PreyProject pessimism

I’ve been hearing things about Prey Project, which is an open-source recovery tool for mobile computers (and handsets). I’ve been skeptical because in order for Prey to really work, it requires you to ignore best practices for securing your system. My conclusion is that if you want to use Prey, your computer needs to be about as secure as your average Bait Car.

Doesn’t sound very reassuring does it?

This is a copy of my recent Reader Report: Security on MacInTouch. I was responding to a line from the Prey Project FAQ that reads:

Will Prey still phone home if there’s no user logged in?

The answer is yes, since Prey runs in the background as the root (system) user.

My testing revealed this isn’t accurate. I have not yet tried to validate whether Prey will attempt to hit an insecure wireless network, but I will explain my test case:

Test system

  • MacBookAir4,2 running Mac OS X Lion 10.7.1
  • Local accounts like most people use, password required.
  • Whole-disk encryption “FileVault 2” active and enabled[1]

Remote server

  • created a lost.html as per Prey’s instructions
  • configured SMTP credentials for a Gmail account
  • watched the Prey agent check in with the remote server to pull lost.html a few times[2]

Test Begins

  • Sleep the MacBook Air
  • Wait five minutes (per my configured check-in) to confirm sleeping as expected
  • Remove lost.html from the remote server per Prey’s instruction
  • Wait another five minutes (still no GETs of lost.html)
  • Wake up the MacBook to a lock screen asking for my password
  • Wait five minutes (still no GETs)
  • Fail a couple of logins and then click Switch User (still no GETs)
  • Log in as my locked user
  • Once logged in, my Keychain unlocks, my Wi-Fi connection is authenticated, lost.html gets pulled, and it works as expected
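The observation above comes from watching the remote server’s access log for GETs of lost.html. The following is an added example (not part of the original post, and not Prey Project code) that automates that reading: it parses Apache combined-format log lines, pulls out every GET of lost.html, and reports any silence between check-ins longer than the configured five-minute interval, plus the first 404 (the moment the agent noticed lost.html was gone). The log lines, IP addresses and timestamps are constructed for illustration; the combined log format is an assumption about the server.

```python
"""Audit a web server's access log for an agent's check-in cadence.

Added example: the server hosting lost.html records one GET per check-in.
A long gap between successive GETs that lines up with the laptop sleeping
or sitting at the lock screen is exactly the "no GETs" observation in the
test steps. Sample log lines below are constructed (IPs are documentation
ranges, times are illustrative); Apache combined format is assumed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: three normal five-minute check-ins while logged in,
# an unrelated request from another client, then the next check-in only
# after the user logs back in; by then lost.html has been removed (404).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Sep/2011:12:00:02 -0500] "GET /lost.html HTTP/1.1" 200 312 "-" "curl/7.21.4"
203.0.113.10 - - [05/Sep/2011:12:05:01 -0500] "GET /lost.html HTTP/1.1" 200 312 "-" "curl/7.21.4"
203.0.113.10 - - [05/Sep/2011:12:10:03 -0500] "GET /lost.html HTTP/1.1" 200 312 "-" "curl/7.21.4"
198.51.100.7 - - [05/Sep/2011:12:12:40 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Sep/2011:12:41:15 -0500] "GET /lost.html HTTP/1.1" 404 210 "-" "curl/7.21.4"
"""

# Apache combined format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_checkins(log_text, path="/lost.html"):
    """Return [(timestamp, status)] for every GET of `path`, in log order.

    Lines that do not parse, or that request something else, are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET" or m.group("path") != path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, int(m.group("status"))))
    return hits


def find_gaps(checkins, interval=timedelta(minutes=5), slack=timedelta(seconds=30)):
    """Return (previous, next, gap) for each consecutive pair of check-ins
    whose spacing exceeds the configured interval plus a little jitter."""
    gaps = []
    for (prev_ts, _), (next_ts, _) in zip(checkins, checkins[1:]):
        gap = next_ts - prev_ts
        if gap > interval + slack:
            gaps.append((prev_ts, next_ts, gap))
    return gaps


def first_missing_response(checkins):
    """Timestamp of the first check-in answered with 404, i.e. the first
    time the agent could have noticed lost.html was removed; None if never."""
    for ts, status in checkins:
        if status == 404:
            return ts
    return None


if __name__ == "__main__":
    hits = parse_checkins(SAMPLE_LOG)
    print(f"{len(hits)} check-ins for /lost.html")
    for prev_ts, next_ts, gap in find_gaps(hits):
        print(f"silent from {prev_ts:%H:%M:%S} to {next_ts:%H:%M:%S} ({gap})")
    missing = first_missing_response(hits)
    print("first 404 seen at", missing.strftime("%H:%M:%S") if missing else "never")
```

Run against the real access log instead of SAMPLE_LOG, the gap list is the evidence for (or against) the FAQ’s claim: a check-in that keeps its five-minute rhythm through sleep and the lock screen would show no gaps, whereas the run described above shows one long gap ending at the post-login request.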

Conclusion

Prey may work for people who rely on insecure wireless networks and don’t protect their system with a password or any form of encryption of their data. I didn’t test that (and if nobody else volunteers I’ll do that too!).

I wouldn’t recommend relying on Prey if you are security-conscious and leverage whole-disk encryption via FileVault 2 or other mechanisms, or use authenticated wireless connections. Doing so would require you to ignore best practices. I certainly wouldn’t recommend a small business or enterprise use Prey.

I would rather a thief get a MacBook they have to re-image and that I’ll never see again than let them have access to my data. Mac OS X Lion’s “Samaritan” feature lets you display a message on the login screen, which is probably going to be more effective in getting your Mac back!

When iCloud is released, the “Find My Mac” service may be a better option, but it isn’t yet known how that service will work. It’s possible that the tight integration with iCloud will provide some level of accountability for devices you have associated with your ID and reported as stolen. Who knows?

[1] If you follow Prey Project’s advice and have an account that requires no login to “lure” people into using your Mac, you are negating whole-disk encryption. Don’t follow their advice if you expect whole-disk encryption to encrypt your files, should your Mac be stolen.

[2] The nerve of these people using cron instead of launchd! — not following OS X conventions isn’t a great way to deploy this software in my opinion. I’m being somewhat tongue-in-cheek but c’mon.