What does evil maid attack mean?

10 May 2019

Evil Maid attacks, named by Joanna Rutkowska, refer to scenarios that affect device integrity. This includes gaining unauthorised physical access to an unattended device with the purpose of changing, stealing or selling the information found on the device; and hackers selling ‘brand new’ laptops containing pre-loaded keyloggers or malware to unsuspecting victims.

Although the opportunities for this type of attack are limited, physical attacks can have a profound impact on the company. Skilled Evil Maids are able to bypass the login credentials and encryption of most corporate laptops within 30 seconds, so all it takes is for an employee or member of the C-suite to be distracted for a minute for them to gain access to your sensitive data.

The main targets of these sophisticated attacks are company executives, government officials and journalists, as their devices are the most likely to contain valuable data.

A typical Evil Maid attack goes as follows:

  1. The Evil Maid will boot up the unattended device from a compromised bootloader (USB). They can also bypass security systems by installing malware onto the device or by simply typing in the password captured on hidden cameras within the room.

  2. The attacker then installs a keylogger, which records the encryption key once entered on the device, and shuts the computer down. The encryption key can either be sent to the hacker via the internet or stored in a hidden location for retrieval.

  3. Once the owner has unlocked the hardware, the Evil Maid can revisit the device to retrieve the keylogger, which now contains the encryption key. During this visit the Evil Maid will remove all traces of their interference. Alternatively, they can replace the device with an identical copy without the victim’s knowledge.

  4. The hacker is now free to remotely access all of the device’s data.

Sign up to our latest  news & insights Sign up to our latest  news & insights

Why Does it Matter?

In this emerging era of collaboration among hackers, firmware rootkits are now readily accessible for amateur hackers on the Dark Web for ease of access, thus increasing the likelihood of attack.

Most devices were not designed with physical security built in, but a variety of apps that are able to notify users when their devices are being physically accessed now exist.

Other ways an individual can reduce their chances of being attacked by an Evil Maid include:

  • Never leaving their devices and USBs unattended.
  • Shutting down devices after use.
  • Avoiding unknown USBs and hard drives.
  • Ensuring that patch updates are applied without delay.
  • Enabling input-output memory management unit (IOMMU) features.
  • Enforcing secure boot protection and changing encryption keys regularly.
  • Using strong passwords and changing them often.
  • Enabling multi-factor authentication.
  • Only booting the system from the hard drive.
  • Setting up alerts and passwords for hardware changes.
  • Using burner devices when travelling in high risk areas where attacks are commonplace.


  • Sarah StephensSarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 3394 0486.

  • For more articles like this, download our Cyber Decoder

    Share this article