An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device, or the data on it.
The name refers to the scenario where a maid could subvert a device left unattended in a hotel room – but the concept itself also applies to situations such as a device being intercepted while in transit, or taken away temporarily by airport or law enforcement personnel.
In a 2009 blog post, security analyst Joanna Rutkowska coined the term "Evil Maid Attack" due to hotel rooms being a common place where devices are left unattended.[1] [2] The post detailed a method for compromising the firmware on an unattended computer via an external USB flash drive – and therefore bypassing TrueCrypt disk encryption.[2]
D. Defreez, a computer security professional, first mentioned the possibility of an evil maid attack on Android smartphones in 2011. He talked about the WhisperCore Android distribution and its ability to provide disk encryption for Androids.
In 2007, former U.S. Commerce Secretary Carlos Gutierrez was allegedly targeted by an evil maid attack during a business trip to China.[3] He left his computer unattended during a trade talk in Beijing, and he suspected that his device had been compromised. Although the allegations have yet to be confirmed or denied, the incident caused the U.S. government to be more wary of physical attacks.
In 2009, Symantec CTO Mark Bregman was advised by several U.S. agencies to leave his devices in the U.S. before travelling to China.[4] He was instructed to buy new ones before leaving and dispose of them when he returned so that any physical attempts to retrieve data would be ineffective.
The attack begins when the victim leaves their device unattended.[5] The attacker can then proceed to tamper with the system. If the victim's device does not have password protection or authentication, an intruder can turn on the computer and immediately access the victim's information.[6] However, if the device is password protected, as with full disk encryption, the firmware of the device needs to be compromised, usually done with an external drive. The compromised firmware then provides the victim with a fake password prompt identical to the original. Once the password is input, the compromised firmware sends the password to the attacker and removes itself after a reboot. In order to successfully complete the attack, the attacker must return to the device once it has been unattended a second time to steal the now-accessible data.[7]
Another method of attack is through a DMA attack in which an attacker accesses the victim's information through hardware devices that connect directly to the physical address space. The attacker simply needs to connect to the hardware device in order to access the information.
See also: Phishing. An evil maid attack can also be done by replacing the victim's device with an identical device. If the original device has a bootloader password, then the attacker only needs to acquire a device with an identical bootloader password input screen. If the device has a lock screen, however, the process becomes more difficult as the attacker must acquire the background picture to put on the lock screen of the mimicking device. In either case, when the victim inputs their password on the false device, the device sends the password to the attacker, who is in possession of the original device. The attacker can then access the victim's data.
Legacy BIOS is considered insecure against evil maid attacks.[8] Its architecture is old, updates and Option ROMs are unsigned, and configuration is unprotected. Additionally, it does not support secure boot. These vulnerabilities allow an attacker to boot from an external drive and compromise the firmware. The compromised firmware can then be configured to send keystrokes to the attacker remotely.
Unified Extensible Firmware Interface (UEFI) provides many necessary features for mitigating evil maid attacks. For example, it offers a framework for secure boot, authenticated variables at boot-time, and TPM initialization security. Despite these available security measures, platform manufacturers are not obligated to use them. Thus, security issues may arise when these unused features allow an attacker to exploit the device.
Many full disk encryption systems, such as TrueCrypt and PGP Whole Disk Encryption, are susceptible to evil maid attacks due to their inability to authenticate themselves to the user.[9] An attacker can still modify disk contents despite the device being powered off and encrypted. The attacker can modify the encryption system's loader codes to steal passwords from the victim.
The ability to create a communication channel between the bootloader and the operating system to remotely steal the password for a disk protected by FileVault 2, is also explored.[10] On a macOS system, this attack has additional implications due to "password forwarding" technology, in which a user's account password also serves as the FileVault password, enabling an additional attack surface through privilege escalation.
See main article: Thunderspy. In 2019 a vulnerability named "Thunderclap" in Intel Thunderbolt ports found on many PCs was announced which could allow a rogue actor to gain access to the system via direct memory access (DMA). This is possible despite use of an input/output memory management unit (IOMMU).[11] [12] This vulnerability was largely patched by vendors. This was followed in 2020 by "Thunderspy" which is believed to be unpatchable and allows similar exploitation of DMA to gain total access to the system bypassing all security features.[13]
Any unattended device can be vulnerable to a network evil maid attack. If the attacker knows the victim's device well enough, they can replace the victim's device with an identical model with a password-stealing mechanism. Thus, when the victim inputs their password, the attacker will instantly be notified of it and be able to access the stolen device's information.
One approach is to detect that someone is close to, or handling the unattended device.Proximity alarms, motion detector alarms, and wireless cameras, can be used to alert the victim when an attacker is nearby their device, thereby nullifying the surprise factor of an evil maid attack.[14] The Haven Android app was created in 2017 by Edward Snowden to do such monitoring, and transmit the results to the user's smartphone.[15]
In the absence of the above, tamper-evident technology of various kinds can be used to detect whether the device has been taken apart – including the low-cost solution of putting glitter nail polish over the screw holes.[16]
After an attack has been suspected, the victim can have their device checked to see if any malware was installed, but this is challenging. Suggested approaches are checking the hashes of selected disk sectors and partitions.[2]
If the device is under surveillance at all times, an attacker cannot perform an evil maid attack. If left unattended, the device may also be placed inside a lockbox so that an attacker will not have physical access to it. However, there will be situations, such as a device being taken away temporarily by airport or law enforcement personnel where this is not practical.
Basic security measures such as having the latest up-to-date firmware and shutting down the device before leaving it unattended prevent an attack from exploiting vulnerabilities in legacy architecture and allowing external devices into open ports, respectively.
CPU-based disk encryption systems, such as TRESOR and Loop-Amnesia, prevent data from being vulnerable to a DMA attack by ensuring it does not leak into system memory.[17]
TPM-based secure boot has been shown to mitigate evil maid attacks by authenticating the device to the user.[18] It does this by unlocking itself only if the correct password is given by the user and if it measures that no unauthorized code has been executed on the device. These measurements are done by root of trust systems, such as Microsoft's BitLocker and Intel's TXT technology. The Anti Evil Maid program builds upon TPM-based secure boot and further attempts to authenticate the device to the user.