Image of the glider from the Game of Life by John Conway
Skip to content

Evil Maid

Two weeks ago, we had the Utah Open Source Conference, and I gave a presentation on how to crack passwords when you have physical access to a box. You can find my slides and materials here (3MB tar.gz). As an overview of my presentation, I discussed that if you have physical access to a machine, you can easily get administrative rights (root on Unix-like machines), and as a result, get access to the password database and user accounts, and use software to brute force the passwords out of the database.

I then finished up showing how to break encrypted filesystems using the cold boot attack. The University of Princeton has an excellent white paper, video and software on how to make this possible. The idea is simple- read the contents of RAM immediately after a shutdown, then use software to search through that memory dump finding a passphrase used on the encrypted filesystem. The only problem with this attack, is the limited scope of software in which it is effective against.

Enter Evil Maid.

The idea is simple. Because you still have access to the target machine, rather than doing a cold boot attack, memory dumps and additional processing on the RAM dump, install a different boot loader that contains a key logger. When the target enters the encryption passphrase on his machine, the key logger will have grabbed every key stroke, either saving it somewhere on disk for later retrieval, sending it over the Internet to the attacker, or whatever is necessary to get the passphrase.


This is more effective than the cold boot attack, or even the "stoned boot" attack that Bruce Schneier covered earlier this year, but it's still not without its weaknesses. This attack assumes that the target will power on the computer at a later time, and enter the passphrase for the encrypted filesystem. The attacker would not want to actually steal the powered down computer.

This is why it is called "Evil Maid"- you leave your computer in the hotel room, the housekeeping maid comes in to clean your room, but while there, installs the boot loader and key logger, then repowers down your computer. When you return to the hotel room, you power on, enter the passphrase, do you work, or whatever. The next day, when the maid returns, she returns, most likely to either retrieve the key and restore the previous boot loader, erasing her tracks. Now she has access to your data, can image the drive for offline analysis and have all sorts of nasty fun.

This should say something about encrypted filesystems. They really only protect you if the drive is stolen, and the computer has been powered down. Other than that, there is an important security lesson to learn here. If someone has physical access to your computer, with the intent to do harm, there is no stopping them from getting administrative rights on the machine, installing software, archiving data, imaging drives, etc. As a result, this should tell you something valuable: if possible, as in the case with laptops, keep your computer with you in untrusted environments.

There are possible protective measures to protect yourself against such an attack. Storing your computer in a strong box under lock and key might work. Although the attacker only needs to be proficient with lock picks, this is a good first safe measure. Many hotels offer such strong boxes. Second would be hardening your BIOS to help prevent such an attack. Again, just a "speed bump" do a dedicated attacker, but it could be enough to deter. Lastly, because this attack assumes installing software on non-encrypted boot partitions or sectors, getting a hash of the non-encrypted boot partition and storing on a separate USB key could be valuable. Thus, when you travel, before you boot the machine from the hard disk, you could boot from a live CD, and check the hash of the boot sector against the hash stored on your key. Of course, if the attacker ever gets access to your USB key, the hash could be corrupted or modified.

Long story short- don't leave sensitive data on your machine in untrusted environments, such as hotel rooms. Take your computer with you whenever you can and shut it down when not in use.

{ 8 } Comments