the phone was set allowing for the fingerprint / PIN code security to be bypassed if the wearable is 'in range'.

For the past two weeks I have been wandering around with my phone in my pocket and my mobile potentially vulnerable.  If it had fallen from my pocket in a cafe or on the train then it was totally accessible.  Good job that I don't do online banking, paypal etc. from my phone then.

I have now adjusted the setting.  The point of my post is to warn people who, like me, may not be aware of this setting.

Incidentally, mllePB's Fitbit required her to select this on setup and defaulted to the secure option but I do not recall this being the case with my Garmin.   

Kim

  • Timelord
    • Fediverse
Re: Wearables and mobile phone security - a heads up.
« Reply #1 on: 25 March, 2018, 08:41:06 pm »
It's a useful feature, if handled with caution.

Generally what happens is that after pairing a Bluetooth device, Android pops up a notification asking if you want to use its presence for Smart Lock.

There's a potential PEBKAC where you don't know what 'smart lock' means, and assume this is another stage of the process of, say, setting up the connection to your shiny new PE watch.

(It's an Android feature, and completely agnostic of the Bluetooth device in question.  It can be a keyboard, a desktop computer, a head torch, a smart watch, an audio system, or whatever.)

Re: Wearables and mobile phone security - a heads up.
« Reply #2 on: 26 March, 2018, 07:16:50 am »
Ah, I see.  I don't recall a smart lock request but I guess it could have happened. 

Given the tendency of good and others to run their lives from their phones and wearables this must be  an unintended but real risk.  I wonder what a bank would say if somebody had their account emptied in such a way.

fuaran

  • rothair gasta
Re: Wearables and mobile phone security - a heads up.
« Reply #3 on: 26 March, 2018, 07:50:00 am »
Any online banking app requires an additional form of login anyway, even if the phone is already unlocked.

PaulF

  • "World's Scariest Barman"
  • It's only impossible if you stop to think about it
Re: Wearables and mobile phone security - a heads up.
« Reply #4 on: 26 March, 2018, 07:56:42 am »
Surely it's only a risk whilst your phone is close by? Which realistically for a Bluetooth device is less than 10m.

Re: Wearables and mobile phone security - a heads up.
« Reply #5 on: 26 March, 2018, 08:27:09 am »
Surely it's only a risk whilst your phone is close by? Which realistically for a Bluetooth device is less than 10m.

If somebody sitting behind you picks up your phone they are far less than 10m away.  Once they have the phone they can walk away.

Any online banking app requires an additional form of login anyway, even if the phone is already unlocked.

I would hope so but what about the likes of paypal, apple pay or android pay, etc?  And, what if you'd been logged in to your bank, slipped your phone into your pocket and it was still logged in?   I hope unlikely but I don't know and I concern myself about these things.




Kim

  • Timelord
    • Fediverse
Re: Wearables and mobile phone security - a heads up.
« Reply #6 on: 26 March, 2018, 08:35:34 am »
If you don't have such things set up to require auth every time then you're doing it wrong.  Do they even let you?

Anyway, realistically, creating a transaction from a 'borrowed' phone is a rubbish means of opportunistic theft (unless you've got a plan for how to spend the money without it being traced back to you).  You'd be better off stealing the phone, or installing some malware.

PaulF

  • "World's Scariest Barman"
  • It's only impossible if you stop to think about it
Re: Wearables and mobile phone security - a heads up.
« Reply #7 on: 26 March, 2018, 08:37:35 am »
But they'd need to keep it unlocked; sure it's a risk but I think that you're being over cautious here, if someone were to lift your phone like that the first thing I'd expect them to do would be to either hide it until they got it away or make off with it immediately. The least likely scenario, in my view, is that they'd sit behind you and start investigating "their" new phone.

PayPal and ApplePay both require Touchid or an additional login, don't know about Android. The banking apps that I've used have a short timeout before they lock and either don't allow you to set up new payees on the app or require some form of additional authentication so are pretty safe in my view.


P.S. As Kim rightly says, creating a transaction from a 'borrowed' phone is a rubbish means of opportunistic theft

barakta

  • Bastard lovechild of Yomiko Readman and Johnny 5
Re: Wearables and mobile phone security - a heads up.
« Reply #8 on: 26 March, 2018, 08:38:22 am »
If you don't have such things set up to require auth every time then you're doing it wrong.  Do they even let you?

PayPal likes to encourage you to have "just click and it's paid for" mode. I tell it to feck off every time.

Lots of people now use ApplePay and other stuff where you go into shops and wave your phone at the contactless wossnames and it does payments. Thieves could theoretically spend your money if they had your phone and didn't let it lock after out of smartlock range.

PaulF

  • "World's Scariest Barman"
  • It's only impossible if you stop to think about it
Re: Wearables and mobile phone security - a heads up.
« Reply #9 on: 26 March, 2018, 08:41:34 am »
If you don't have such things set up to require auth every time then you're doing it wrong.  Do they even let you?

PayPal likes to encourage you to have "just click and it's paid for" mode. I tell it to feck off every time.

Lots of people now use ApplePay and other stuff where you go into shops and wave your phone at the contactless wossnames and it does payments. Thieves could theoretically spend your money if they had your phone and didn't let it lock after out of smartlock range.

ApplePay is a bit more secure than that, it does require a fingerprint to activate and whilst in theory that could be spoofed it's unlikely to happen as an opportunistic thief wouldn't have the resources and someone who did wouldn't go to the effort given the £30 limit on contactless payments

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Wearables and mobile phone security - a heads up.
« Reply #10 on: 26 March, 2018, 08:56:08 am »
Apple Pay can have a (much) larger limit than £30. I’ve used it several times when buying more than £30 contactless.
It is simpler than it looks.

Re: Wearables and mobile phone security - a heads up.
« Reply #11 on: 26 March, 2018, 11:55:41 am »
But they'd need to keep it unlocked; sure it's a risk but I think that you're being over cautious here, if someone were to lift your phone like that the first thing I'd expect them to do would be to either hide it until they got it away or make off with it immediately. The least likely scenario, in my view, is that they'd sit behind you and start investigating "their" new phone.


Why do you think that?  Unless you are likely to notice your phone missing then they are free to play and it is easily concealed amongst their bags / clothing, etc.  Also, everybody on a train is phone surfing so it's not unusual.  If you start hunting for your phone they will have you in full sight so can conceal or even pretend to pick it up and then hand it to you. 

All I wanted to do here was raise the potential issue but somehow I now feel I should have just shut the fuck up.

PaulF

  • "World's Scariest Barman"
  • It's only impossible if you stop to think about it
Re: Wearables and mobile phone security - a heads up.
« Reply #12 on: 26 March, 2018, 12:53:00 pm »
Why do I think that? For the same reason as you think they may do the opposite. It's just my opinion.

You've pointed out a potential vulnerability, others have pointed where there's more inherent security enabled in apps that, by your own admittance, you're unfamiliar with and tried to explain why it's not a significant risk

Re: Wearables and mobile phone security - a heads up.
« Reply #13 on: 26 March, 2018, 12:56:47 pm »
On looking up Smart Lock, it seems to be a bloody stupid idea. I would disable it on my phone (if it were enabled).

I'm less concerned about things like Apple pay, more concerned about access to gmail  - someone being able to access that and reset the password could then seriously mess with me. Armed with other details about me, potentially get access to bank accounts, for example.
Marmite slave

Re: Wearables and mobile phone security - a heads up.
« Reply #14 on: 26 March, 2018, 01:12:08 pm »
Why do I think that? For the same reason as you think they may do the opposite. It's just my opinion.

You've pointed out a potential vulnerability, others have pointed where there's more inherent security enabled in apps that, by your own admittance, you're unfamiliar with and tried to explain why it's not a significant risk

Except 1: you don't know that it's not a potential risk e.g. PayPal and 2: there will be many less tech savvy than yourself who wouldn't have known about this.  Notwithstanding that their email, social media etc could also be compromised.

If we were all so wonderful as you ...

Morat

  • I tried to HTFU but something went ping :(
Re: Wearables and mobile phone security - a heads up.
« Reply #15 on: 26 March, 2018, 02:48:12 pm »
I only use SmartLock to keep my phone unlocked in the car which I think is a Good Idea and also pretty safe. Maybe you'd do the same if you were using an HRM in the gym or on your bike - but surely you wouldn't want to use SmartLock to keep the phone unlocked by something that you regularly take with you in public. If you need that, maybe a smartwatch would be a better bet?
Everyone's favourite windbreak

Re: Wearables and mobile phone security - a heads up.
« Reply #16 on: 26 March, 2018, 05:57:41 pm »
Interestingly (?!) the iPhone allows you to change the Auto-Lock setting of an unlocked iPhone without having to re-enter the passcode (I have mine set to auto-lock at 1 minute as a backup to always locking it when sticking it in a pocket). Most other security considerations are buried in the menus behind another request for the passcode but not that one.

As for the original problem, I'm with PaulH. I'd categorise it as very low risk:-
* low likelihood of me losing the phone (I rarely ever misplace things)
* low likelihood of a miscreant finding it first
* and low likelihood of said miscreant knowing what to do with an unlocked phone

Phones are just turned off and sold on (either to be shipped abroad to avoid being blocked) or stripped for parts (this is a large source of cheap replacement parts on eBay).

I wouldn't be at risk for Internet banking / Paypal / ApplePay / etc as I don't ever use that on my mobile. I don't have my primary email on my mobile either (getting rid of that took away a huge time suck) if I really need it I can use the clunky web interface.

2FA would be interesting as the miscreant would have access to receiving emails and texts (which are the usual variants of the 2nd factor) but then if they were still in range I'd get a notification on my watch of any incoming texts, which would make me check for my mobile.

I'd really like the opposite function, for the phone to be locked when a specific device (my watch - connected by Bluetooth) went out of range.
"Yes please" said Squirrel "biscuits are our favourite things."

simonp

Re: Wearables and mobile phone security - a heads up.
« Reply #17 on: 27 March, 2018, 04:56:16 pm »
My macbook auto-unlocks if my watch is nearby and unlocked.

iPhone doesn't seem to do this.