September 23, 2008

Track your missing laptop with Adeona

Author: Nathan Willis

Almost every laptop on sale today comes equipped with the Kensington security slot on the side or back, through which you can connect a theft-deterring locked steel cable. The system's downsides are (a) that a would-be thief can damage or destroy your equipment trying to yank the cable out, and (b) that you have to buy the cable separately. As an alternative, the free software utility Adeona won't preemptively deter theft, but it will help you track down your stolen equipment and better the chances of its recovery by police.

Adeona runs in the background, and works its magic by waking up at random intervals to record data about the equipment's location and status, which it encrypts and then silently uploads to off-site storage. If your laptop (or, for that matter, your co-located server) goes missing, you can retrieve its latest records from elsewhere, learning such information as its internal and external IP address, local network configuration, and more. Armed with that info, you can call John Law and take a big step toward recovering your goods.

Adeona is distinct from commercial equipment tracking alternatives in that it takes multiple measures to ensure that the off-site status records are anonymous, untraceable, and encrypted. To accomplish this, the system randomizes many of its parameters -- the length of time between status checks, the time between status check and upload, and the destination node of the off-site storage.

You can download the Adeona client for Linux, Mac OS X, and Windows; the latest version is 0.21, and is available under the GPLv2. The OS X and Windows packages are binaries, and the Linux package is source code. Compiling the code is straightforward; the standard ./configure; make; make install three-step will suffice on any standard Linux distribution. You will also need the OpenSSL, traceroute, and cron packages, all of which are widely available.

Once you have compiled Adeona, the make install step will prompt you to create an Adeona password that is used to encrypt a local credentials file. The file contains seed data that you will need in order to retrieve stored status checks in the event that your machine is lost or stolen, so don't forget your password. The installer will also provide you with a sample cron job that you should add to your machine's crontab in order to keep Adeona running regularly.

You can install Adeona clients on multiple machines, and you can retrieve entries for all of them from a single machine, provided that you have a copy of each client's credentials file. If you are monitoring multiple laptops, desktops, or servers, it pays to have a copy of each credentials file on each machine, since you never know which ones will turn up missing. Each file is encrypted with its own password.

The OS X version of Adeona sports one feature not yet present in the others: the ability to take a snapshot using modern Macs' built-in iSight video camera, potentially catching thieves on screen. If that bothers you or if you are just shy, a separate no-camera build is available too.

How it works

Current location checks are run approximately once every 30 minutes. Each time Adeona runs, it collects your machine's internal IP address from the operating system, the external IP address from a third-party reporting service, the name (if any) of the wireless network to which it is connected, the names of nearby routers as reported by traceroute, and (if available) a photo via iSight camera. It stores this information securely in an encrypted local cache. At some random point in the future, it uploads the collected report to the distributed, decentralized OpenDHT network.

By randomizing the interval between location checks and between uploads, Adeona makes it harder for would-be attackers to foil the system by switching the computer off before the check or by observing the upload. By randomizing which OpenDHT nodes receive the upload, Adeona can spread the information across multiple servers. Because the key used to index the upload on OpenDHT is randomized, attackers cannot retrieve your reports or discover which sets of reports are associated with the same machine.

Of course, the key values cannot be truly random -- they are generated by a pseudo-random number generator, and therein lies the key to retrieving the location reports. The intervals, nodes, and keys are completely predictable if you know the initial seed value, and that is stored within the credentials file. Armed with that file, Adeona can calculate the timestamps of every location report, and how to retrieve them from OpenDHT. Since that file is password-encrypted using AES, it is secure from all but a brute-force attack.
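The seed-driven derivation described above, as an added sketch that is not Adeona's own code: an HMAC-SHA256 hash chain (an assumption chosen for illustration, not the project's actual generator) stands in for the pseudo-random number generator, a Python dict stands in for OpenDHT, and the report blobs are constructed placeholders for already-encrypted reports. It shows the laptop storing reports under indices that look unrelated, and the owner replaying the chain from the seed to fetch a window of them, including an interval in which nothing was uploaded.

```python
import hashlib
import hmac

SLOT_SECONDS = 30 * 60  # the article's "approximately once every 30 minutes"

def _prf(state, label):
    # Keyed hash used for every derivation; the label separates the outputs.
    return hmac.new(state, label, hashlib.sha256).digest()

def next_state(state):
    """Advance the generator by one check interval."""
    return _prf(state, b"next")

def slot_params(state):
    """Return (storage index, upload delay in seconds) for one interval."""
    index = _prf(state, b"index").hex()
    delay = int.from_bytes(_prf(state, b"delay")[:4], "big") % SLOT_SECONDS
    return index, delay

class Client:
    """Laptop side: holds only the current state and moves it forward."""
    def __init__(self, seed):
        self.state = seed

    def tick(self, store, blob):
        index, delay = slot_params(self.state)
        if blob is not None:          # None models an interval with no upload
            store[index] = blob
        self.state = next_state(self.state)
        return index, delay

def retrieve(seed, store, first, last):
    """Owner side: replay the chain from the seed, fetch slots first..last."""
    found, state = {}, seed
    for slot in range(last + 1):
        index, _ = slot_params(state)
        if slot >= first and index in store:
            found[slot] = store[index]
        state = next_state(state)
    return found

def demo():
    seed = hashlib.sha256(b"constructed demo seed").digest()  # constructed
    store = {}                        # hypothetical stand-in for the DHT
    laptop = Client(seed)
    for slot in range(6):
        blob = None if slot == 3 else b"encrypted-report-%d" % slot
        laptop.tick(store, blob)
    return seed, store
```

Anyone reading the store sees only unrelated 64-character indices; without the seed there is no way to tell which entries belong to the same machine or where the next one will appear.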

Naturally, a thief with physical access to your machine can do things to disable Adeona -- uninstall it, erase the hard drive, or just keep it disconnected from the Internet. In such situations, no other security product can help you discover your missing machine's location either. Adeona's service is just as strong as any proprietary solution, but with the added strength of anonymity and security.

Test drive

In practice, Adeona is unobtrusive: once you have installed the data collection client, you can forget it is there. That is true even of the camera-enabled OS X build, which I tried along with the Linux package. The green camera LED blinks once when a picture is taken, but I didn't notice a flash until after several hours of continuous use. Compiling and installing the Linux version is a piece of cake; there are no obscure dependencies and it needs no complicated configuration.

In the field, report retrieval is more important than the unobtrusiveness of report generation. If your laptop is stolen, you may have only a short window in which to act, after which your machine could be wiped or shut down to sit on a pawn shop's shelf. The retrieval command on Linux requires command-line switches that specify the start and end times and the number of location reports to fetch. The Mac version is a bit easier to use; it comes as a clickable Terminal script with pop-up windows that request the same information. The same could be done for Linux with Zenity.

In either case, the retrieval process provides human-readable output as it requests and fetches each location report from OpenDHT. The only problem I encountered with the system at all was with OpenDHT itself. OpenDHT is a decentralized database of hashed key-value pairs running on PlanetLab nodes. As such, it provides some fault-tolerance should any particular node become unreachable. But for the first few days of my Adeona test drive, the entire OpenDHT system was down.

I talked to Adeona developer Gabriel Maganis about the issue, because the error message I received from the retrieval script did not indicate OpenDHT was at fault. He assured me that the error message would be fixed in the future, and suggested checking the URL http://www.opendht.org/servers.txt to determine whether OpenDHT was currently up and running.

As to whether OpenDHT storage constitutes a single point of failure that undermines Adeona's utility, Maganis says that there are alternatives in the works. "Additional online storage options is an engineering issue. We plan to have a 'wish list' of some sort on the Web site to invite enthusiasts to maybe implement an Azureus DHT module for Adeona. We were conscious about making the code easy to extend and add to during development and hopefully that is the case."

The Adeona project is hosted at the University of Washington. If you are interested in learning more details of the exact security protocols that make it run, its creators have published a paper describing the system and the attack vectors it counteracts. It not only keeps your location information secure from prying eyes, but it protects your privacy in other ways that a common thief might not have thought of. If you have ever considered purchasing a proprietary device tracking application, read the paper to get up to speed on exactly what makes Adeona superior. And read the source code if you're still not convinced.

Most of us will be lucky enough to never have a laptop or desktop computer lost or stolen, and Adeona's location abilities will only serve as a precaution. But at this price, it is well worth taking that precaution.

Categories:

  • Security
  • Tools & Utilities
  • Reviews