As a proponent of encryption and security, I advocate the use of full-disk encryption (FDE) on any and every laptop computer. Used properly, it leaves your data thoroughly protected against nearly any belligerent third party. The problem is that full-disk encryption is no panacea: unless you understand the risks it does not cover, FDE may alter your behavior and leave you open to other attacks, like the “Evil Maid.”
Vulnerabilities? What vulnerabilities?
This is purely a user-behavior problem: the user, having employed full-disk encryption, feels invulnerable. In his mind, he has done everything right:
- He has installed a first-tier, commercially sound FDE package like TrueCrypt or PGP.
- He has chosen a strong passphrase that is known to no other person.
- He has physically powered off the machine (thus requiring a passphrase before it so much as boots).
The problem is that full-disk encryption of any sort does not obviate physical security. FDE protects data at rest: the encrypted volume is useless to someone who steals the powered-off machine or pulls its disk. But the code that prompts for the passphrase and decrypts the disk must itself sit on the disk unencrypted, where anyone who can boot the machine can replace it. There is a standing rule in computer security: physical access to a computer renders other security measures moot. Overconfidence in FDE leads one to forget this rule, and the Evil Maid attack exploits exactly that.
The Evil Maid attack
The attack is so-named from a hypothetical exercise: you have left your TrueCrypt-encrypted laptop in your hotel room, and while away the attacker has masqueraded as (or bribed) a hotel maid to perform the attack.
All the attack requires are a few undisturbed minutes, physical access to your computer, and the right software. Booting your computer from a prepared USB stick, the attacker replaces the disk’s unencrypted bootloader with a modified version that hooks TrueCrypt’s passphrase-entry code and records your decryption passphrase as you type it. The recorded passphrase is stashed where the attacker can retrieve it on a second visit; with the passphrase and the disk in hand, the encryption is defeated.
Lest you think the attack is purely hypothetical, it isn’t: a working, downloadable attack exists for TrueCrypt-encrypted computers.
The fix: never surrender physical access
The attack could have been prevented by never surrendering physical access. The victim could have kept the laptop on his person, or locked it in a safe of some kind that only he could open. (Note: neither the in-room hotel safe nor the front-desk safe qualifies, as neither is 100% trustworthy.)
It’s also important to note that once physical security has been compromised, the laptop is no longer trustworthy: it must be considered compromised and completely wiped, bootloader included. This attack could spell disaster for traveling businesspeople with trade secrets or other sensitive information on their computers; such individuals would be wise never to let their vigilance slip, nor to carry extraneous sensitive information on their portable machines.
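If you must decide whether a laptop that left your sight has been tampered with, the one thing the Evil Maid attack necessarily changes is the unencrypted boot region. The following is an added example, not code from the original post or from TrueCrypt: it records a SHA-256 digest of the first track of the disk while the machine is known-good and later compares the live disk against it. The baseline must live off the machine, and the check must be run from boot media you carry, before the passphrase is typed, since a compromised loader can lie about its own contents. The 63-sector region size, the file names, and the constructed disk image in `demo()` are assumptions for illustration.

```python
"""Integrity check for the unencrypted pre-boot region of an FDE disk.

Added example, not from the original post or from TrueCrypt. The Evil Maid
payload lives in the unencrypted boot loader, so a digest of that region taken
while the disk is known-good, and kept off the machine (on the USB stick you
boot the check from), exposes a later swap. Region size and file names are
assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile

# TrueCrypt's system boot loader occupies the MBR plus the rest of the first
# track: 63 sectors of 512 bytes on classic geometry (assumption; adjust to
# the layout actually in use).
SECTOR = 512
BOOT_REGION_BYTES = 63 * SECTOR


def hash_boot_region(path, length=BOOT_REGION_BYTES):
    """SHA-256 hex digest of the first `length` bytes of a block device or image."""
    digest = hashlib.sha256()
    with open(path, "rb") as disk:
        remaining = length
        while remaining > 0:
            chunk = disk.read(min(65536, remaining))
            if not chunk:  # image shorter than the region: hash what exists
                break
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def record_baseline(path, baseline_file, length=BOOT_REGION_BYTES):
    """Store the known-good digest; do this before the laptop ever leaves your hands."""
    digest = hash_boot_region(path, length)
    with open(baseline_file, "w") as out:
        json.dump({"device": path, "length": length, "sha256": digest}, out)
    return digest


def check_against_baseline(path, baseline_file):
    """Return (unchanged, current_digest). Run from trusted boot media, before
    typing the passphrase: a compromised loader can misreport its own bytes."""
    with open(baseline_file) as inp:
        baseline = json.load(inp)
    current = hash_boot_region(path, baseline["length"])
    return current == baseline["sha256"], current


def demo():
    """Constructed 2 MiB disk image (not a real TrueCrypt disk): a clean check,
    a one-byte change in the MBR, and a change outside the hashed region.
    Returns the three check results."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")
    baseline = os.path.join(workdir, "boot-baseline.json")

    disk = bytearray(2 * 1024 * 1024)
    disk[0:16] = b"BOOT LOADER CODE"  # stand-in for loader code
    disk[510:512] = b"\x55\xaa"  # MBR boot signature
    with open(image, "wb") as f:
        f.write(disk)
    record_baseline(image, baseline)
    clean_ok, _ = check_against_baseline(image, baseline)

    # An Evil Maid swaps in a keylogging loader; a single changed byte in the
    # MBR is enough for the digest to differ.
    with open(image, "r+b") as f:
        f.seek(8)
        f.write(b"X")
    tampered_ok, _ = check_against_baseline(image, baseline)

    # Restore the byte, then modify data well past the first track (inside
    # what would be the encrypted volume): the boot-region check ignores it.
    with open(image, "r+b") as f:
        f.seek(8)
        f.write(bytes(disk[8:9]))
        f.seek(1024 * 1024)
        f.write(b"\xff")
    outside_ok, _ = check_against_baseline(image, baseline)
    return clean_ok, tampered_ok, outside_ok


if __name__ == "__main__":
    print("clean, tampered MBR, change outside region:", demo())
```

On a real machine the `path` would be the raw device (for example `/dev/sda` under a live Linux image), read from the trusted USB stick rather than from the installed system; the point of the check is that the bytes are read by code the maid never touched. A matching digest says only that the boot region is unchanged; it says nothing about hardware keyloggers or firmware, which this script does not cover.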
Once again we see that the biggest vulnerability in computing security is the human factor.