If you are a Mac user and you haven’t heard of Objective-See, you should have. Objective-See is a company founded by former NSA guy† Patrick Wardle that provides some excellent security tools for macOS. Objective-See’s “Do Not Disturb” application is a very cool physical security tool for Mac users that alerts you if your Mac’s lid is opened.
Do Not Disturb, Evil Maids!
Do Not Disturb is intended to offer a layer of protection against evil maid attacks. The “evil maid” attack is an attack vector in which someone gains physical access to your computer. Ostensibly this happens in hotels (hence the name) because we frequently leave laptops in hotel rooms. Patrick conceived of the idea while visiting Moscow, and in his words in an email to me, “tl;dr tinder date in russia w/ a woman who worked for the Russian govt.” You can probably read between the lines there, or check out a more detailed account here.
Do Not Disturb simply records instances of your Mac’s lid opening. It can log these locally, or transmit the event to a paired iOS device. You can program Do Not Disturb to take actions on the machine, or you can take a limited set of actions from the paired phone. I’ll get into this a bit more later on.
This isn’t a perfect security model, and Objective-See is honest about that. This ONLY records instances of the lid being opened. Attackers who would exploit your computer without opening the lid would not initiate any alert from Do Not Disturb. There are some other instances in which this application does not work, and I’ll address those a little further down.
Using Do Not Disturb
Tools from Objective-See are simple, free‡, and easy to install, and Objective-See provides detailed installation, use, and troubleshooting instructions. I won’t retread all of those here. I’ll briefly cover how I set up the application, and how it has worked for me.
After installing it, Do Not Disturb is dead simple to use. It requires just a bit of setup and it can be enhanced by pairing an iOS device. There are four settings options across the top of the GUI. Let’s look at these quickly.
The first category is General and defines the application’s basic functions via five check boxes. Each of these is pretty much self-explanatory. I run my instance in Passive Mode and No Icon Mode. I would not want an attacker to see any indication that this app is running. I have also chosen to have Do Not Disturb start at login.
Unfortunately my Mac doesn’t have TouchID. If yours does, you can prevent Do Not Disturb from sending a notification every time you open your machine simply by swiping your fingerprint after login. Finally, the “No Remote Tasking” setting prevents your paired iOS app from being able to activate the camera or shut down the computer remotely.
The second menu category is “Action.” Any number of desired actions can be taken if you’re willing to write a script for them. I don’t take any specific action beyond “Monitor” which keeps logs of what happens during the first three minutes after the computer is awakened.
The “Update” category allows you to check for updates and disable automatic updates. I advise against disabling automatic updates.
Do Not Disturb with Paired iPhone
The “Link” option allows you to pair an iOS application (Do Not Disturb Companion) to the desktop application. After the app is installed, open it. You will be prompted to scan a QR code. On your Mac open Do Not Disturb and select the “Link” option. A lengthy QR code will be displayed that will pair the two applications.
With this setup you will receive notifications on your phone(s) that your computer’s lid was opened.
You also have the option to take some other actions. The application can disregard the notification, activate the camera, or shut down the computer. Be advised: the shutdown command is a hard power off; all applications will be closed immediately and the machine will shut down (which…you probably should have shut it down before you left the room).
There are a couple of other notes concerning the Do Not Disturb Companion. First, it is not produced by Objective-See, but rather by Digita Security, a company also owned by Wardle. Secondly, while the Mac app is free, the iOS companion is not. It costs a very reasonable $0.99/month or $9.99/year. I like the flexibility of this pricing structure; you can keep it on your device all the time for a mere 10 bucks, or just spend a buck every time you travel.
My Experience with Do Not Disturb
I have been using this application for several weeks now. Overall I’m pretty pleased with it; I can simply close my laptop’s lid when I leave the house and have a reasonable expectation of being told if it gets opened. There are a couple of tricky problems with this, though.
First – obviously – you only get a notification on your phone if both devices (Mac and iPhone) are connected to the internet. Without a connection there is no way to get that message to your phone. Sometimes a device with a VPN running can struggle to get an internet connection, which slows this alert.
Secondly, the ability to activate the camera is very cool. However, I (and probably most of you) keep my camera covered. I have a sliding cover that allows me to use the camera as needed, but it is almost always closed. To use it in this way I have to remember to open the camera cover before I leave. To be honest I’ve only remembered once, and that was when I was explicitly testing the camera function. One would have to work diligently to make this a consistent part of his or her daily routine.
Finally, even though the application launches on boot, I couldn’t get it to send out a message that the machine has booted up. This could be because I don’t have it installed on the only account that can boot my computer (more testing is probably in order). If you’re leaving your computer unattended, it should be fully SHUT DOWN. This is the only way you get the full measure of protection from full disk encryption. Getting a message that the machine has been started (and having the ability to shut it down) would be nice, but I also understand there are probably some programming challenges involved with this.
Most Mac users probably aren’t as fastidious as my readers about shutting down their computers before leaving them behind. I suspect that the vast majority of Mac owners only rarely do a full shut down. Do Not Disturb is an outstanding tool for that set of users. This is a pretty cool tool for us security nerds, too. If this fits into your threat model, try it out for free. Also, check out Patrick’s other tools.
I paid for a yearly subscription to the Companion, and I’ll be leaving Do Not Disturb installed on my Mac. I will also be supporting Objective-See’s mission via Patreon very shortly.
†I know, I know – he’s probably a .gov plant. In the privacy community we believe everyone who has ever been in the military or held a government job is now a robot that turns everything directly over to the government. Except Mr. Snowden, of course…
‡ If you would like to support Objective-See, you can – and should – via Patreon.