Hey dudes, and dudettes, Happy Diwali to y’all !
Today’s post is about the Evil maid's exploits on an unsuspecting computer user...
Scenario
Full disk encryption with Truecrypt in this case...
The author mentions PGP whole disk encryption but never mentions about testing it on the humor-me FAQ, LOL! :D
Attack
Joanna of Invisible things has come up with an attack (social engineering + physical access + usb drive?!) - WTF I say... If a person has physical access to your box, it is pretty much a goner... what difference does it make if I boot from a live-cd and use a keylogger or do the same thing from an USB drive?
Solution
Disable USB boot from BIOS options (this ain't nothing new to talk about, building a custom USB drive with a small kernel and a simple keylogger is NOT new)
If you know your way around in Linux, and you use it as a base for your penetration testing laptop. Try modprobe -r usb_storage and blacklist in your conf file, if you are paranoid.
You can easily convert the install/remove commands into a shell-script. Alternately, USB devices can be disabled at the kernel level via GRUB or any other boot loader by editing menu.lst / grub.conf
There is also a humor-me FAQ that says...
Q: Is this Evil Maid Attack some l33t new h4ck?
Nope, the concept behind the Evil Maid Attack is neither new, nor l33t in any way.
Q: So, why did you write it?
Because we believe it demonstrates an important problem, and we would like more attention to be paid in the industry to solving it.
As if nobody has covered these hardware based and/or social engineering attacks in the past?
Q: I've disabled boot from USB in BIOS and my BIOS is password protected, am I protected against EM?
No. Taking out your HDD, hooking it up to a USB enclosure case and later installing it back to your laptop increases the attack time by some 5-15 minutes at most. A maid has to carry her own laptop to do this though.
I loved this part... Every maid knows how to pull apart a laptop and remove the hard-drive enclosure without damaging the drive... Do all maids have prior training in corporate espionage, and basic computer/laptop hardware and operations? LOL!
Q: Why did you choose TrueCrypt and not some other product? Because we believe TrueCrypt is a great product, we use it often in our lab, and we would love to see it getting some better protection against such attacks.
Encryption must protect against physical attacks? Since when did that become a pre-requisite for a fool-proof encryption system/software... since the day "Evil maid was coded" I guess... ;))
Their solutions: Protect your laptop (wow, you discovered something here…), TPM (aka snake oil), Disk Hasher (oh, hashing is a “reasonable” solution even though it is broken)
Let me get this straight, you invent a problem out of nothing and you suggest YOUR own solution, roflmao!
Bottom-line
General unsuspecting public will leave a laptop like this fine lady here suggests. If a person identifies himself/herself a hacker, they are NOT supposed to leave their laptops in a hostile environment... When you leave like that, don't identify yourself as a hacker.
Acknowledgments
Thanks to the ennead@truecrypt.org for all the polemics we had which allowed me to better gather my thoughts on the topic. The same thanks to Alex and Rafal, for all the polemics I have had with them (it's customary for ITL to spend a lot of time finding bugs in each other's reasoning).
The person demonstrating such a GREAT attack will go to any extent to prove that an attack is possible, but will not think one bit as to whether it is practical??
Truecrypt clearly mentions about physical attacks in their documentation, which means they are not addressing the issue, and they want you to find something more serious and interesting to work on and if you don’t have a lot of ideas, ping Halvar Flake – He’s a smart guy with a lot of ideas which are innovative. Stop rehashing old attacks and building small Linux kernels with a simple keylogger and write a humor-me FAQ with “we want more attention” (you want the industry to pay attention to the attack or you?)
Truecrypt Dev: My answer was a good safety case or strongbox with a good lock. If you use it, then you will notice that the attacker has accessed your notebook inside (as the case or strongbox will be damaged and it cannot be replaced because you had the correct key with you). If the safety case or strongbox can be opened without getting damaged & unusable, then it's not a good safety case or strongbox. ;-)
Well, what can I say, except … he pwned you!
I nominate “the Evil Maid” for the Pwnie Awards 2010 - Most Overhyped bug… perhaps someone can beat Joanna to the race… Let’s see… hehe!
Errr...Where's all the rum gone?
