Slashdot Mirror


Of Encrypted Hard Drives and "Evil Maids"

Schneier has a blog piece about Joanna Rutkowska's "evil maid" attack, demonstrated earlier this month against TrueCrypt. "The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. ... [A] likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. ... [P]eople who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe. It protects against someone confiscating or stealing their computer and then trying to get at the data. It does not protect against an attacker who has access to your computer over a period of time during which you use it, too."

19 of 376 comments

  1. surprise by jacquesm · · Score: 5, Informative

    physical access > digital security

    1. Re:surprise by Golddess · · Score: 4, Insightful

      Except it's not quite like that. It sounds more like you lock your door and leave to get groceries. Before you get back, someone comes up to the door and installs something that can scan the key that is used to unlock the door. That person leaves, you return, unlock the door, and go in. You later head out again, locking the door behind you, and that other person comes up, recovers their device, makes a duplicate key based on the device's contents, and now has access to your home.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    2. Re:surprise by malakai · · Score: 5, Informative

      My god, the mods today suck. All of these "Then don't leave yourself logged in" responses are getting +mod.

      This attack has NOTHING to do with you leaving your session authenticated and open. It's about a boot-loader level phish scheme.

      Basically, you come back to your laptop which you left off, you boot it up not noticing anything out of place, and you log in and unlock your drives. Meanwhile, little did you know that the intruder put a very small OS onto your laptop which runs your primary OS as a virtual OS. It's got low level hooks to all the basic INTs and can read any memory without chance of any program within your primary OS (now virtualized) detecting it.

      Then you log off and go out to dinner. The maid comes in, boots up, hits a key-sequence, and dumps a log to a USB drive. In that log somewhere is your password to your encrypted drives. Game over dude... game fucking over.

  2. At the next defcon... by purpledinoz · · Score: 5, Funny

    I'm imagining a bunch of geeks dressed up in maid outfits.

    1. Re:At the next defcon... by Anonymous Coward · · Score: 5, Funny

      Holy crap slashdot, you scare me! That was not sold out when I posted it.

  3. Fine line between security and paranoia by elrous0 · · Score: 5, Interesting

    Seriously, if you're worried about some hacker assassin breaking into your house or office and installing a bootloader, you're either doing something REALLY secretive (in which case the computer probably shouldn't even be on a network to upload any data back in the first place) or you're the kind of person who thinks Obama has your name on an "important persons" list and is coming for your guns. If someone has physical access to your machine and has the skills to install a bootloader, you're pretty much boned anyway, encryption or not (encryption isn't going to stop a simple keylogger). That's nothing new. Fortunately, for the vast vast majority of us, there are very few hacker black operatives who are running around breaking into hotel rooms just so they can get a single Visa number from Bob the dipshit middle manager. Newsflash Bob, YOU'RE NOT THAT IMPORTANT!

    Oh, and I love how the article calls the prospect of a ninja hacker hotel maid sneaking a bootloader onto your laptop and then sneaking back into your room later to retrieve the data a "likely scenario." What hotels is this guy staying at anyway?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Fine line between security and paranoia by Umuri · · Score: 5, Insightful

      Offhand, I'd say any prominent high-class hotel that might be used by foreign businessmen on a trip.

      I mean, you do have a point, Bob the middle manager isn't that important. However there are quite a few business people who this really would be that important to. Corporate espionage is high, and you know China has been doing focused attacks over the network.

      Sneakernet is always faster, so if they can train up a few pretty women, pay them a decent programmer's wage to have them steal stuff that is the work of 10 engineers or even hundreds, that's a pretty sound economic payoff, don't you think?

      I think stuff like this has its purpose, and those who really are at risk need to be educated about it. For the other 95% of us, I think it's useful info to be aware of, just like don't leave your purse out visible in your car. Sure it probably won't happen, but there are always people who would.

      --
      You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
    2. Re:Fine line between security and paranoia by stoolpigeon · · Score: 4, Insightful

      You vastly underestimate the number of people traveling internationally and engaged in activities that the host governments find to be of interest.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    3. Re:Fine line between security and paranoia by oldspewey · · Score: 5, Insightful

      Bob the middle manager isn't that important, but Bob routinely sends email to Dave the director and Charles the CxO. By trojaning Bob's computer you can start to build a pretty decent profile of the corporate activities going on within, and above, Bob's department ... including travel schedules of some other bigger fish in the corporate pond.

      Do this to 3 or 4 Bobs, and pretty soon you'll have an understanding of the corporate org chart, upcoming projects, and most importantly you'll be able to target your future EvilMaid attacks with pinpoint accuracy.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
  4. bootloader checksum by arabagast · · Score: 4, Insightful

    If you are the kind of person who is in the danger zone of this happening (not that you would leave a computer with such sensitive information in your hotel room), you would probably feel a lot better if you were able to checksum the bootloader when returning, maybe from an external USB drive. This would of course run its own OS, not being done from the bootloader (for obvious reasons).

    --
    Doolittle : ...What is your one purpose in life?
    Bomb no.20 : To explode of course.
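    An added example (not from the thread) of the external-stick bootloader checksum arabagast describes: it hashes the MBR and the sectors that follow it on a disk image or block device and compares the result with a baseline kept on the trusted USB drive, and the 64-sector window and the `record`/`check` command names are assumptions. It only detects a changed on-disk boot region; a replaced BIOS or a hardware keylogger, as the reply below points out, is outside what it can see.

```python
import hashlib
import hmac
import os
import sys
import tempfile

SECTOR_SIZE = 512
BOOT_SECTORS = 64  # MBR plus the post-MBR gap where stage-2 bootloaders live (assumption)


def hash_boot_region(device_path, sectors=BOOT_SECTORS):
    """SHA-256 over the first `sectors` sectors of a block device or disk image."""
    h = hashlib.sha256()
    with open(device_path, "rb") as dev:
        h.update(dev.read(sectors * SECTOR_SIZE))
    return h.hexdigest()


def verify_boot_region(device_path, baseline_path, sectors=BOOT_SECTORS):
    """True if the boot region still matches the baseline recorded on the trusted stick."""
    with open(baseline_path) as f:
        expected = f.read().strip()
    return hmac.compare_digest(hash_boot_region(device_path, sectors), expected)


def demo():
    """Constructed disk image: baseline it, then flip one byte inside the MBR boot code."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "disk.img")
        baseline = os.path.join(d, "boot.sha256")
        with open(image, "wb") as f:
            f.write(os.urandom(BOOT_SECTORS * SECTOR_SIZE) + b"\0" * 4096)
        with open(baseline, "w") as f:
            f.write(hash_boot_region(image) + "\n")
        before = verify_boot_region(image, baseline)   # untouched: matches baseline
        with open(image, "r+b") as f:                  # simulated tamper: one byte at offset 0x10
            f.seek(0x10)
            byte = f.read(1)
            f.seek(0x10)
            f.write(bytes([byte[0] ^ 0xFF]))
        after = verify_boot_region(image, baseline)    # modified: mismatch
    return before, after


if __name__ == "__main__":
    # From the live USB OS: record|check <device> <baseline file on the stick>
    mode, device, baseline_file = sys.argv[1:4]
    if mode == "record":
        with open(baseline_file, "w") as f:
            f.write(hash_boot_region(device) + "\n")
    else:
        print("boot region OK" if verify_boot_region(device, baseline_file) else "BOOT REGION CHANGED")
```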
    1. Re:bootloader checksum by Terrasque · · Score: 4, Interesting

      That won't work if the attacker uses a hardware keylogger (which can be inserted under a laptop's keyboard - how often do you check there?).

      An easier way to checksum the bootloader is via a tamper-proof hash stored in the encrypted area. But that requires that the computer is actually telling you the truth, which is doubtful if they already went far enough to change the bootloader. But then again, your idea also requires that the computer is honest... They could have replaced the BIOS itself, or made a small bootloader that worked its magic fast and silent, and then proceeded like a normal boot, starting from USB like the BIOS would do.

      I was thinking of this a few months ago, actually, and the only solution I found was to either always have it with you (impractical), or store it in a trustworthy safe (could also be slightly impractical to haul around). And still you have to be certain of your environment (spy cameras, tempest type snooping, in some cases recording the sound of your key clicks...).

      Also, if you want it connected to a network, well darnit, you've got another can of worms. First, you need to update it, or else it's vulnerable fast. Second, you need to trust the OS providers and the actual update. Could someone have stolen the signing key and faked an update? Is the company / employees really trustworthy? Are you sure the developer's machine isn't hacked and is used to spread dangerous code?

      I tried to make a system where I (if I had a lot of resources) couldn't possibly find any way around. I just couldn't find any. All of them had a potential loophole.

      My conclusion was: Pick an appropriate level of paranoia and go from there. And never expect it to be 100% secure.

      --
      It's The Golden Rule: "He who has the gold makes the rules."
  5. And that's the lesser evil by Thanshin · · Score: 5, Funny

    You could have found the evil bartender.

    You leave your laptop at the hotel and you go out to take a beer. There, you meet the evil bartender, who because of a common past becomes your friend and starts inviting you to more and more beer. Then he closes the bar and you both go to a strip club where you meet the evil bartender's girlfriend and her friend who we shall call "Foxette".

    The next morning, you wake up in an unknown apartment with Foxette and a guy you don't even know. You quickly get out of there and go to work, with such a massive headache that when asked about the laptop's full disk encryption, your answer is "the what?".

    1. Re:And that's the lesser evil by JustOK · · Score: 4, Funny

      "Has anyone seen my kidney?"

      --
      rewriting history since 2109
  6. Bootloader? BitLocker? by sam0737 · · Score: 4, Insightful

    I didn't read the RTFA, but isn't MSFT's BitLocker supposed to validate the boot path (from BIOS code to bootloader up to the BitLocker decrypter) with the help of the TPM chip?

  7. Easily foiled by Hogwash+McFly · · Score: 4, Insightful

    Evil maids are easy to spot because of their goatees.

    --
    Mother, do you think they'll like this sig?
  8. Re:Bucket List by mccalli · · Score: 4, Funny

    Someday I want to invent an attack, but only because I want the privilege of naming it.

    And some day I'd like to be hit by the attack you invent, because saying that I've been hit by an "all-knowing frog" attack would simply be cool.

    Cheers,
    Ian

  9. Why are we talking about this? by dachshund · · Score: 4, Insightful

    You can see why it's called the "evil maid" attack; a likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. The same maid could even sneak back the next night and erase any traces of her actions.

    Maybe if she's an idiot. Once you've installed your own bootloader, it can neatly remove itself. (After installing malware, or transferring the encryption keys and data it needs over the network.) Why in the world would the maid unnecessarily repeat the riskiest part of the entire attack?

    But more to the point, it must be a slow week. Why are "serious" security researchers even wasting time on something this obvious? Of course your software-based hard disk encryption is hosed in the event that an attacker gets hold of your machine and can alter the bootloader. Hell, the really sophisticated bad guys aren't even going to do anything this difficult or risky. After all, the encryption key has to be in RAM somewhere whenever you're using software-based encryption (hardware encryption excluded). A well-engineered piece of malware will recover it, and two-factor authentication isn't going to help you.

    Even trusted boot will only get you so far against a motivated adversary with this much sophistication. Don't leave your vital computing equipment behind in your hotel room.

  10. Re:Bucket List by Gulthek · · Score: 5, Funny

    The hypnotoad security tool protects against the all-knowing frog attack, but comes with its own drawbac--ALL GLORY TO THE HYPNOTOOL.

  11. Re:My bootloader is on USB by russotto · · Score: 5, Funny

    If someone wants your information that bad, they just need a pair of pliers to succeed with the attack.

    1) Step one: apply pliers to target's scrotum.
    2) Ask them once to access the laptop.
    3) If any resistance is given, squeeze the pliers just a tad.

    Now, leave it to a bunch of nerds to come up with technical workarounds and miss the real point.

    Workaround 1) Make sure only women have the information.
    Workaround 2) Preventative castration
    Workaround 3) Shoot anyone with pliers who comes within 10 feet
    Workaround 4) Duress code which releases false information. (this one's likely practical but only as a delaying tactic; it's going to hurt a lot when the interrogator finds the information doesn't verify)