Evil Maid attacks, named by Joanna Rutkowska, refer to scenarios that affect device integrity. This includes gaining unauthorised physical access to an unattended device with the purpose of changing, stealing or selling the information found on the device; and hackers selling ‘brand new’ laptops containing pre-loaded keyloggers or malware to unsuspecting victims.
Although the opportunities for this type of attack are limited, a physical attack can have a profound impact on a company. A skilled Evil Maid can bypass the login credentials and encryption of most corporate laptops within 30 seconds, so an employee or member of the C-suite only needs to be distracted for a minute for the attacker to gain access to your sensitive data.
The main targets of these sophisticated attacks are company executives, government officials and journalists, as their devices are the most likely to contain valuable data.
A typical Evil Maid attack goes as follows:
1. The Evil Maid boots the unattended device from a compromised bootloader on a USB drive. They can also bypass security controls by installing malware on the device, or simply by typing in a password captured by hidden cameras in the room.
2. The attacker installs a keylogger, which records the encryption key the next time it is entered on the device, and shuts the computer down. The captured key is either sent to the attacker over the internet or stored in a hidden location for later retrieval.
3. Once the owner has unlocked the device, the Evil Maid revisits it to retrieve the keylogger, which now holds the encryption key, and removes all traces of their interference during the same visit. Alternatively, they can swap the device for an identical copy without the victim's knowledge.
4. The attacker is now free to remotely access all of the device's data.
Why Does it Matter?
In this emerging era of collaboration among hackers, firmware rootkits are readily available to amateur attackers on the Dark Web, increasing the likelihood of an attack.
Most devices were not designed with physical security built in, but a variety of apps now exist that can notify users when their devices are being physically accessed.
Other ways an individual can reduce their chances of being attacked by an Evil Maid include:
- Never leaving their devices and USBs unattended.
- Shutting down devices after use.
- Avoiding unknown USBs and hard drives.
- Ensuring that patch updates are applied without delay.
- Enabling input-output memory management unit (IOMMU) features.
- Enforcing secure boot protection and changing encryption keys regularly.
- Using strong passwords and changing them often.
- Enabling multi-factor authentication.
- Only booting the system from the hard drive.
- Setting up alerts and passwords for hardware changes.
- Using burner devices when travelling in high-risk areas where attacks are commonplace.
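Several of the items above (enforcing secure boot, enabling the IOMMU, and alerting on hardware or boot-chain changes) can be checked from the operating system once it is running. The script below is an added example written for this page, not code from the original article: it decodes the UEFI SecureBoot variable as Linux exposes it through efivarfs, checks whether the kernel has populated any IOMMU groups, and diffs a SHA-256 baseline of boot components against a later snapshot so that a modified initramfs or an unexpected extra boot entry raises an alert. The efivarfs and sysfs paths are real Linux paths; the component file names and byte contents in the demo are constructed sample data.

```python
"""Boot-integrity checks for the Evil Maid mitigations above (added example).

Covers three defensive checks: Secure Boot state, IOMMU state, and a hash
baseline of boot components that alerts on any change between boots.
"""
import hashlib
import os
import struct
from typing import Dict, Iterable, List, Optional

# Real efivarfs path of the SecureBoot variable; the GUID is the EFI global variable namespace.
SECUREBOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Real sysfs directory: the kernel creates one subdirectory per IOMMU group when an IOMMU is active.
IOMMU_GROUPS_DIR = "/sys/kernel/iommu_groups"


def parse_efivar_secureboot(raw: bytes) -> Optional[bool]:
    """Decode the efivarfs blob for SecureBoot.

    efivarfs prefixes every variable with a 4-byte little-endian attribute word;
    the SecureBoot data that follows is a single byte (1 = enabled, 0 = disabled).
    Returns None for a malformed blob so a caller never mistakes garbage for "enabled".
    """
    if len(raw) < 5:
        return None
    (_attributes,) = struct.unpack("<I", raw[:4])  # attributes are not needed for the decision
    return raw[4] == 1


def secure_boot_enabled(path: str = SECUREBOOT_EFIVAR) -> Optional[bool]:
    """True/False for Secure Boot, or None when the variable is unreadable (e.g. legacy BIOS)."""
    try:
        with open(path, "rb") as f:
            return parse_efivar_secureboot(f.read())
    except OSError:
        return None


def iommu_active(groups_dir: str = IOMMU_GROUPS_DIR) -> bool:
    """An IOMMU is in use when the kernel has populated at least one IOMMU group."""
    return os.path.isdir(groups_dir) and len(os.listdir(groups_dir)) > 0


def read_components(paths: Iterable[str]) -> Dict[str, bytes]:
    """Read boot files from disk (kernel, initramfs, EFI shim) as name -> raw bytes."""
    components = {}
    for p in paths:
        with open(p, "rb") as f:
            components[p] = f.read()
    return components


def hash_components(components: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 each boot component to build (or refresh) a baseline to store off-device."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two hash tables. Changed, added and missing entries are all alerts: a
    tampered boot chain may modify a file, add an extra boot entry, or remove a check."""
    return {
        "changed": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def is_clean(report: Dict[str, List[str]]) -> bool:
    """True when no component changed, appeared or disappeared."""
    return not any(report.values())


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a baseline from a trusted boot, then a later snapshot in
    which the initramfs differs and an unexpected extra boot entry has appeared."""
    trusted = {
        "/boot/efi/EFI/BOOT/BOOTX64.EFI": b"constructed-shim-image",
        "/boot/vmlinuz": b"constructed-kernel-image",
        "/boot/initrd.img": b"constructed-initramfs",
    }
    later = dict(trusted)
    later["/boot/initrd.img"] = b"constructed-initramfs-with-extra-hook"
    later["/boot/efi/EFI/BOOT/grubx64-old.efi"] = b"constructed-unexpected-entry"
    return compare_baseline(hash_components(trusted), hash_components(later))


if __name__ == "__main__":
    print("Secure Boot:", secure_boot_enabled(), "| IOMMU active:", iommu_active())
    report = demo()
    print("boot chain clean" if is_clean(report) else f"ALERT: {report}")
```

On a real host, the baseline is produced with `hash_components(read_components([...]))` on a known-good boot and kept somewhere the device cannot alter (a printout, a phone, a server), since a baseline stored on the same disk can be rewritten by whoever tampered with the boot files. A keylogger dropped into the initramfs shows up as a `changed` entry, and a new loader file as an `added` one; a `None` from `secure_boot_enabled()` means the check could not be made and should be treated as a finding rather than a pass.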