Similarly, whenever I'm working at my kitchen table I always "lose" my mouse as if there's another monitor connected.
I realized a couple weeks later MacOS display continuity (or "sidecar"?) was connecting to my Mac Mini located directly upstairs using it as a 2nd monitor while I'm downstairs.
My Apple Watch also regularly unlocks my Mac Mini when I'm downstairs (Mac Mini in a bedroom upstairs).
All of these features pose serious security issues if your physical location isn't secure/trusted.
There really should be a "Travel Mode" for MacOS that disables features like these. No one wants airport security to open a laptop and have the Apple Watch immediately unlock it for them while standing 20 feet away (or in another room).
Your watch really shouldn’t be able to do that. The pairing uses p2p latency as a way to determine if you are actually close enough to your Mac to want to unlock it.
I’ve used it for years now with a variety of watches and Macs and I’ve always had to be right next to the computer with a fairly clear line of sight between them. Even putting my watch on the other side of my body is normally enough to make it tell me that the WiFi signal isn’t strong enough to unlock it.
To play devil's advocate, it would be very easy to create custom rooms in which a detainee is held in a room against a paper wall (with their locked device on the other side of the paper wall). The orientation of their seating arrangement could be such that it always places the detainee's watch closest to the device.
To me, that's just a failure on the Bluetooth spec's part, period. All reasonable Bluetooth devices should come with a selector which allows you to choose which device to connect to [1]. Instead, there's this crapshoot, where, if there are multiple Bluetooth devices near you, you'll get paired with a random one, and will have to disable Bluetooth on it to roll the dice again.
[1] For cheapest devices, a physical button that goes to the next available device would still make a world of difference.
Definitely should be an OS-level feature to disable all that, similar to using panic mode on iOS to disable biometrics.
I personally boot my laptops to the filevault screen and no further when going through the security checkpoints. Keeps the disk encrypted and requires my password to continue.
Doesn't look like Filevault has a duress option— otherwise it'd be pretty nice to have a separate password that boots you to a dummy partition showing a fresh desktop install with apparently nothing on it. For bonus points, you could have the dummy OS kernel-patched so that it doesn't even show the other partitions as existing, and just pretends it's occupying the whole disk with mostly empty space.
"That computer? Oh yeah, I just picked it up, officer; was going to start configuring it when I arrive at my destination."
You should spend a few minutes in settings. Continuity allows a mouse and keyboard to run multiple Macs and iPads. You move the cursor all the way over to the end of the screen. It stops but if you push more it will switch to the neighboring Mac. Easy to disable in settings. You can unlock your other Mac this way (I think), and Apple Watch will unlock if you are close by. All changeable in settings.
I don’t really trust it. The sports bands (which I find most comfortable) are especially vulnerable to being “scooped” off the wrist with two fingers in a single motion without interrupting the presence detection.
Do you have any more info on that? I've been able to find videos of people taking the sports band off, but it didn't look like any of the techniques were attempting to avoid interrupting the wrist presence detection
Two fingers under the watch (far enough to cover the heartbeat sensor) and a swift upwards yank will pop the strap underneath and it’ll lift right off.
The thing is, if someone has your unlocked watch, what can they really do? This is a question I’ve never really known the answer to and doubt you ever would know clearly.
Certainly banking apps don’t seem to have a lot of functionality on watchOS, but I’m unsure to what extent being signed in on an unlocked watch is the same as being signed in on an unlocked phone. Can I authorise a new phone just from the watch? I can certainly get 2FA codes to the watch, so the answer I guess is maybe.
Well I'll be damned, so you can. With a watch alone they'd have limited access, but if you steal somebody's watch without the watch realising it's been removed & also steal their phone you can almost certainly unlock the phone with the watch (my partner + I use that all the time when driving... they pick up my phone, show it only their eyes, and the phone assumes it must be me wearing a mask and so it uses my unlocked watch on my wrist to unlock the phone).
The good news, however, is that you don't appear to be able to use the Apple Watch mask unlock feature to pass further Face ID checks deeper in the system once unlocked, so your banking apps & password manager are safe... but your messages & e-mails are not...
OK, but most people don't use burner laptops /phones and are often subjected to unreasonable searches at the border by federal agents during entry at international airports, etc.
I think you got this backwards. The 5th amendment means that the state can not force you to share information you have in your head, e.g. you can not be forced to give a password. But the state can force you to give a physical key, hardware token, or a biometric read.
Oh yeah, for some reason my brain reversed the logic, thanks! :D
Though certain EU courts can “make you give up” your password, as far as I know. Nonetheless, security is only good when it is used — widely-used biometrics with a potentially stronger password (due to not having to enter it all the time) is statistically safer for the population over everyone having “password1” as a secret. Especially with a good fallback like emergency mode on iPhone/Apple Watch. Afterwards only the password can unlock the device, and it is a single long press of two hardware buttons.
You are right about the EU. There are many free democracies that do not consider passwords to be protected under their "no self-incrimination" version of the US 5th amendment.
Can they force you to give up the post-it on which you wrote down your password? If yes, are there any real limits to how much pressure they can apply before they give up? If no, what's stopping them from giving you a pencil and a stack of post-its, and letting you know they'll keep applying pressure until you produce a post-it with the password on it, which they "know" you have "somewhere"?
Point being, I feel this is getting into xkcd://538 territory.
Depends. If you have the resources to hire a lawyer, then what you describe is governmental overreach borderline on torture that will lead to the government paying out to you when you sue them and plenty of government employees being reprimanded or fired. If you do not have these resources and end up before unscrupulous law enforcement, you might very well have your rights abused until a journalist or the ACLU or some other equivalent decides to fight for you.
Given overwhelming evidence and an overworked public defenders office, you’re not going to take a chance on going to court where you will probably lose.
> There really should be a "Travel Mode" for MacOS that disables features like these.
Sadly that is not the Apple way. We'll have to wait years for them to come up with a "solution" that doesn't involve a disable button. If they even decide to work on it.
macOS Lockdown Mode is not intended to be used by casual travelers to prevent unintended macOS unlocks.
Per Apple, “Lockdown Mode is an optional, extreme protection that's designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.”
Which is why you shouldn’t have a 4 digit PIN. By default Apple devices have wanted a 6 digit PIN for a while now. I have an 8 digit one on my watch, but use a passphrase on my iPhone.
Amusingly simple, practical solution. What's the wake time difference from power off vs sleep for a modern MacBook? I don't have one. Oh, I suppose the power off time would be longer than simply shutting the lid, too.
Can you configure it to power off when the lid shuts?