This N&O article yesterday got my attention. One of my neighbors installed the open-source Prey tracking software, after which his new MacBook Air laptop was stolen. He used the software to successfully recover his laptop:
While still on his honeymoon, Moss got an e-mail from his landlord. It appeared that his house had been burglarized.
That’s when he took matters into his own hands and tracked down his stolen laptop, using his iPad from his hotel on the small island of Aruba.
Prey software, available in both Mac or PC versions, is a web service that’s free for the first three items a user registers.
The software can detect the wireless network closest to the registered device, even if the user is not signed onto that network. Prey also uses webcam technology, if available, to capture images of the device’s location.
I use open-source software every day so I thought I would look into Prey. It seemed like cheap (free!) peace of mind. Then I read one person’s quick security audit of Prey, after which he began steering people away from it:
Prey is able to parse config files over the web and it blindly accepts them with no authentication whatsoever. This means if an attacker used trivial ARP spoofing attacks on a network, a coffee-shop’s wireless for example, s/he could replace your config file with their own. Worse, what is in your config file gets eval’ed by bash with full root privileges. Simply, this means the attacker can run any code s/he wants to. Your hard drive could be deleted, or a reverse SSH session could be set up giving the attacker a command prompt as root.
Granted, his post is over a year old but it does give me pause. I’ve downloaded a copy of Prey myself and will be looking into it myself this weekend. While I’d like to be able to track my laptop if it’s ever stolen, I don’t want my laptop exposed to a giant security hole for 99.99999999% of the rest of the time.