[Ed. GadgetTrak have replied to a number of Ryan’s criticisms — see the update at the end of this post]
Lots of consumer electronics devices connect to a PC via a USB connection, such as mp3 players, flash drives, digital cameras and mobile phones, and the amount and range of information that they can carry is astounding — gigabytes of music, video, photos and documents. Some of these can contain important information, such as personal details or business secrets, while others may just be of sentimental value and of little interest to anyone else. In either case, losing one of these devices, be it from theft or misplacement, is at best a nuisance, and at worst can be a disaster.
GadgetTrak have developed a software system that can be installed onto supported USB devices, which they claim provides a means of tracking those devices, in the event that they are lost or stolen. Various membership options are offered, starting at $12.95 for one device, increasing to $45.95 for up to twenty devices.
There are two constituent parts to the GadgetTrak Recovery System — the software that needs to be installed onto the USB device itself and the web-based tracking service. Once your GadgetTrak account has been activated you can register your device(s) via the website, where you’re asked to enter the device type (MP3 Player, USB Flash Drive, Digital Camera, Sony PSP, GPS System, Other), manufacturer, model and serial number. Once registered, it will appear on the device list and you can edit or delete the device as expected.
Next you’re required to install the software onto your registered USB device, so that it will “phone home” once you report it as missing. To do this, you first need to download a zip archive containing the following files: a PDF with setup instructions, an autorun file, an icon file, the “phone home” application itself, and an “id” file which contains the device’s unique 40-character reference generated by the GadgetTrak website. These files (with the exception of the pdf) are then extracted to the root of the device.
How the GadgetTrak software phones home
The GadgetTrak system works in a number of ways to ensure that the protected USB device phones home automatically. Firstly, the autorun file causes the GadgetTrak application to be launched whenever the device is plugged into a computer, as well as changing the default behavior in Windows Explorer so that double clicking on the device’s icon also runs the application. Secondly, the application is named passwords.exe, and the icon is set to look like a text file. In Windows XP, with the default settings, file extensions are hidden, so to a casual viewer the device will look like it contains a text file called passwords — creating a nice little “honeytrap”. Once launched, the GadgetTrack application sends details of the device and the computer back to the GadgetTrak website.
The GadgetTrak website is where you can activate the tracking system, so that you receive an email alert every time your device is been plugged into an Internet-connected computer, and finally, view a report containing the details sent back to the website when your device “phones home”. This includes the date and time of connection, the public IP address, the internal IP address, username, computer name and (approximate) location. It also displays a Yahoo! map of the location.
However, the GadgetTrak system falls down in a number of ways, by making too many assumptions in order to work:
- The USB device will be plugged into a Windows system. Only XP/2000 are supported (and Vista is partially supported according to GadgetTrak’s FAQ).
- Autorun has to be enabled. On my system, as on many others, autorun is disabled because it is an annoying feature if you are changing CDs regularly or plugging in/unplugging USB devices!
- The thief is stupid. Again, a lot of people that are more technically minded have the file extensions visible, making the idea of masquerading the executable as a text file a bit redundant, and raises the alarm straight away.
Even with these assumptions, the information that is returned when a GadgetTrak-protected device “phones home” maybe of little use. By the time you get the email report from GadgetTrak, the thief could have already passed on the device, which means that any information you’re given might point to an innocent party. Also an intelligent thief could share the “phone home” application and ID files over the web, disguised as another legitimate program, causing false reports from numerous locations.
I was also quite disappointed that the program made no attempt to encrypt the data on the device once it has been flagged as stolen or lost. It is one thing notifying the website where the device may possibly be, but if the data can be siphoned off and passed on, then the damage may already be done before it can be recovered.
All in all, I can see the GadgetTrak system having limited use in the real world, although it maybe more viable in a University or company campus environment, where the network can be more easily interrogated. Another point worth mentioning is the GadgetTrak Labels – which work in reverse the “phone home” approach. If the device has a GadgetTrack label on it, the finder can enter the unique code into the GadgetTrak website to arrange for anonymous communication to allow the safe return of the item.
Update: In an email sent a few hours after we published our review, GadgetTrak have attempted to address a number of our criticisms.
We actually have a Mac solution that will be available this week. Also regarding your comment about the “real world”, of the 5 devices that have been reported stolen in the past two months we have recovered 4 for our subscribers. In our experience and in discussions with law enforcement, thieves are usually in a hurry and nervous, the first thing they do when they steal an iPod or other device is remove anything that can identify the original owner, for iPods this means they will access the USB partition to look for any files that can finger the original owner, it is the same with other devices such as GPS systems and USB flash drives. Yes, you may have autorun disabled but that is quite rare actually and requires some knowledge to implement on a system, considering most opt for the default installation our solution will work the majority of the time. Think about a thief, odds are that they are not gainfully employed and as such probably lack the technical skills of folks reading this blog. To your point about the Passwords file, our recent recovery had 10 connections in a row, this meant the thief accessed the USB partition and kept on clicking the passwords file trying to open it. Technical geeks such as ourselves are much more likely to be the victims of gadget theft, than the perpetrators.