
"Evil Maid" attack against disk encryption


Posted Oct 29, 2009 10:53 UTC (Thu) by ranmachan (guest, #21283)
Parent article: "Evil Maid" attack against disk encryption

Well obviously it's stupid if you forget to password-protect the system.
This leaves the 'hacker physically removes hard disk' and 'hacker adds hardware keylogger' attack vectors.

At least the first can be worked around by either password-protecting the hard disk (which modern disks support, but I have no idea if there are BIOSes that can boot from protected disks) or even better to always boot from a USB stick you carry with you at all times and not have the boot code on the system at all. :)

The only thing you can do about 'hardware keylogger' attacks is probably to physically lock away the system in a safe or some other safe place.



"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 12:12 UTC (Thu) by cesarb (subscriber, #6266) (3 responses)

Another theoretical way to defend against "hardware keylogger" attacks would be for the system to be always on, and detect attempts to attack it (it could detect keyboards being temporarily removed to install a keylogger in the middle of the cable, hard disks being removed to tamper with their boot sectors, new malicious hardware being added, or even physical movement of the computer using accelerometers).

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 15:00 UTC (Thu) by drag (guest, #31333) (2 responses)

If a normal PC was left on then it makes it even easier to grab passwords.

If you're using a laptop, for example, any device that you plug into it that implements DMA access can trivially retrieve your password. Like a firewire cardbus card or something like that. Plug that in, Linux detects it and configures it, and the attacker uses a separate PC running Linux to communicate over the firewire and send DMA requests to systematically sift through your memory until it finds the encryption key.

Even if you block against autodetecting hardware your RAM is still removable so that if the attacker is quick they can pull your RAM out of your machine and then read it before the memory goes all random on them.

And there are other attacks besides that.

Now this is with actual hardware you can actually buy. Theoretically if you have some sort of physically resistant hardware then that may help. For example you can currently purchase hard drives that have self-destruct mechanisms that get set off if they are tampered with... doing such things as spraying the drive internals with acid mist to etch the platters. So you can do all sorts of stuff theoretically if the hardware supports it, but right now that is not typical consumer hardware most of us can afford.

---------------------------------

Now I can't believe people are avoiding obvious solutions to this particular attack (where they install a trojaned bootloader):

TAKE YOUR BOOTLOADER WITH YOU.

This is Linux. You don't have to boot off of internal media if you don't want to. Use a USB stick and boot from that and take that with you.

Or just take the laptop with you wherever you go. If it is a small device like an "open Linux smartphone" or a netbook that can adequately meet your needs then you can just keep it on your person.
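The "sift through your memory until it finds the encryption key" step in the comment above is usually done by looking for the AES key schedule rather than the raw key: an AES-128 key that is in use sits in RAM next to the 160 bytes of round keys derived from it, and that derivation is a fixed function, so a scanner can test every 16-byte window and ask whether the bytes after it are what key expansion would produce. The following is an added example written for this page, not code posted by any commenter; it implements AES key expansion from FIPS-197 and scans a constructed, seeded stand-in for a memory image (no real RAM dump or DMA transport is involved, and the planted key is the FIPS-197 test key). It does not handle the bit errors present in real cold-boot images; a field tool would score partial matches instead of demanding an exact one.

```python
"""Search a memory image for AES-128 key schedules, the way cold-boot / DMA key
recovery tools do. Added example for this discussion, not from the original post."""
import random

# ---- AES building blocks (FIPS-197), computed rather than tabulated ---------

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for _ in range(4):                      # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176          # 11 round keys x 16 bytes for AES-128

def _next_round_word(w_prev4, w_prev, round_no):
    """w[4r] = w[4r-4] ^ SubWord(RotWord(w[4r-1])) ^ Rcon[r]."""
    t = [SBOX[b] for b in (w_prev[1], w_prev[2], w_prev[3], w_prev[0])]
    t[0] ^= RCON[round_no - 1]
    return bytes(a ^ b for a, b in zip(w_prev4, t))

def expand_key(key):
    """Return the full 176-byte AES-128 key schedule for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        if i % 4 == 0:
            w.append(_next_round_word(w[i - 4], w[i - 1], i // 4))
        else:
            w.append(bytes(a ^ b for a, b in zip(w[i - 4], w[i - 1])))
    return b"".join(w)

# ---- the scan ---------------------------------------------------------------

def find_aes128_keys(mem):
    """Return (offset, key) for every complete AES-128 key schedule found in mem."""
    hits = []
    for off in range(len(mem) - SCHEDULE_LEN + 1):
        w0, w3 = mem[off:off + 4], mem[off + 12:off + 16]
        # Cheap 32-bit prefilter: do the 4 bytes after the candidate key look
        # like the first word of round key 1? Only then do the full expansion.
        if mem[off + 16:off + 20] != _next_round_word(w0, w3, 1):
            continue
        key = mem[off:off + 16]
        if mem[off:off + SCHEDULE_LEN] == expand_key(key):
            hits.append((off, key))
    return hits

def build_sample_image(key, offset, size=4096, seed=7):
    """Constructed stand-in for a RAM dump: seeded noise with a schedule planted at offset."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    img[offset:offset + SCHEDULE_LEN] = expand_key(key)
    return bytes(img)

if __name__ == "__main__":
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 test key
    image = build_sample_image(fips_key, offset=1000)
    for off, key in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset {off:#x}: key={key.hex()}")
```

The prefilter is what makes this practical on a multi-gigabyte image: each window costs a handful of table lookups, and the 176-byte expansion and compare only run on the roughly one-in-four-billion windows that pass it. This is also why keeping the schedule out of RAM (or in CPU registers, as some Linux cipher implementations later did) changes the picture for an attacker with DMA access.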

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 15:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) (1 response)

"If you're using a laptop, for example, any device that you plug into it that implements DMA access can trivially retrieve your password. Like a firewire cardbus card or something like that."

Not anymore. New platforms (including notebooks) have IOMMU, which separates each device into its own memory protection domain.

"TAKE YOUR BOOTLOADER WITH YOU."

Won't work. 'Evil maid' can infect your BIOS, so your whole Linux will run after 'evil' code is executed. Which can install backdoors into SMM, for example.

In short, TPM is the only real solution. You _need_ to have hardware you trust as the base of the 'trust chain'.

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 20:31 UTC (Thu) by drag (guest, #31333)

No.

Even if you're using TPM the hardware can still be subverted if you allow physical access to it. TPM does not solve any "evil maid" related issue that putting the bootloader in removable media won't solve, except maybe the BIOS thing.

TPM is useful for detection of problems with malicious software in your bootloader and kernel. That way you can establish a chain of trust from initial boot-up to running the OS. This allows you to hash every element from the BIOS on upwards. This way you can reliably detect things like rootkits by a simple reboot, which is impossible otherwise. Previous to TPM you had to use a tool like tripwire or other host-based IDS while the system was offline (like you were booted up in a live CD) and comparing that result with the last known good hash is the only reliable way to combat rootkits. TPM can reduce the complexity, expense, and difficulty of that considerably.

It is not really designed to secure your machine from physical access.

------------------------------------

Really the only solution using current technology is just not to leave your stuff where other people have access to it when you're not around.
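The last two comments describe the same mechanism from two sides: the firmware is measured first, each later boot stage is hashed into a PCR before it runs, and either a secret is released only when the PCRs match a known-good set, or the stored measurements are compared against a reference after a reboot. The simulation below is an added example written for this page, not code from any commenter or from LWN; it stands in hashlib for the TPM, models sealing as "release the secret only if the PCR policy digest matches" (what TPM2 PolicyPCR enforces, without the real key-wrapping), and the PCR numbers (0 firmware, 4 boot loader, 8 kernel) follow the common PC-client and GRUB layout as an assumption. The boot chains and the volume key are constructed. It shows the two points in the thread: a trojaned boot loader changes PCR 4 and the key no longer unseals, and a reflashed BIOS changes PCR 0 regardless of whether the boot loader came from a USB stick. It shows nothing about attacks on the hardware itself, which is the caveat above.

```python
"""Simulate TPM measured boot: PCR extend, sealing to PCRs, and boot-time comparison.
Added example for this discussion; hashlib stands in for the TPM."""
import hashlib

PCR_INITIAL = bytes(32)     # PCRs are all-zero after power-up

def pcr_extend(pcr, blob):
    """TPM extend: new = H(old || H(blob)). Order matters and it cannot be undone."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()

def measure_boot(components):
    """Replay a boot: each (pcr_index, name, bytes) is hashed into its PCR in order.
    Returns (pcrs, event_log); the log is what a reboot-time check compares."""
    pcrs, log = {}, []
    for idx, name, blob in components:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INITIAL), blob)
        log.append((idx, name, hashlib.sha256(blob).hexdigest()))
    return pcrs, log

def policy_digest(pcrs, indices):
    """Digest over the selected PCR values (the role of TPM2_PolicyPCR)."""
    h = hashlib.sha256()
    for i in indices:
        h.update(bytes([i]) + pcrs[i])
    return h.digest()

def seal(secret, pcrs, indices):
    """Bind a 32-byte secret to PCR values. Toy stand-in for a TPM sealed object."""
    pol = policy_digest(pcrs, indices)
    mask = hashlib.sha256(b"toy-kdf" + pol).digest()
    return {"indices": list(indices),
            "check": hashlib.sha256(b"check" + pol).digest(),
            "blob": bytes(a ^ b for a, b in zip(secret, mask))}

def unseal(sealed, pcrs):
    """Release the secret only when the current PCRs reproduce the sealing policy."""
    pol = policy_digest(pcrs, sealed["indices"])
    if hashlib.sha256(b"check" + pol).digest() != sealed["check"]:
        return None                                   # a real TPM refuses here
    mask = hashlib.sha256(b"toy-kdf" + pol).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], mask))

def tamper_report(reference_log, current_log):
    """Names of components whose measurement differs from the known-good log
    (the 'reboot and compare to the last known good hash' check)."""
    ref = {name: digest for _, name, digest in reference_log}
    return [name for _, name, digest in current_log if ref.get(name) != digest]

# Constructed boot chains; the blobs are placeholders, not real firmware.
# PCR layout (assumed): 0 = firmware, 4 = boot loader, 8 = kernel + initrd.
GOOD_BOOT = [
    (0, "firmware",   b"vendor BIOS 1.07"),
    (4, "bootloader", b"grub stage 1.5 + stage 2"),
    (8, "kernel",     b"vmlinuz-2.6.31 + initrd"),
]
# Evil maid replaced the on-disk boot loader with one that logs the passphrase.
EVIL_MAID_BOOT = [(i, n, b"trojaned bootloader") if n == "bootloader" else (i, n, b)
                  for i, n, b in GOOD_BOOT]
# Boot loader carried on a USB stick (unchanged), but the firmware was reflashed.
INFECTED_BIOS_BOOT = [(i, n, b"vendor BIOS 1.07 + SMM backdoor") if n == "firmware" else (i, n, b)
                      for i, n, b in GOOD_BOOT]
DISK_KEY = hashlib.sha256(b"constructed volume key").digest()

def run_scenario(boot):
    """Seal the disk key to the known-good boot, then boot `boot` and try to unseal.
    Returns (key_or_None, names_of_tampered_components)."""
    good_pcrs, good_log = measure_boot(GOOD_BOOT)
    sealed = seal(DISK_KEY, good_pcrs, [0, 4, 8])
    pcrs, log = measure_boot(boot)
    return unseal(sealed, pcrs), tamper_report(good_log, log)

if __name__ == "__main__":
    for label, boot in (("good boot", GOOD_BOOT),
                        ("evil maid boot loader", EVIL_MAID_BOOT),
                        ("USB boot loader, infected BIOS", INFECTED_BIOS_BOOT)):
        key, tampered = run_scenario(boot)
        print(f"{label:32s} key released: {key is not None}  tampered: {tampered}")
```

Two properties of extend carry the argument: a component is measured before it gets control, so malicious code cannot avoid being hashed, and the hash chain cannot be rewound, so it cannot restore the expected value afterwards. Both depend on the first measurement (of the firmware) being taken by something the attacker could not replace, which is the "hardware you trust as the base" in the comment above and the reason the USB-stick boot loader alone does not change the outcome in the third scenario.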


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.