"Evil Maid" attack against disk encryption [LWN.net]

By Jake Edge
October 28, 2009

Physical security is important. The "Evil Maid" attack serves as a reminder that briefly allowing a laptop out of your control, even with an encrypted hard disk, means that all security bets are off—the machine should be considered potentially compromised. Obviously different users have different levels of paranoia about their data security, but the Evil Maid attack shows just how simple it can be for others to access your data.

There is nothing particularly new in the proof-of-concept (PoC) attack against TrueCrypt disk encryption software, but the simplicity of the approach should give one pause. Joanna Rutkowska described the attack back in January, but the need for physical computer security goes back much further than that. But, folks are less wary of physical attacks against laptops today because of whole-disk encryption. Rutkowska's PoC, along with last year's report on "cold boot" attacks, should make it clear that encryption—at least without some kind of Trusted Platform Module (TPM) support—is not a complete solution

The basic idea behind Evil Maid is that someone gets access to a laptop for a fairly short period of time (a few minutes), and, in that time, boots it from a USB key. One obvious vector is a hotel maid (or someone acting as one), who enters someone's room while they are out to dinner, which is what gives the attack its name. The USB key contains a payload that hooks the TrueCrypt password prompting code and stores the last password entered. The payload gets added to the Master Boot Record (MBR) of the laptop so that it becomes active on the next boot.

While it has not been implemented in the PoC, there is no reason that the malware couldn't send the password off via the network; currently it just reports it back the next time the Evil Maid USB key is booted. That would require the attacker to access the laptop twice—with its user typing in the encryption key in between—but a multi-day hotel stay would give ample opportunity for that to occur.

As Bruce Schneier points out, this attack is in no way limited to TrueCrypt, as other solutions suffer from the same vulnerabilities. Both Schneier and Rutkowska look at some potential workarounds, but, in the final analysis, physical access allows an attacker too many ways around these security measures. Even Trusted Computing, with appropriate TPM hardware, can succumb to certain kinds of attacks.

Microsoft's BitLocker drive encryption uses the TPM, which provides reasonable assurance that the right code is being booted, but even that can fall prey to Evil Maid-style attacks, as Rutkowska describes:

Namely the Evil Maid for Bitlocker would have to display a fake Bitlocker prompt (that could be identical to the real Bitlocker prompt), but after obtaining a correct password from the user Evil Maid would not be able to pass the execution to the real Bitlocker code, as the SRTM [Static Root of Trust Measurement] chain will be broken. Instead, Evil Maid would have to pretend that the password was wrong, uninstall itself, and then reboot the platform. Thus, a Bitlocker user that is confident that he or she entered the correct password, but the OS didn't boot correctly, should destroy the laptop.

Rutkowska also describes a "Poor Man's Solution" which calculates hashes of various unencrypted portions of the disk (especially the MBR). The Disk Hasher is a bootable Linux-based USB key that calculates and stores the hashes on the USB key, as well as verifying the correct hashes prior to booting. As she points out, it only protects against disk-based attacks—BIOS reflashing would subvert Disk Hasher.

Requiring a password in the BIOS before booting is another possible workaround, but one that may not provide as much security as it at first seems. BIOS reflashing is one possible attack, but an easier—though more time-consuming than the "standard" Evil Maid attack—method would be to remove the disk, attach it to another laptop and install the necessary code. It also adds complexity to the attack, but the 5-15 minutes needed to swap out a laptop hard disk is not all that difficult to come by in the hotel scenario.

This PoC, along with other attacks against encrypted disks, is very useful to remind users that hard disk encryption is no panacea. You still must consider which kinds of threats you are trying to protect against. Disk encryption is great for preventing accidental disclosure of private information when someone steals a laptop, but is much less useful for an attack that is focused on accessing the data on a particular laptop. Much like internet security, fairly straightforward protection techniques are fine to thwart the random attacker but are probably insufficient for one who is focused on subverting your defenses in particular.

(Log in to post comments)

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 6:59 UTC (Thu) by sitaram (subscriber, #5959) [Link]

This won't work if you use on-disk encryption, like some of the newer hard drives. You can't write the payload (or indeed anything) to the disk without knowing the password or (possibly) destroying all the contents anyway.

I've heard people say that these sorts of encryptions do not have too much entropy and/or people use weak or guessable passwords, but it's still a pretty good extra layer of security on top of whatever else you may be doing, and at least it makes it *feasible* (if you're sufficiently paranoid and disciplined) to protect your self.

About the only thing that would cause concern here is a backdoor left in the hard disk, for "technical support" reasons or at the behest of agencies with 3-letter acronyms :-) I wouldn't rule out that possibility.

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 22:55 UTC (Thu) by diederich (subscriber, #26007) [Link]

I think a talented "Evil Maid" could install a keyboard logger into a laptop in a few minutes.

"Evil Maid" attack against disk encryption

Posted Oct 30, 2009 0:30 UTC (Fri) by sitaram (subscriber, #5959) [Link]

Certainly, but that takes the attack into a different realm, was always possible anyway, and was always conceptually much easier and cleaner.

Grammar nitpick

Posted Nov 2, 2009 22:04 UTC (Mon) by roelofs (guest, #2599) [Link]

"This PoC ... are very useful" is even more painful. ;-)

(These things work better if you mail them to lwn@, btw.)

Greg

Grammar nitpick

Posted Nov 2, 2009 22:25 UTC (Mon) by jake (editor, #205) [Link]

> (These things work better if you mail them to lwn@, btw.)

ah yes, i somehow had missed the parent comment ... all fixed, including the one you emailed, Greg.

i should take the grumpy guy's advice and not try to write articles on Wednesday :)

thanks!

jake

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 12:12 UTC (Thu) by cesarb (subscriber, #6266) [Link]

Another theoretical way to defend against "hardware keylogger" attacks would be for the system to be always on, and detect attempts to attack it (it could detect keyboards being temporarily removed to install a keylogger in the middle of the cable, hard disks being removed to tamper with their boot sectors, new malicious hardware being added, or even physical movement of the computer using accelerometers).

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 15:00 UTC (Thu) by drag (subscriber, #31333) [Link]

If a normal PC was left on then it makes it even easier to grab passwords.

If your using a laptop, for example, any device that you plug into it that implements DMA access can trivially retrieve your password. Like a firewire cardbus card or something like that. Plug that in, Linux detects it and configures it, and the attacker uses a separate PC running Linux to communicate over the firewire and send DMA requests to systematically shift through your memory until it finds the encryption key.

Even if you block against autodetecting hardware your RAM is still removable so that if the attacker is quick they can pull your RAM out of your machine and then read it before the memory goes all random on them.

And there are other attacks besides that.

Now this is with actual hardware you can actually buy. Theoretically if you have some sort of physical resistant hardware then that may help. For example you can currently purchase hardddrives that have self-destruct mechanisms that get set off if they are tampered with... doing such things as spraying the drive internals with acid mist to etch the platters. So you can do all sorts of stuff theoretically if the hardware supports it, but right now that is not typical consumer hardware most of us can afford.

---------------------------------

Now I can't believe people are avoiding obvious solutions to this particular attack (were they install a trojaned bootloader):

TAKE YOUR BOOTLOADER WITH YOU.

This is Linux. You don't have to boot off of internal media if you don't want to. Use a USB stick and boot from that and take that with you.

Or just take the laptop with you were ever you go. If it is a small device like a "open Linux smartphone" or a netbook that can adequately meet your needs then you can just keep it on your person.

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 15:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

"If your using a laptop, for example, any device that you plug into it that implements DMA access can trivially retrieve your password. Like a firewire cardbus card or something like that."

Not anymore. New platforms (including notebooks) have IOMMU, which separates each device into its own memory protection domain.

"TAKE YOUR BOOTLOADER WITH YOU."

Won't work. 'Evil maid' can infect your BIOS, so your whole Linux will run after 'evil' code is executed. Which can install backdoors into SMM, for example.

In short, TPM is the only real solution. You _need_ to have a hardware you trust as the base of the 'trust chain'.

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 20:31 UTC (Thu) by drag (subscriber, #31333) [Link]

No.

Even if your using TPM the hardware can still be subverted if you allow
physical access to it. TPM does not solve any "evil maid" related issue
that putting the bootloader in removable media won't solve, except maybe
the BIOS thing.

TPM is useful for detection of problems with malicious software in your
bootloader and kernel. That way you can establish a chain of trust from
initial boot-up to running the OS. This allows you to hash every element
from the BIOS on upwards. This way you can reliably detect things like
rootkits by a simple reboot, which is impossible otherwise. Previously to
TPM you had to use a tool like tripwire or other host-based IDS while the
system was offline (like you were booted up in a live cd) and comparing
that result with last known good hash is the only reliable way to combat
rootkits. TPM can reduce the complexity, expense, and difficulty of that
considerably.

It is not really designed to secure your machine from physical access.

------------------------------------

Really the only solution using current technology is just not to leave your
stuff were other people have access to it when your not around.

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 18:57 UTC (Thu) by bronson (subscriber, #4806) [Link]

But once you plug your USB key back into your compromised laptop, you're boned.

There's simply no way around it: once you give an attacker physical access, you give him the kingdom.

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 21:29 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

You could use one-time passwords. That would defeat any attempt to simply read the password and store/transmit it for later use. Getting around that would require hardware changes or some kind of resident hypervisor to gain access to the new password.

This obviously assumes that the current password can't be used to gain access to a more permanent key. The permanent key could be made so bulky that it can't be stored in the MBR, and that getting it off the system by other means would take a noticeable amount of time. Or you could re-encrypt the entire disk with the new password every time, and not have a permanent key...

You could also make the encryption hardware external to the main system, and never expose the permanent key to the computer itself at all. That eliminates the need to re-encrypt, but the device has to be tamper-proof (or you have to carry it around all the time). Good built-in drive encryption would qualify, but only if you can change the password of an unlocked drive without clearing it.

"Evil Maid" attack against disk encryption

Posted Oct 30, 2009 2:11 UTC (Fri) by bronson (subscriber, #4806) [Link]

> You could use one-time passwords

If you enter your one-time password on a subverted system, the attacker suddenly has access to all your data. He only needs access once.

> Or you could re-encrypt the entire disk

Not if your system is subverted. Sure, it would appear to you that everything is being re-encrypted, but in reality the back door the maid slipped will be used to copy everything the next time you leave your computer behind. (this is just one scenario, the attacker could also weaken the encryption algo, ship your data out over the network, etc etc)

> You could also make the encryption hardware external to the main system

Perhaps, but this doesn't exist today and sounds awfully expensive to develop.

"Evil Maid" attack against disk encryption

Posted May 6, 2010 23:18 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

> If you enter your one-time password on a subverted system, the attacker suddenly has access to all your data. He only needs access once.

All your *current* data, yes; I don't see a way around that. The idea was to protect any future data you may put on the device from a different host PC.

> Not if your system is subverted.

The idea was to remove the USB key and re-encrypt it on a known-clean system, not re-encrypt on the compromised PC. Again, this is to protect against future unauthorized access, not to protect any data which may have already been exposed.

> Perhaps, but this doesn't exist today and sounds awfully expensive to develop.

I don't think it would be all that expensive; it's basically just a TPM chip with some trivial input hardware for the password. Internal hard-disk encryption exists today, though I don't know if it's any good. The drives I know of with that feature require full re-encryption to change the password, if they support it at all, but that wouldn't be hard to fix.

My scheme does not seem to be vulnerable

Posted Oct 29, 2009 18:59 UTC (Thu) by bronson (subscriber, #4806) [Link]

This sounds really interesting and useful. Do you have an articles or blog posts that describe your setup?

My scheme does not seem to be vulnerable

Posted Oct 30, 2009 17:02 UTC (Fri) by NAR (subscriber, #1313) [Link]

The Evil (and Determined) Maid then installs a logger on the BIOS which captures the key from the USB flash drive and from the keyboard...

"Evil Maid" doesn't care about your passwords -- watch out for the thieves though

Posted Oct 29, 2009 17:35 UTC (Thu) by zzxtty (subscriber, #45175) [Link]

"Just lock your valuables in a room's safe before you leave the room!"

I suspect a lot of this paranoia is directed at people visiting China and the idea of state sponsored industrial espionage. In such a case you cannot trust the hotel room safe, in fact you cannot trust anything.

Take your own hardened case and 50 or so quality padlocks?

"Evil Maid" attack against disk encryption

Posted Nov 6, 2009 13:46 UTC (Fri) by robbe (subscriber, #16131) [Link]

You can't trust your computer after the Evil Maid touched it. It may very
well post your Valuable Secrets to wikileaks once you plugged in your
memory stick containing it.

"Evil Maid" attack against disk encryption

Posted Nov 26, 2009 19:07 UTC (Thu) by mcortese (guest, #52099) [Link]

I read the original article, and found the comments particularly interesting. I also think Joanna was a little too severe with those proposing alternative protection schemes against the attack.

For example, keeping the /boot partition in a removable media that you carry with you all the time, does help. Nonetheless such proposal was dismissed as ineffective because it still allows for a BIOS infection.

Now, if I correctly understood the aim of the article, it was not to prove that your hardware is prone to attacks if left unattended, but rather how simple and quick these can be. Re-flashing a BIOS is in no way comparable to plugging in a USB drive and pressing the power button!

Before Joanna's article and proof of concept, we were tempted to overestimate the security level that Full Disk Encryption could grant us. Thank her for the enlightenment. Does this mean that FDE is useless? I don't think so. Alone it is not enough, but with appropriate side measures (like removable /boot) it can secure our system to a reasonable level.