Image of the glider from the Game of Life by John Conway
Skip to content

Evil Maid

Two weeks ago, we had the Utah Open Source Conference, and I gave a presentation on how to crack passwords when you have physical access to a box. You can find my slides and materials here (3MB tar.gz). As an overview of my presentation, I discussed that if you have physical access to a machine, you can easily get administrative rights (root on Unix-like machines), and as a result, get access to the password database and user accounts, and use software to brute force the passwords out of the database.

I then finished up showing how to break encrypted filesystems using the cold boot attack. The University of Princeton has an excellent white paper, video and software on how to make this possible. The idea is simple- read the contents of RAM immediately after a shutdown, then use software to search through that memory dump finding a passphrase used on the encrypted filesystem. The only problem with this attack, is the limited scope of software in which it is effective against.

Enter Evil Maid.

The idea is simple. Because you still have access to the target machine, rather than doing a cold boot attack, memory dumps and additional processing on the RAM dump, install a different boot loader that contains a key logger. When the target enters the encryption passphrase on his machine, the key logger will have grabbed every key stroke, either saving it somewhere on disk for later retrieval, sending it over the Internet to the attacker, or whatever is necessary to get the passphrase.

THIS WILL WORK ON ANY OPERATING SYSTEM AND IS EFFECTIVE AGAINST ANY FILESYSTEM ENCRYPTION SOFTWARE!

This is more effective than the cold boot attack, or even the "stoned boot" attack that Bruce Schneier covered earlier this year, but it's still not without its weaknesses. This attack assumes that the target will power on the computer at a later time, and enter the passphrase for the encrypted filesystem. The attacker would not want to actually steal the powered down computer.

This is why it is called "Evil Maid"- you leave your computer in the hotel room, the housekeeping maid comes in to clean your room, but while there, installs the boot loader and key logger, then repowers down your computer. When you return to the hotel room, you power on, enter the passphrase, do you work, or whatever. The next day, when the maid returns, she returns, most likely to either retrieve the key and restore the previous boot loader, erasing her tracks. Now she has access to your data, can image the drive for offline analysis and have all sorts of nasty fun.

This should say something about encrypted filesystems. They really only protect you if the drive is stolen, and the computer has been powered down. Other than that, there is an important security lesson to learn here. If someone has physical access to your computer, with the intent to do harm, there is no stopping them from getting administrative rights on the machine, installing software, archiving data, imaging drives, etc. As a result, this should tell you something valuable: if possible, as in the case with laptops, keep your computer with you in untrusted environments.

There are possible protective measures to protect yourself against such an attack. Storing your computer in a strong box under lock and key might work. Although the attacker only needs to be proficient with lock picks, this is a good first safe measure. Many hotels offer such strong boxes. Second would be hardening your BIOS to help prevent such an attack. Again, just a "speed bump" do a dedicated attacker, but it could be enough to deter. Lastly, because this attack assumes installing software on non-encrypted boot partitions or sectors, getting a hash of the non-encrypted boot partition and storing on a separate USB key could be valuable. Thus, when you travel, before you boot the machine from the hard disk, you could boot from a live CD, and check the hash of the boot sector against the hash stored on your key. Of course, if the attacker ever gets access to your USB key, the hash could be corrupted or modified.

Long story short- don't leave sensitive data on your machine in untrusted environments, such as hotel rooms. Take your computer with you whenever you can and shut it down when not in use.

{ 8 } Comments

  1. jimcooncat using Firefox 2.0.0.17 on Ubuntu | October 23, 2009 at 7:15 am | Permalink

    My advice:

    Set BIOS to boot only from hard drive
    Password protect BIOS setup
    Take out two of the screws that hold it together and liberally apply epoxy.

  2. Daniel T Chen using Firefox 3.5.4 on Windows XP | October 23, 2009 at 7:55 am | Permalink

    Right, we've pretty much always equated physical access with game over.

  3. Joseph Scott using Safari 531.9 on Mac OS | October 23, 2009 at 10:40 am | Permalink

    I agree with Daniel, once physical access has been gained then everything else is just a matter of time. That isn't to say that throwing up a few barriers to extend the length of time required to gain control isn't worth while, they just shouldn't be viewed as anything more than that.

  4. me using Firefox 3.5.3 on Windows XP | October 25, 2009 at 4:17 am | Permalink

    "THIS WILL WORK ON ANY OPERATING SYSTEM AND IS EFFECTIVE AGAINST ANY FILESYSTEM ENCRYPTION SOFTWARE"

    WRONG!

    Windows Vista and 7 have Bitlocker that can be configured to use TPM chip on motherboard. If you will change anything in boot loader the checksum will change and TPM will notify you about it.

    Additionally some laptops like Lenovo Thinkpads use ATA password mechanism that can lock the drive, that mechanism adds complexity to this kind of attack.

    TPM works only with Windows and Bitlocker.

  5. Aaron using Debian IceWeasel 3.5.3 on Debian GNU/Linux 64 bits | October 25, 2009 at 7:25 am | Permalink

    @me no, it's not wrong. It will still work against Windows, and it will still work against Bitlocker. Just because you can change the default settings, daesn't mean it doesn't apply to Windows any longer. I didn't say THIS WILL WORK AAGAINST EVERY KNOWN CONFIGURATION, did I. So, it's still effective against Windows, and it's still effective against Bitlocker. Sure, there are ways to mitigate this attack, such as using hard drive passwords or TPM, but the point of that statement is that this attack is platform and software independent.

  6. Kevin DuBois using Firefox 3.0.1 on Ubuntu | October 25, 2009 at 5:56 pm | Permalink

    Yeah, but if they're skilled enough to do this attack, they're probably not gonna be cleaning hotel rooms for a living...

    Right? ;-)

  7. Aaron using Debian IceWeasel 3.5.3 on Debian GNU/Linux 64 bits | October 26, 2009 at 1:48 am | Permalink

    @Kevin DuBois- Maybe, maybe not. Do you trust that assumption? :)

  8. Charles Curley using Firefox 3.5.4 on Ubuntu | November 7, 2009 at 7:22 am | Permalink

    "Mossad reportedly used a Trojan to hack into a Syrian official's laptop while he stayed in a London hotel."

    http://www.theregister.co.uk/2009/11/06/mossad_syria_trojan_hack/

    OK, probably not everyone here is a Syrian official, but still...

{ 1 } Trackback

  1. [...] CDROM, network or USB. This step is necessary to hopefully avoid the Evil Maid attack, something I’ve already blogged about here. In summary, the Evil Maid attack is booting your computer from a USB or CDROM, replacing your [...]

Post a Comment

Your email is never published nor shared.

Switch to our mobile site