Friday, October 23, 2009

Mitigating the Evil Maid Attack

The security world is buzzing with news of the so-called "evil maid" attack. The basic warning is this: no matter how secure you think you are, you aren't. Full-disk encryption is now provably breakable, and without actually having to break the encryption itself. All you need to do is get ahold of a computer that has been shut down, boot to your own boot device, screw with the boot loader, and shut down again... and then come back after the computer has been turned on and logged into by the real user.

This attack has been called the evil maid attack because a hotel maid is in a perfect position to accomplish this. They have access to the room when you're not around, and leaving a "do not disturb" sign on your door is hardly a deterrent. If you stay at a hotel multiple nights in a row, and you leave your computer in your room while you're not around, you are leaving yourself at risk. You may be the subject of a targetted attack, where the attacker poses as a maid or otherwise gains access to your hotel room while you're out. Or an attacker may get an actual job as a maid at a high-profile hotel, where they know that plenty of secrets will always be passing their way, waiting to be stolen.

There are measures you can take to try and prevent this attack from occuring in the first place. Think of them in terms of both intrusion prevention, and intrusion detection. For instance, a BIOS password can be difficult at best to compromise on a laptop. This is an aspect of intrusion prevention. Of course, it is still possible to reset the BIOS password on a laptop, which will then give the attacker access to install the attack MBR. But if you turn on your computer and there is suddenly no password, when you previously had one, then you know that something is amiss. This is a form of intrusion detection.

You could always use a thumb drive to boot your machine, which would make an evil maid attack against your actual hard drive completely worthless. This introduces another aspect of computer security, which security experts will always disparage, called "security through obscurity". If the attacker doesn't know that you use this method, then they won't be able to attack against it. The problem with this method is, now you have to protect both your boot key, and your laptop. If you only use one thumb drive to boot your machine, and that drive somehow gets damaged (water, static electricity, EMF), then you lose the ability to use your computer.

You could change your password on every boot. Using traditional methods, this is is tedius, and inconvenient, and ignores the fact that the modified boot record might be prepared for it anyway. You could use a password dongle, but that suffers from the same limitations as the thumb drive.

You could leave your computer on, of course. If somebody shuts it down and messes with your boot record, then you'll at least be able to detect that. But then your computer is also susceptable to a cold boot attack, which doesn't require the attacker to return later, so that's out. Using a fingerprint scanner for authentication? Your fingerprints are probably everywhere on your computer already, and even the Mythbusters were able to fool these using little more than a photocopy.

So it would seem that leaving your computer off while you're not in the room is safer than leaving it on. Using alternative boot methods helps, but cannot completely prevent. Using a combination of methods is best, and while it may not provide 100% protection, it can slow down the attacker, and that may be enough.

Anybody else have any other methods that I missed?

No comments:

Post a Comment

Comments for posts over 14 days are moderated