Hack and /: Automatically Lock Your Computer


If you've ever worked with pranksters, you've probably come across this classic office prank. First, the unsuspecting victim leaves his computer and goes to lunch or a long meeting and doesn't lock his screen. The prankster then takes a screenshot of his current desktop, hides all the desktop icons and any taskbars, and sets the background to be the screenshot the prankster just took. When the victim gets back to his computer, none of the icons work, and no programs will open, yet when he inevitably reboots, even that doesn't fix it. Around the time he calls the desktop support team, the prank is revealed and everyone has a good laugh about it—except maybe the victim, who vows from that day on always to lock his screen.

Good Locks Make Good Neighbors

I don't know about you, but even though I've never been the victim of a prank like that, I've always tried to be good about locking my screen when I'm away. I imagine some of this just stems from trying to be thoughtful about security, but also, if you are a sysadmin, you often have access to a lot of sensitive systems and data. Although you'd like to extend trust to your coworkers, an unlocked sysadmin computer would be a great source for sensitive information if you were a disgruntled employee. In this article, I discuss a simple program I've found that works great to lock your screen automatically when you walk away. At the end of the article, I also discuss some ideas for how to hack in to a system protected by this software.

Traditionally on any desktop environment I've used, I would configure a Ctrl-Alt L keybinding that locked my screen. It was so committed to muscle memory, that the moment I was about to stand up, my fingers automatically would lock my desktop without thinking about it. Although this method works great, I've recently discovered just how easy it is to set up your desktop to lock automatically when you leave, and even better, to unlock automatically when you return.

The solution to proximity-based desktop locking has been around for a while. I remember Linux Journal's own Bill Childers demonstrating such a thing to me with Bluetooth on a Mac more than six years ago, but I've never felt like messing around with the Bluez tools on Linux to write my own script. It turns out these days there's a simple program you can use to lock your screen via Bluetooth that takes only a minute to set up: BlueProximity.

How BlueProximity Works

Essentially, BlueProximity works on the notion that most of us carry around a Bluetooth device with us—our cell phone. Because Bluetooth works only over a limited range, with a bit of tuning, you can make some assumptions about how close a device is to your computer based on the strength of its signal. BlueProximity works via these assumptions to decide when to lock or unlock your screen. When you leave your computer, the Bluetooth signal gets weaker until it crosses a threshold, and your desktop is locked. When you return to your computer, the signal gets stronger until it crosses a different threshold, and the computer automatically unlocks.

Install BlueProximity

You install BlueProximity much like any other Linux program: with your package manager. In my case, the package simply was called blueproximity. Alternatively, if your distribution doesn't package it, you can download and build the software from the source available at the BlueProximity SourceForge page. Once installed, you either can type blueproximity in a terminal to launch the program or click on it in your applications menu (on my system, it showed up under the Accessories category).

Once you start the program, you will get a new icon in your panel and also see a window much like the one shown in Figure 1. BlueProximity requires that the device you set up already has been paired with your computer, so if you haven't yet paired your phone (or other Bluetooth device you wish to use), you need to go through the steps to pair your Bluetooth device first. In my case (on an Ubuntu system), I first made sure Bluetooth was enabled and visible on my phone, next I clicked System→Preferences→Bluetooth, then clicked Set up new device, and after that I just followed through the wizard that appeared.

Figure 1. The Default BlueProximity Tab

After you pair the Bluetooth device, go back to the main BlueProximity screen and click on Scan for devices. It may take a bit for the scan to complete, but afterward, you should see your Bluetooth device on the list. At that point, just select it, click Use selected device, and your device will be configured and ready to use. You can safely click the close button at the bottom of the window, as BlueProximity will still stay in your panel.

Fine-Tune Your Settings

Out of the box, BlueProximity tries to use reasonable settings to determine when to lock your screen; however, each Bluetooth device is different, and I've personally seen that different Bluetooth devices can have much different antenna strengths. If you notice that your screen doesn't lock as soon as you'd like, or worse, if it locks while you are still at your desk, click on the Proximity Details tab where you can edit thresholds (Figure 2). In this window, you will find a number of different sliders. The Distance slider for both Locking and Unlocking lets you control how close you need to be to the computer. The Measured atm slider updates every second or so and shows the current distance BlueProximity reads, so you can get a sense of how sensitive your equipment is. The Duration sliders let you control how long the device needs to be at a certain distance before it locks or unlocks the screen. This is useful in particular when tuning the Locking section so that one bad reading doesn't lock your screen when you don't want it to.

Figure 2. The Proximity Details Tab

If you do notice that the screen locks on you often while you are at your desk, increase the Distance slider for locking. Alternatively, if you notice when you come back to your desk you have to sit there for some time before it unlocks, you may want to increase the Distance slider for Unlocking and decrease the Duration slider if it's higher than one. Just make sure that your unlocking distance isn't higher than your locking distance.

Use Your Own Locking Program

By default, BlueProximity is configured to trigger gnome-screensaver commands. If you use GNOME, that might be fine, but if you use another desktop environment, click the Locking tab (Figure 3) where you can change what command gets run to lock and unlock the screen. By default, you can choose between gnome-screensaver and xscreensaver from the drop-down list, but you could really put any script you want in here. For instance, you might want to create a locking bash script that not only calls gnome-screensaver but also uses a DBUS signal to pause your music. Then you could write a similar script to unpause your music and unlock the screen when you return.

Figure 3. The Locking Tab

Hack BlueProximity

Security is often a trade-off for convenience. BlueProximity is interesting in that it tries to increase your security (by automatically locking your screen), and it also tries to increase your convenience (by automatically unlocking your screen when you return). It is this convenience that may possibly open you up to an attack. That said, BlueProximity and the Bluetooth protocol do make attacking this method rather difficult, because BlueProximity allows only one device to unlock it at a time. You may think you could hack this setup simply by cloning the MAC address of a person's phone on your Bluetooth device. Although this is possible, unfortunately, during the pairing process, keys are shared between the two devices that they will use for secure communication later on, so even if you can clone a phone's MAC address, it still will not necessarily accept your device, because you don't have the shared secret. That having been said, Andrew Y. Lindell released a paper for Blackhat 2008 demonstrating that if you could sniff the pairing procedure, the password potentially could be leaked to you. Even if you weren't there when the devices were paired, the paper demonstrated how you might be able to get a device to re-run the pairing procedure.

Of course, such an attack is quite sophisticated and might be difficult to pull off. An easier approach simply would be to borrow the person's phone to make a phone call or check out an app when he isn't at his desk and then sneak over there. Along with that attack, BlueProximity naturally would be vulnerable to knocking the person out and stealing the phone, but then we are talking about office security here, and if you have to worry about coworkers beating you over the head and robbing you, maybe you should look into another line of work.


The BlueProximity Project Page: http://sourceforge.net/projects/blueproximity

Blackhat 2008 paper on Bluetooth Hacking by Andrew Y. Lindell: http://www.blackhat.com/presentations/bh-usa-08/Lindell/BH_US_08_Lindell_Bluetooth_2.1_New_Vulnerabilities.pdf




Kyle Rankin is Chief Security Officer at Purism, a company focused on computers that respect your privacy, security, and freedom. He is the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Not everyone would want to

James Randall's picture

Not everyone would want to use BlueProximity because it is more complicated than just the regular locking of the screen. For myself, since I am using Windows, I would just make log off my work station every time I leave desk. It is not about the trust issues with fellow colleague, but more about the responsibility of protecting your work. It's just a matter of habit.
James - http://www.raid-data-recovery-uk.com

Thanks a lot for such a

php development's picture

Thanks a lot for such a helpful explanation, very helpful!

Is this the only software?

marksen's picture

Is this blueproximity the only software able to do this job or there are alternatives?

May 2012... anybody still using Bluetooth?

Anonymous's picture

Anybody using bluetooth now!

Awesome app, good explaination

amol's picture

Thanks for such a good and detailed explaination. Quite helpful.

Good and bad (risks ...)

Anonymous's picture

Thanks for the post, interesting approach for automatically locking ones
computer. However, one alert: is there an inherent risk in this method.

Suppose that after automatically locking his/her computer
using BlueProximity and his/her mobile phone, the user lost the
mobile phone, or let's say, the mobile phone breaks down, get wet or something similar. What will then happen, will a reboot help to disable BlueProximity in order to unlock the computer ?

That is, how to get around the possibility that after the automatically locking the user's mobile phone is for some reason out of service ?

Ctr+Alt+F2, login, killall

Fax's picture

Ctr+Alt+F2, login, killall locking processes :-)

Something else that's affective

TiredTech's picture

Send goofy poems and love letters from the user's e-mail account. Don't forget to 'cc:' half the office staff sans managers. After this happens three or four times, the user miraculously becomes a "lock your desktop" evangelist. Also puts everyone else on notice.

Old School 1: For corded keyboard/mice, pull the DIN connectors out about half way. Electrical connection is severed, yet connectors still look like they're plugged in. I'd do this on occasion to my support staff to see who the methodical ones were on the team.

Old School 2: Removing the mouse ball or putting tape/paper over the internal infrared sensors was always good for a laugh :)

PS: 3 out of 10 of you, in my experience, tape you passwords to the bottom of the keyboard, so don't worry if you're not around when I come to service your workstation ;)

No workee

Ed Carp's picture

Running on Linux Mint 11, using xscreensaver, it doesn't work reliably:

1. The screen won't unlock when the BT device comes back within range.
2. The app doesn't remember which device it was paired with between invocations, so you have to re-pair every time the app is run.

A great idea, but useless at this point. I looked at the project page and there are a number of people for whom the software doesn't work, too.

But it's such a good idea that I might dig into it this weekend to see what the problems are, and see if I can fix them. Hmmm, maybe that was the point of the article!

Anoteher method for locking

Bartman's picture

How about locking whenever an unrecognized BlueTooth device comes into proximity?

That would probably be quite viable and would only inconvenience the user if (s)he brought an active BT device near the protected PC.

Or auto-minimizing games when

Anonymous's picture

Or auto-minimizing games when the boss is nearby. :)

thnks for post. i save pdf :)

Mevlam's picture

thnks for post. i save pdf :)