"Protect the Data" from the Evil Maid


I recently posted "Protect the Data" from Whom?. I wrote:

[P]rivate citizens (and most organizations who are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat.

Joanna Rutkowska provides a great example of the importance of knowing the adversary in her post Evil Maid goes after TrueCrypt!, a follow-up to her January post Why do I miss Microsoft BitLocker?

Her post describes how she and Alex Tereshkin implemented a physical attack against laptops with TrueCrypt full disk encryption. They implemented the attack (called "Evil Maid") as a bootable USB image that an intruder would use to boot a target laptop. Evil Maid hooks the TrueCrypt function that asks the user for a passphrase on boot, then stores the passphrase for later physical retrieval.

The scenario is this:

  1. User leaves laptop alone in hotel room.

  2. Attacker enters room, boots laptop with Evil Maid, and compromises TrueCrypt loader. Attacker leaves.

  3. User returns to hotel room, boots laptop, enters TrueCrypt passphrase. Game over.

  4. User leaves laptop alone in hotel room again.

  5. Attacker enters room again, boots laptop with Evil Maid again, and retrieves passphrase.


Joanna recommends implementing a product that supports Trusted Platform Module (TPM), like Microsoft BitLocker. A detection-oriented workaround is to calculate hashes of selected disk sectors and partitions and decide that mismatches indicate an intrusion has occurred. That approach still misses BIOS-based attacks but it's the best one can do without TPM support.

Comments

Mike Rothman said…
More likely the Evil Maid is going to poach the laptop and sell it on the gray market for $50. Security researchers spend a lot of time on these edge cases, while the soft chewy center is still where most of the problems are.

I'm not saying that understanding the soft targets within the devices and operating systems we use isn't important. But it's a big world out there and these attack vectors just don't seem very likely to me.

We are better served to fill the gaping holes before we worry about evil maids.

Mike Rothman
http://blog.securityincite.com
http://blog.eiqnetworks.com
8:36 AM
Anonymous said…
Wouldn't this be defeated by using a keyfile? If the keyfile is on a usb flash drive that you keep with you, then the passphrase alone would do no good.
I haven't used TC's full disk encryption yet. Does it support key files the same way as it does for encrypted volumes?

-oldami
9:50 AM
Richard Bejtlich said…
oldami, Joanna's posts and comments address this.
2:03 PM
John Ward said…
If i was an intruder with the motivation to bribe maids to let me in to install key stealers, then chances are pretty good that I'm also motivated enough to "brute force" the user as well. broken fingers are an amazing tool in pain compliance. Physical security is always the weakest link in the chain. It's a cool POC though.
7:44 PM
John Ward said…
forgot to mention, if its a girl, they could always use their feminine wiles to get that password. might have a higher rate of success too.
7:57 PM
Anonymous said…
it is pointless to fight against physical attacks, if they have physical access to your pc, you will be powned
4:24 AM
IBM Laptop Motherboards said…
I think this is a clear reason why 1) hotels stress the fact that they are not responsible for items left in the rooms, and 2) Why there are increasingly larger safes in the rooms now. Call me paranoid, but I am one of those people who hides everything that is of value in an area that the maid has no place being. Most of the time I do not even allow the maid in unless absolutely necessary. This is the only way to guarantee that your belongings are safe.
11:16 AM
Richard Bejtlich said…
I hope readers understand that the "maid" isn't the problem here... it's anyone who might enter a room when he or she is not authorized, i.e., someone who really wants to steal your data.

Also, such a party doesn't want the victim to know that the victim has lost his data.
11:44 AM
John Ward said…
That depends entirely on the scenario and the value of the data. A juicy bit of information used for insider trading might warrant less descretion on the part of the adversary than a buisiness competitor stealing trade secrets. It also depends on the consequences. A state sponsored, forign actor has less to lose than a native employee of a competitor who can face jail time.

I understand the point, that Truecrypt lacks the appropriate protections against tampering of a host machine to protect the encrypted data. 0 trust in protecting your data means you might want to consider another product or method. My point is that if they did implement the checks suggested, there are still ways to get that password.
1:37 PM
Anton Chuvakin said…
Whenever I read smth as fun as this, I always wonder: has the world of security really split in two pieces? One piece has to GENUINELY worry about "evil maid-"style attacks while the other has to be told 1000 times to update that anti-virus and deploy that Windows patch from 2007....

This just cannot end well :-(
9:57 PM
Sven Türpe said…
The preventive effect of a TPM on evil maid attacks is pretty limited. Even with TPM-supported disk encryption, our evil maid can install a hardware key logger; manipulate boot code and spoof password prompts; and replace the entire computer with a different machine.
6:37 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more