Hidden RFID reader locks workstation unless keys are present

We don’t know how [Kristoffer Marshall] found himself with free time at work, but he used it to beef up his computer security. Above is the finished project. There is literally nothing to see here. He’s rigged up a hidden RFID reader which locks and unlocks his workstation.

The security of the system depends on xscreensaver, which has a password-protected lock feature already built into it. When the tag is removed from the reader’s field, a Perl script fires up the screensaver.

But waking up from the screensaver is a bit more tricky. The package doesn’t allow you to wake it from the command line — most likely for security. He found the xdotool to be of great use here. It is a command line tool which simulates keyboard and mouse entry. His script detects when the xscreensaver password prompt is on the screen and uses the xdotool to fill in [Kristoffer’s] password. Since the script knows what has focus it won’t give away your password by accident.

See the complete setup in the clip after the break.

39 thoughts on “Hidden RFID reader locks workstation unless keys are present”

    1. This could be a better solution with a passwordless sudo to kill the screensaver than to store the password in plain text and have a script input it… Some pam libraries also work with RFID modules, like Pam mhcrfid, which could then turn off the screensaver. Did something similar a couple years ago with a USB key.

    1. Their home directory is probably automounted from a central NFS server (for backups) and not stored on the local workstation. And NFS does not have any encryption by default, so it could be snagged from the wire in plaintext (at a guess).

    1. Yea I’m that way as well. The only time my keys aren’t in my pocket is when they are in a vehicle ignition switch or next to my checkbook- cellphone- pocket knife-wallet- watch on a stand by the front door.

  1. using pam in the back would really be the better idea!
    xscreensaver uses pam to check the password but using pamexec you can execute an external script to auth and you can have a xscreensaver specific pam config. this way different users can use different rfid tokens to unlock only their sessions, etc.
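
The pam_exec approach this comment describes, as an added sketch that is not part of the original thread or of Kristoffer’s script: a helper that PAM runs for the xscreensaver service only and that accepts a tag only for the user it is enrolled to. The file paths, the enrollment format and the reader daemon that writes the current tag UID are assumptions.

```python
#!/usr/bin/env python3
# pam_exec helper: exit 0 only if the tag on the reader is enrolled for PAM_USER.
# Assumed wiring in /etc/pam.d/xscreensaver (path of this script is hypothetical):
#   auth sufficient pam_exec.so quiet /usr/local/sbin/rfid-auth
import hashlib, hmac, os, sys

ENROLL_DB = "/etc/rfid-auth/tags"    # hypothetical; root-owned, mode 0600
TAG_FILE = "/run/rfid/current_uid"   # hypothetical; written by a reader daemon
ALLOWED_SERVICES = {"xscreensaver"}  # the tag must not unlock sudo, login or ssh

def tag_digest(uid, salt_hex):
    """Salted SHA-256 of a normalised tag UID, as stored in the enrollment file."""
    data = bytes.fromhex(salt_hex) + uid.strip().upper().encode()
    return hashlib.sha256(data).hexdigest()

def parse_enrollment(text):
    """Parse 'user:salt_hex:digest_hex' lines into {user: [(salt, digest), ...]}."""
    db = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if line.lstrip().startswith("#") or len(parts) != 3:
            continue                  # comments and malformed lines grant nothing
        db.setdefault(parts[0], []).append((parts[1], parts[2].lower()))
    return db

def authenticate(user, service, uid, db):
    """True only for an allowed service, a present tag and a matching enrollment."""
    if not user or service not in ALLOWED_SERVICES or not uid.strip():
        return False
    ok = False
    for salt, digest in db.get(user, []):
        try:
            ok |= hmac.compare_digest(tag_digest(uid, salt), digest)
        except (ValueError, TypeError):   # bad hex or non-ASCII in the file
            continue
    return ok

def main():
    try:
        with open(ENROLL_DB) as f:
            db = parse_enrollment(f.read())
        with open(TAG_FILE) as f:
            uid = f.read()
    except (OSError, ValueError):
        return 1                      # fail closed; PAM falls through to the password
    env = os.environ
    return 0 if authenticate(env.get("PAM_USER", ""), env.get("PAM_SERVICE", ""), uid, db) else 1

if __name__ == "__main__":
    sys.exit(main())
```

Tag UIDs are short and can be read and cloned, so the salted digest only keeps the UID out of casual view; keep the enrollment file readable by root alone.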

  2. So……..? We get a two minute video to waste our time showing us what a simple written sentence or two could describe.

    No parts list, no hardware config description, no installation notes, code example buried on the Youtube page which you didn’t list in your write up, etc etc. Basically NOTHING but a fluff video.

    The headline brought me in, and the content kicked me out shaking my head in bewilderment.

    1. By that logic, all RFID based security is security by obscurity.

      The goal here is that if his environment doesn’t have his keys (a form of physical thing) at his desk (his security zone) his machine (the security zone’s arbiter) locks (does the right thing).

      It’s a clever hack, and it’s a cheaper way than how some folks have done it.

  3. Although the theory sounds great, it doesn’t look very practical (takes several seconds to lock/unlock), and it does not sound even remotely secure given that the password is stored in cleartext. Hopefully he at least had disk encryption so that people can’t mess with the root shell.

  4. Actually, it looks like PAM is the only option to properly close xscreensaver. Per the FAQ:

    “Warning: never use kill -9 with xscreensaver while the screensaver is active. If you are using a virtual root window manager, that can leave things in an inconsistent state, and you may need to restart your window manager to repair the damage.”

    If you’re looking for another option, use PAM as others have pointed out or switch to another screensaver.

  5. XScreenSaver author here. This is a cute idea, but the proper way to do this is to write a PAM module that recognizes the presence of the RFID. That’s how other non-password-based authentication systems (fingerprint readers, retina scanners, etc.) work. The bonus of doing it this way is that it works for authentication from normal login prompts too, not just xscreensaver. On another note: it’s great to see that the kiddies up thread still think that “kill” is spelled “kill -9” always. Sure, go ahead and start from there all the time. I’m sure that’ll work out great for you.

  6. There must be an error in the original post language. If it “detects when the screensaver prompt is on” and then disables the screensaver, then I could walk up to his terminal and jiggle the mouse to get in. I assume this is handled by his script, but the hackaday post doesn’t make that clear.

  7. Hi all! I’d like to thank you for the constructive comments! This is pretty much a proof of concept right now. I’ve put in a total of about 30 minutes worth of programming into the script, so it’s nowhere near polished. All physical access is controlled here at work and all my work is cloud based. This script is purely for convenience so my fellow coworkers don’t fool with things like Facebook and G+. With that said, PAM authentication may be in the future for the script. This currently works for my purposes though. Take the code and modify it to your liking.

    And yes, IBM Model M keyboards are awesome.

  8. Your “proof of concept” should at least include PAM authentication. Writing a PAM module should be pretty easy to do. I’ve never done it myself, but it should only take a couple of minutes. And you’re using a plaintext password? REALLY?! WHYY!? Did you write this on your lunch break or something? It works, sure, but I bet I could do better if I wanted to. And I bet you’re using NFS like the other guy said to back up your laptop, because that’s what you Linux people do. What’s this, the 90’s and you’re using Linux? Or better yet Samba! Haha! I bet you’re using Samba.

    Bottom line, you’re doing it all wrong.. you can’t sell this to me if you wanted to. It’s like you just put something together to see if it works.
