"Protect the Data" from the Evil Maid
I recently posted "Protect the Data" from Whom?. I wrote:
[P]rivate citizens (and most organizations who are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat.
Joanna Rutkowska provides a great example of the importance of knowing the adversary in her post Evil Maid goes after TrueCrypt!, a follow-up to her January post Why do I miss Microsoft BitLocker?
Her post describes how she and Alex Tereshkin implemented a physical attack against laptops with TrueCrypt full disk encryption. They implemented the attack (called "Evil Maid") as a bootable USB image that an intruder would use to boot a target laptop. Evil Maid hooks the TrueCrypt function that asks the user for a passphrase on boot, then stores the passphrase for later physical retrieval.
The scenario is this:
- User leaves laptop alone in hotel room.
- Attacker enters room, boots laptop with Evil Maid, and compromises TrueCrypt loader. Attacker leaves.
- User returns to hotel room, boots laptop, enters TrueCrypt passphrase. Game over.
- User leaves laptop alone in hotel room again.
- Attacker enters room again, boots laptop with Evil Maid again, and retrieves passphrase.
Joanna recommends implementing a product that supports Trusted Platform Module (TPM), like Microsoft BitLocker. A detection-oriented workaround is to calculate hashes of selected disk sectors and partitions and decide that mismatches indicate an intrusion has occurred. That approach still misses BIOS-based attacks but it's the best one can do without TPM support.