Open source project tracks stolen laptops

Researchers at the University of Washington and University of California, San Diego, have released Adeona, an open source application for tracking missing laptops on Windows, Linux and Mac OS X. There are many commercial applications for tracking laptops, but Adeona is different because it focuses on the privacy of the laptops and their owners.

When a user installs Adeona on a laptop, they are asked for a password which Adeona uses to encrypt data. Adeona then generates a "retrieve credentials" file, which the user needs to take and save for later use. With Adeona installed, the software sleeps in the background, starting up at random intervals. It then looks for the IP address of the laptop and probes the local and remote network, recording routes to known sites on the net. On Mac OS X, it can also take a snapshot of whoever is in front of the machine using the built in webcam. Once the Adeona client has that information, it generates a key and encrypts the data it has just acquired and saves this information to a distributed hash table.

Typically, a location tracking application would send the laptops location to a server where it would be stored, which can be considered a privacy issue, requiring that you trust your tracking supplier and their own security measures. Adeona uses OpenDHT, an open distributed hash table to store its location information. A distributed hashtable acts as a cloud of key/value pairs, served by multiple machines on the internet. An application wanting to store something in the cloud would generate a hash key using whatever rules it defines, and asks the cloud to save a value with that hash key. Other applications with that key can then retrieve the value from the cloud.

With Adeona, the key is generated from information only the person who installed Adeona on the machine should have, and a tiny amount of information about when the tracking was performed. The value of the key/value pair is an encrypted version of the location information. Because the key just appears to be some arbitrary value, people probing the OpenDHT cloud have no idea that a key may be related to Adeona, let alone who or what machine it belongs to. This is how Adeona manages to be private, while leaving the data out in the open.

Assuming Adeona has been installed on a laptop and that laptop has gone missing, the retrieval process is simple. You install and run the Adeona retrieval application which comes with the Adeona package. It will ask for the "retrieve credentials" file that was generated when Adeona was installed on the lost laptop. Adeona uses the credential file to predict what key would have been generated when the laptop may have saved it's location to the OpenDHT cloud. It probes the cloud, looking for keys that match those predictions. It can predict and scan a range of days, defaulting to looking back from "now" to two days ago. When it finds a key, it retrieves the value, which it then decrypts using the password and leaves the result your desktop. If the webcam option is enabled, you also get an image of whatever the laptop was pointing at. It is currently up to the user to map the IP address information to a physical location using a IP geolocation service.

The article's author caught on camera during testing Adeona is, at this time, primarily a research project and this release is a beta version based on prototype code. The location capture software makes no overt attempt to hide itself on the machine it is installed on and is easily uninstalled. In testing it, we found that it worked quite well, delivering to us IP location information and a picture which we easily retrieved. The location information included the SSID name of the access point the laptop was using and a internal and external IP addresses, though all the geo-location sites we located placed our IP in the data centre of our ISP, which emphasises a limitation of IP only location. Also, the use of OpenDHT does limit the persistence of the location data, OpenDHT only promises to keep a key/value pair in the cloud for a week, but the design of Adeona would allow it to work with any distributed hash table which could have longer persistence. The results generated with Adeona's retrieval tool also, sensibly, advise that you do not try and retrieve your laptop yourself, but leave that task to the appropriate law enforcement authority.