Evil Maid: Road warriors beware
Road warriors, do you know where your notebook is? You better or Evil Maid may get the best of you and your computer.
————————————————————————————
Joanna Rutkowska, founder and CEO of Invisible Things Lab is a well-known security researcher. You may remember Ms. Rutkowska as co-developer of the Blue Pill, a rootkit using virtualization to remain undetectable.
Well, Ms. Rutkowska has upset the order of things once again. Alex Tereshkin, Principle Researcher at Invisible Things Lab, and Ms. Rutkowska have perfected malcode that defeats whole-drive encryption. They named the malware Evil Maid. The name may seem odd, but it’s appropriate. Evil Maid requires attackers to physically interface with computers and hotels full of road warriors are perfect targets.
How it works
As a part-time road warrior I firmly believe in TrueCrypt. Yet, Ms. Rutkowska has me questioning my resolve. To explain why, let’s say I am on the road. After seeing my client, I return to the hotel and begin writing this article. In a few hours, it’s time to meet the client for dinner. So, I turn the notebook off and go to the hotel restaurant.
I’m not sure why, but someone really wants to see what I am writing. So he pays a hotel employee to sneak into my room and do the following:
- The attacker starts out by booting my computer from the Evil Maid USB Stick.
- After booting, an application called “Evil Maid Sniffer” is installed on the TrueCrypt loader, as shown below (courtesy of Ms. Rutkowska):
- The attacker turns the notebook off and leaves.
- I come back later that evening and decide to write some more.
- As soon as I power up the notebook, the Evil Maid Sniffer application records my TrueCrypt passphrase, storing the information on a pre-arranged portion of the hard disk.
- None the wiser, I continue writing. After awhile, I decide I’m thirsty. So I turn the notebook off and head to the bar for a drink.
- Seeing an opportunity, the attacker sneaks back into my room, boots the notebook using the Evil Maid USB Stick.
- The application detects that TrueCrypt loader is infected and displays the passphrase as shown below (courtesy of Ms. Rutkowska):
- The attacker restarts my notebook, enters the correct passphrase decrypting the hard drive, and copies my article.
You can see why it is called the Evil Maid attack; it’s perfect for hotel environments. Ms. Rutkowska also mentioned that the notebook could be stolen once the passphrase is known.
Possible defenses
Mr. Bruce Schneier in his latest security blog has an interesting comment about Evil Maid:
“This attack exploits the same basic vulnerability as the “Cold Boot” attack from last year, and the “Stoned Boot” attack from earlier this year, and there’s no real defense to this sort of thing. As soon as you give up physical control of your computer, all bets are off.”
TrueCrypt has documentation that agrees with this assessment. Mr. Schneier goes on to point out that of all possible fixes, the following is probably the best:
“A few readers have pointed out that BitLocker can prevent these sorts of attacks if the computer has a TPM on the motherboard.”
The reason for creating Evil Maid
Ms. Rutkowska agrees with Mr. Schneier and has been trying to convince developers at TrueCrypt to implement a TPM version of TrueCrypt:
“Personally I would love to see TrueCrypt implementing TPM-based trusted boot for its loader, but, well, what can I do? Keep bothering TrueCrypt developers with Evil Maid attacks and hope they will eventually consider implementing TPM support.”
Until that happens, it appears the only absolute solution is to ensure the computer’s physical security at all times. That said, I noticed many interesting potential solutions in the comments after Mr. Schneier’s post about Evil Maid.
Final thoughts
It seems that whole-disk encryption is not the panacea most people think it is. It protects against someone trying to obtain data after stealing the computer. All bets are off, if an attacker has physical access to the computer on more than one occasion.
Michael Kassner has been involved with with IT for over 30 years. Currently a systems administrator for an international corporation and security consultant with MKassner Net. Read his profile or Twitter at MKassnerNet.
Print/View all Posts Comments on this blog
Road warriors, guard your notebooks
Michael Kassner | 10/27/09
|
Physical Ownership is Everything
rickk@... | 10/27/09
|
|
I agree to a point
Michael Kassner | 10/27/09
|
Prevention DETECTION
tadejv | 10/28/09
|
Simple, yet elegant
Michael Kassner | 10/28/09
|
|
I like the blending of old and new
Neon Samurai | 10/28/09
|
|
Other attack vectors.
ctrogers | 10/28/09
|
|
Other issues also
Neon Samurai | 10/28/09
|
|
jkarl@... | 10/27/09
|
|
Vaio?
Neon Samurai | 10/28/09
|
|
DriveLock?
tadejv | 10/27/09
|
|
A Hard Disk Drive
ocie3@... | 10/27/09
|
|
I delight
santeewelding | 10/27/09
|
|
I thought about using that "word".
ocie3@... | 10/27/09
|
|
The use, sir
santeewelding | 10/27/09
|
|
Commonplace
ocie3@... | 10/28/09
|
|
Maids carry the evil maid?
rgroves@... | 10/27/09
|
|
If the notebook
Michael Kassner | 10/27/09
|
|
Fully agree.
Marty R. Milette | 10/27/09
|
|
Thanks, Marty
Michael Kassner | 10/27/09
|
|
Wow...
KPeoples | 10/27/09
|
|
Just stating facts...
Marty R. Milette | 10/28/09
|
|
I was IT for a company that owned 9 hotels
KPeoples | 10/28/09
|
|
The human factor, revisited
ocie3@... | 10/27/09
|
|
Momentous observation
santeewelding | 10/27/09
|
|
nit nit nit
fw32 | 10/28/09
|
|
Marty, what you say is true for honest hotels in the USA
Deadly Ernest | 10/28/09
|
|
Anything is 'possible'...
Marty R. Milette | 10/28/09
|
|
Door locks
FatNGristle | 10/28/09
|
|
And the preferred method of unlawful entry in many
Deadly Ernest | 10/29/09
|
|
Dude....
QAonCall | 10/27/09
|
|
Are you
Michael Kassner | 10/27/09
|
|
Ironkey
Neon Samurai | 10/28/09
|
|
RE: Evil Maid: Road warriors beware
Jhdenis | 10/27/09
|
|
Just pipped me at the post
neilb@... | 10/27/09
|
|
I believe
Michael Kassner | 10/27/09
|
|
Two-factor authentication
ocie3@... | 10/28/09
|
|
Oh, my
santeewelding | 10/28/09
|
|
made me wanna go reread my docs on boot process
Neon Samurai | 10/28/09
|
|
What about bios password?
basil.cinnamon | 10/27/09
|
|
Good point
Michael Kassner | 10/27/09
|
|
Bios password
saghaulor@... | 10/27/09
|
|
I really like
Michael Kassner | 10/27/09
|
|
Thank you.
saghaulor@... | 10/27/09
|
|
Password the BIOS
Evilroyd | 10/27/09
|
|
Misnomer
mathew.gauvin@... | 10/27/09
|
|
1st line of defense
Evilroyd | 10/27/09
|
|
Lowest hanging fruit
Michael Kassner | 10/27/09
|
|
First rule of criminality
rcfoulk@... | 10/27/09
|
|
I agree completely
Michael Kassner | 10/27/09
|
|
cracking methods never get worse; they only ever get better.
Neon Samurai | 10/28/09
|
|
I think that you meant
ocie3@... | 10/28/09
|
|
Maids are not hackers, we hope.
saghaulor@... | 10/27/09
|
|
That is what
ocie3@... | 10/28/09
|
|
Depending on who you are...
RipVan | 10/28/09
|
|
Scenario: Irrelevant
saghaulor@... | 10/29/09
|
|
What if
Michael Kassner | 10/27/09
|
|
KISS
saghaulor@... | 10/27/09
|
|
For sure
Michael Kassner | 10/27/09
|
|
BIOS Paswword, No Boot to USB and...
jyoung@... | 10/27/09
|
|
Simple question
Michael Kassner | 10/27/09
|
|
Simple Answer: Education and the Right Equipment
jyoung@... | 10/28/09
|
|
and.. the USB goes in the computer bag
Neon Samurai | 10/28/09
|
|
Oh yeah... I know
jyoung@... | 10/29/09
|
|
And don't forget, many of those gov't notebooks have the
Deadly Ernest | 10/29/09
|
|
Yup
rcfoulk@... | 10/27/09
|
|
Unless...
MrRich | 10/27/09
|
|
That would be my thought
ssirvin@... | 10/27/09
|
|
Depends on determination
Michael Kassner | 10/27/09
|
|
That leaves you and me out
santeewelding | 10/27/09
|
|
Nope
Michael Kassner | 10/27/09
|
|
Joanna Rutkowska says
ocie3@... | 10/28/09
|
|
RE: Evil Maid: Road warriors beware
turtle975 | 10/27/09
|
|
Good idea
Michael Kassner | 10/27/09
|
|
Practicality
saghaulor@... | 10/27/09
|
|
Crazy stuff this....but how about
mukababi@... | 10/27/09
|
|
As a person who hates the road which TPM is
Deadly Ernest | 10/27/09
|
|
One way...
MrRich | 10/27/09
|
|
TPM pretty much guarrantees you use MS software to, and
Deadly Ernest | 10/27/09
|
|
Most are already
Michael Kassner | 10/27/09
|
|
Becasue the final lock down stage is to exclude all those not
Deadly Ernest | 10/27/09
|
|
I guess
Michael Kassner | 10/27/09
|
|
Michael, a lot depends on how much of the SCG and its
Deadly Ernest | 10/27/09
|
|
Michael, mea culpa, I forgot, they changed the name again
Deadly Ernest | 10/28/09
|
|
Please pardon me for butting in.
ocie3@... | 10/28/09
|
|
No Ocie, you're not paranoid enough
Deadly Ernest | 10/28/09
|
|
Deadly, sometimes the cure
ocie3@... | 10/28/09
|
|
In this case, Trusted Computing is MUCH worse than
Deadly Ernest | 10/28/09
|
|
Yeah,
ocie3@... | 10/28/09
|
|
Yeah the magnets can be a concern, but pickpockets
Deadly Ernest | 10/28/09
|
|
If you were that worried...
The 'G-Man.' | 10/27/09
|
|
RE: Evil Maid: Road warriors beware
BrianMWatson | 10/27/09
|
|
Well said
Michael Kassner | 10/27/09
|
|
Michale, I know a few people who use high security on a
Deadly Ernest | 10/27/09
|
|
Malware = illegal??
leedsfan88 | 10/27/09
|
|
Please explain
Michael Kassner | 10/27/09
|
|
Evil Maid is clearly designed to attack a system, he's
Deadly Ernest | 10/27/09
|
|
It is perfectly
ocie3@... | 10/28/09
|
|
Not stupid
santeewelding | 10/27/09
|
|
Cheers
leedsfan88 | 10/29/09
|
|
Not as such.
seanferd | 10/27/09
|
|
Otherwise
santeewelding | 10/27/09
|
|
It isn't a crime to make
ocie3@... | 10/28/09
|
|
RE: Evil Maid: Road warriors beware
news@... | 10/27/09
|
|
RE: Evil Maid: Road warriors beware
charlb@... | 10/27/09
|
|
The purpose of
ocie3@... | 10/28/09
|
|
The Poor Man's Solution
ocie3@... | 10/27/09
|
|
You grace your dreadful news
santeewelding | 10/27/09
|
|
hard drive passwords
Michael Horowitz | 10/30/09
|
|
My initial thought is why bother using TrueCrypt?
art@... | 10/28/09
|
|
any chance this will improve policy?
Neon Samurai | 10/28/09
|
|
Interesting
Michael Kassner | 10/28/09
|
|
RE: Evil Maid: Road warriors beware
BobaFettismyuncle | 10/29/09
|
|
not all hotel rooms have safes - then what? -- nt
Deadly Ernest | 10/29/09
|
|
Stay at another hotel in which the rooms have safes.
ocie3@... | 10/29/09
|
|
Good heavens
santeewelding | 10/29/09
|
|
not always possible, not when the company selects where
Deadly Ernest | 10/29/09
|
|
Sensitive data not on laptop at al
Michael Horowitz | 10/30/09
|
|
RE: Evil Maid: Road warriors beware
michaelwillett | 11/02/09
|
|
I'd rather risk someone stealing my data via evil maid than
Deadly Ernest | 11/02/09
|
|
Livecd built for privacy
saghaulor@... | 11/05/09
|
|
Thank you
Michael Kassner | 11/06/09
|
