Thursday, October 22, 2009

"Protect the Data" from the Evil Maid


I recently posted "Protect the Data" from Whom?. I wrote:

[P]rivate citizens (and most organizations who are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat.

Joanna Rutkowska provides a great example of the importance of knowing the adversary in her post Evil Maid goes after TrueCrypt!, a follow-up to her January post Why do I miss Microsoft BitLocker?

Her post describes how she and Alex Tereshkin implemented a physical attack against laptops with TrueCrypt full disk encryption. They implemented the attack (called "Evil Maid") as a bootable USB image that an intruder would use to boot a target laptop. Evil Maid hooks the TrueCrypt function that asks the user for a passphrase on boot, then stores the passphrase for later physical retrieval.

The scenario is this:

  1. User leaves laptop alone in hotel room.

  2. Attacker enters room, boots laptop with Evil Maid, and compromises TrueCrypt loader. Attacker leaves.

  3. User returns to hotel room, boots laptop, enters TrueCrypt passphrase. Game over.

  4. User leaves laptop alone in hotel room again.

  5. Attacker enters room again, boots laptop with Evil Maid again, and retrieves passphrase.


Joanna recommends implementing a product that supports Trusted Platform Module (TPM), like Microsoft BitLocker. A detection-oriented workaround is to calculate hashes of selected disk sectors and partitions and decide that mismatches indicate an intrusion has occurred. That approach still misses BIOS-based attacks but it's the best one can do without TPM support.

11 comments:

Mike Rothman said...

More likely the Evil Maid is going to poach the laptop and sell it on the gray market for $50. Security researchers spend a lot of time on these edge cases, while the soft chewy center is still where most of the problems are.

I'm not saying that understanding the soft targets within the devices and operating systems we use isn't important. But it's a big world out there and these attack vectors just don't seem very likely to me.

We are better served to fill the gaping holes before we worry about evil maids.

Mike Rothman
http://blog.securityincite.com
http://blog.eiqnetworks.com

Anonymous said...

Wouldn't this be defeated by using a keyfile? If the keyfile is on a usb flash drive that you keep with you, then the passphrase alone would do no good.
I haven't used TC's full disk encryption yet. Does it support key files the same way as it does for encrypted volumes?

-oldami

Richard Bejtlich said...

oldami, Joanna's posts and comments address this.

John Ward said...

If i was an intruder with the motivation to bribe maids to let me in to install key stealers, then chances are pretty good that I'm also motivated enough to "brute force" the user as well. broken fingers are an amazing tool in pain compliance. Physical security is always the weakest link in the chain. It's a cool POC though.

John Ward said...

forgot to mention, if its a girl, they could always use their feminine wiles to get that password. might have a higher rate of success too.

Anonymous said...

it is pointless to fight against physical attacks, if they have physical access to your pc, you will be powned

IBM Laptop Motherboards said...

I think this is a clear reason why 1) hotels stress the fact that they are not responsible for items left in the rooms, and 2) Why there are increasingly larger safes in the rooms now. Call me paranoid, but I am one of those people who hides everything that is of value in an area that the maid has no place being. Most of the time I do not even allow the maid in unless absolutely necessary. This is the only way to guarantee that your belongings are safe.

Richard Bejtlich said...

I hope readers understand that the "maid" isn't the problem here... it's anyone who might enter a room when he or she is not authorized, i.e., someone who really wants to steal your data.

Also, such a party doesn't want the victim to know that the victim has lost his data.

John Ward said...

That depends entirely on the scenario and the value of the data. A juicy bit of information used for insider trading might warrant less descretion on the part of the adversary than a buisiness competitor stealing trade secrets. It also depends on the consequences. A state sponsored, forign actor has less to lose than a native employee of a competitor who can face jail time.

I understand the point, that Truecrypt lacks the appropriate protections against tampering of a host machine to protect the encrypted data. 0 trust in protecting your data means you might want to consider another product or method. My point is that if they did implement the checks suggested, there are still ways to get that password.

Dr Anton Chuvakin said...

Whenever I read smth as fun as this, I always wonder: has the world of security really split in two pieces? One piece has to GENUINELY worry about "evil maid-"style attacks while the other has to be told 1000 times to update that anti-virus and deploy that Windows patch from 2007....

This just cannot end well :-(

Sven Türpe said...

The preventive effect of a TPM on evil maid attacks is pretty limited. Even with TPM-supported disk encryption, our evil maid can install a hardware key logger; manipulate boot code and spoof password prompts; and replace the entire computer with a different machine.