Evil Maid: Where is your portable machine?

Road warriors, do you know where your notebook is? You had better, or Evil Maid may get the best of you and your computer.


Joanna Rutkowska, founder and CEO of Invisible Things Lab, is a well-known security researcher. You may remember Ms. Rutkowska as co-developer of Blue Pill, a rootkit that uses hardware virtualization to remain undetectable.

Well, Ms. Rutkowska has upset the order of things once again. Alex Tereshkin, Principal Researcher at Invisible Things Lab, and Ms. Rutkowska have perfected proof-of-concept malware that defeats whole-disk encryption, not by breaking the cipher but by stealing the passphrase. They named the malware Evil Maid. The name may seem odd, but it's appropriate: Evil Maid requires physical access to the target computer, and hotels full of road warriors are full of unattended notebooks.

How it works

As a part-time road warrior I firmly believe in TrueCrypt. Yet, Ms. Rutkowska has me questioning my resolve. To explain why, let’s say I am on the road. After seeing my client, I return to the hotel and begin writing this article. In a few hours, it’s time to meet the client for dinner. So, I turn the notebook off and go to the hotel restaurant.

I'm not sure why, but someone really wants to see what I am writing. So he pays a hotel employee to sneak into my room and do the following:

  • The attacker starts out by booting my computer from the Evil Maid USB stick. The notebook is off, so the encrypted volume is locked, but the boot loader itself cannot be encrypted (the firmware has to be able to run it), and that is what the stick targets.
  • After booting, an application called "Evil Maid Sniffer" is written into the TrueCrypt boot loader on the hard disk, as shown in Ms. Rutkowska's screenshot:


  • The attacker turns the notebook off and leaves.
  • I come back later that evening and decide to write some more.
  • As soon as I power up the notebook and type my passphrase, the Evil Maid Sniffer records it and writes it in the clear to a pre-arranged area of the hard disk. (The loader runs before the volume is unlocked, so it has no encrypted place to put it.)
  • None the wiser, I continue writing. After a while, I decide I'm thirsty, so I turn the notebook off and head to the bar for a drink.
  • Seeing an opportunity, the attacker sneaks back into my room, boots the notebook using the Evil Maid USB Stick.
  • The Evil Maid USB stick detects that the TrueCrypt loader is already infected, reads the pre-arranged area and displays the captured passphrase, as shown in Ms. Rutkowska's screenshot:


  • The attacker restarts my notebook, enters the correct passphrase, which unlocks the encrypted drive, and copies my article.

You can see why it is called the Evil Maid attack; it's perfect for hotel environments. Ms. Rutkowska also mentioned that, once the passphrase is known, the attacker can simply steal the notebook outright.

Possible defenses

Mr. Bruce Schneier, in a recent post on his security blog, has an interesting comment about Evil Maid:

“This attack exploits the same basic vulnerability as the “Cold Boot” attack from last year, and the “Stoned Boot” attack from earlier this year, and there’s no real defense to this sort of thing. As soon as you give up physical control of your computer, all bets are off.”

TrueCrypt's own documentation agrees with this assessment: physical security of the computer is outside what the software can protect. Mr. Schneier goes on to point out that, of all possible fixes, the following is probably the best:

"A few readers have pointed out that BitLocker can prevent these sorts of attacks if the computer has a TPM on the motherboard."

The reason a TPM helps is that the firmware measures the boot loader into the TPM before running it, and the disk key is sealed to those measurements. A loader that Evil Maid has modified measures differently, so the TPM refuses to release the key and the sniffer never gets to see a usable secret. Note that this stops the modified-loader trick specifically; it does nothing against the Cold Boot attack Mr. Schneier mentions, which reads the key out of RAM on a machine that is already unlocked.

The reason for creating Evil Maid

Ms. Rutkowska agrees with Mr. Schneier and has been trying to convince developers at TrueCrypt to implement a TPM version of TrueCrypt:

“Personally I would love to see TrueCrypt implementing TPM-based trusted boot for its loader, but, well, what can I do? Keep bothering TrueCrypt developers with Evil Maid attacks and hope they will eventually consider implementing TPM support.”

Until that happens, it appears the only absolute solution is to ensure the computer's physical security at all times. That said, I noticed many interesting potential solutions in the comments after Mr. Schneier's post about Evil Maid.
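Both the attack walk-through in "How it works" and the defenses above come down to one fact: Evil Maid has to modify the unencrypted boot loader on the hard disk, and a modification on disk can be detected even without a TPM. The script below is an added example (my own, not code from the original article, from TechRepublic or from Invisible Things Lab) of the cheapest such check: fingerprint the boot region from boot media you control before you leave the room, and compare when you return. It assumes 512-byte sectors and that the loader occupies the first 63 sectors of the disk (the classic first track); the demo data it builds is constructed and is not a real TrueCrypt loader.

```python
"""Boot-region integrity check against Evil Maid style loader tampering.

Added example, not from the original article or from Invisible Things Lab.
Assumptions (adjust to your disk): 512-byte sectors, and the boot loader
(MBR plus the sectors that follow it on the first track) occupies the first
63 sectors. Run it from boot media you control, not from the OS that was
booted through the very loader you are checking.
"""
import hashlib
import random
from typing import List, Optional, Tuple

SECTOR_SIZE = 512
BOOT_SECTORS = 63  # assumption: first track; tune to the loader's real extent


def read_boot_region(device_path: str, sectors: int = BOOT_SECTORS) -> bytes:
    """Read the raw boot region from a block device or disk image file
    (e.g. /dev/sda on Linux, which needs root)."""
    with open(device_path, "rb") as f:
        data = f.read(sectors * SECTOR_SIZE)
    if len(data) != sectors * SECTOR_SIZE:
        raise ValueError("short read: expected %d bytes" % (sectors * SECTOR_SIZE))
    return data


def fingerprint(boot_region: bytes) -> str:
    """SHA-256 over the whole boot region. Keep the value somewhere the maid
    cannot reach (paper, a USB stick that stays on you), never on the disk."""
    return hashlib.sha256(boot_region).hexdigest()


def changed_sectors(baseline: bytes, current: bytes) -> List[int]:
    """Indices of sectors whose contents differ, to locate the tampering."""
    n = min(len(baseline), len(current))
    return [i // SECTOR_SIZE
            for i in range(0, n, SECTOR_SIZE)
            if baseline[i:i + SECTOR_SIZE] != current[i:i + SECTOR_SIZE]]


def verify(current: bytes, baseline_hash: str,
           baseline_copy: Optional[bytes] = None) -> Tuple[bool, List[int]]:
    """Return (intact, changed_sector_list). The hash alone decides; a kept
    copy of the clean region additionally says where the change is."""
    intact = fingerprint(current) == baseline_hash
    changed = changed_sectors(baseline_copy, current) if baseline_copy else []
    return intact, changed


# --- constructed demo data (not a real TrueCrypt loader) ---------------------

def build_demo_boot_region(tampered: bool = False) -> bytes:
    """Fabricate a boot region: an MBR ending in the 0x55AA signature, eight
    loader sectors of fixed pseudo-random bytes, and an unused tail."""
    rng = random.Random(1234)  # fixed seed so the baseline is reproducible
    mbr = bytes(rng.randrange(256) for _ in range(510)) + b"\x55\xaa"
    loader = bytes(rng.randrange(256) for _ in range(SECTOR_SIZE * 8))  # sectors 1-8
    unused = b"\x00" * (SECTOR_SIZE * (BOOT_SECTORS - 9))               # sectors 9-62
    region = bytearray(mbr + loader + unused)
    if tampered:
        # Evil Maid style modification, simulated: patch the loader's
        # passphrase-prompt code (sector 1 here) and use sector 60 as the
        # "pre-arranged portion of the hard disk" where the passphrase lands.
        region[SECTOR_SIZE + 16:SECTOR_SIZE + 24] = b"\x90" * 8
        marker = b"SNIFFED:correct horse"  # constructed placeholder
        region[60 * SECTOR_SIZE:60 * SECTOR_SIZE + len(marker)] = marker
    return bytes(region)


def demo() -> Tuple[Tuple[bool, List[int]], Tuple[bool, List[int]]]:
    """Baseline on the clean region, then check it and a tampered copy."""
    clean = build_demo_boot_region()
    baseline = fingerprint(clean)
    after_maid = build_demo_boot_region(tampered=True)
    return verify(clean, baseline, clean), verify(after_maid, baseline, clean)


if __name__ == "__main__":
    before, after = demo()
    print("before leaving the room: intact=%s changed=%s" % before)
    print("after the maid's visit:  intact=%s changed=%s" % after)
```

On a real machine you would replace the demo data with `read_boot_region("/dev/sda")` from a live USB you keep on you, and compare against a hash recorded earlier from the same trusted media. Two caveats: the check detects tampering after the fact, it does not prevent the passphrase from being captured if you type it before checking; and it only sees what is on the disk, so a hardware keylogger or a modified BIOS is outside its reach.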


What is a TPM? TPM stands for Trusted Platform Module, the Trusted Computing Group's specification for a secure cryptoprocessor, and by extension the chip on the motherboard that implements it. A TPM can generate and store cryptographic keys and release them only when the measured state of the boot process matches what the key was sealed to, which is what lets BitLocker refuse to unlock a drive whose loader has been altered. More information and resources on the TPM specification are available from the Trusted Computing Group at TPM Main Specification.

Final thoughts

It seems that whole-disk encryption is not the panacea most people think it is. It protects data at rest against someone who steals the computer once and has to break in cold. All bets are off if an attacker has physical access to the computer on more than one occasion, because the first visit can plant something that captures the passphrase for the second.

Article courtesy of TechRepublic
