Obi Public Docs
  • FOR USERS
    • Quickstart: Using Obi
  • FOR BUILDERS
    • Obi: Cross-Chain Account and User Management
    • Dev Quickstart: Connecting Your App
    • Dev Quickstart: Building Multi-Chain Apps
    • 🔵The Obi Smart Account Suite
      • 🔒Multikey
        • 🎣Preventing Phishing
        • 📲SMS and Other Web2 Providers
        • 💕Final Recovery
      • 🔍Signet
        • Draft Signet Whitepaper
      • 💕Extra Life
      • 🤖Automatons
      • ⏳Sessions
        • Threshold Escalation
      • 🧙‍♂️Party Members
        • Allowances: Hot Wallets, Budgets, and Subscriptions
        • Allow/Block/Delay Lists
      • 🧩Obi Stack Overview
      • ⛽Gasless UX
      • 🔍General Obi Features
      • 📜Smart Account Design Philosophy
      • 🏗️Smart Contract Architecture & Flow
    • 🛣️Roadmap: Upcoming Features
      • 🔧Duress Mode
      • 📳Security Notifications and Lockdowns
      • ✋Global Transaction Limit (Sanity Limit)
      • 🌐Obi Service Providers
        • Incentivizing Service Providers
    • 🥇Obi's Unique Advantages
    • 🔢Multikey Attack & Loss Vectors
      • Passkey
      • Cloud Key
      • SMS Key
      • Telegram Key
      • WhatsApp Key
      • Social Recovery Key
      • Email Recovery Key
      • Ledger Hardware Key
      • Map Points Key
      • NFC Key
      • Major 2 Key Loss Vectors and Mitigations
      • Major 2 Key Attack Vectors and Mitigations
      • “Unlocked Obi Theft” Attack
  • Glossary
Powered by GitBook
On this page
  1. FOR BUILDERS
  2. Multikey Attack & Loss Vectors

“Unlocked Obi Theft” Attack

Most of the attack and loss vectors are remarkably different among keys. Still, a scenario in which a user’s phone is stolen with an Obi application unlocked is conceivable. It is particularly threatening if some other item such as an NFC key or Ledger is stolen along with the phone. Even Security Notifications will offer no protection since the user’s device is stolen.

In this case, the attacker would be unlikely to have access to the user’s Device Key, as every single use is guarded by OS-level biometric or passcode protection. If the attacker switches to the user’s email application, they will be unable to re-enter the Obi application without again passing the OS-level biometric or passcode protection. However, a sophisticated attacker may be able to use any combination of the following:

  1. Keep the Obi application open, and thus have access to a Cloud Key.

  2. Know the security answer from previous research, and thus have access to SMS, Telegram, or WhatsApp Key.

  3. Use a stolen Ledger Key or NFC Key.

  4. Use an observed passcode to have access to Passkey.

  5. Use observed or learned Map Points.

  6. Use their social key, if the attacker is also the user’s social recovery partner.

Each of these is unlikely by design, since each requires more than just stealing the phone – except, perhaps, for #1.

In order to reduce the likelihood of #1, then, using the connected Cloud Key is also guarded by biometrics (though not Device Key), as if unlocking the application.

To reduce the likelihood of #2, the user can optionally force the Obi app to never send SMS, Telegram, or WhatsApp requests – in this case, the app will switch to the relevant application with a pre-filled message which the user must send. This will require the app to be unlocked when switching back, and thus is more secure.

#3 NFC can require a PIN code at the WebAuthN level. Ledger is less of a risk due to the PIN code.

#4 is difficult to protect against, and would make all of the above proposed protections invalid. Users with any high value should have a secure (not numeric) passcode and take care to protect it.

A user still may be able to take certain actions in the case of #4 in order to lock the thief out of the account, even if temporarily, before funds can be stolen, especially if they have activated protections such as delays and global maximums. For example, even without their device, the user could:

  • trigger a defense mode which sends an alternate SMS code. While this looks like a normal code to the thief, when entered it can instruct the app to lock or pause functionality.

  • disconnect cloud accounts so that the app cannot access cloud keys

PreviousMajor 2 Key Attack Vectors and MitigationsNextGlossary

Last updated 1 year ago

🔢