
"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 15:00 UTC (Thu) by drag (guest, #31333)
In reply to: "Evil Maid" attack against disk encryption by cesarb
Parent article: "Evil Maid" attack against disk encryption

If a normal PC was left on then it makes it even easier to grab passwords.

If you're using a laptop, for example, any device that you plug into it that implements DMA access can trivially retrieve your password. Like a firewire cardbus card or something like that. Plug that in, Linux detects it and configures it, and the attacker uses a separate PC running Linux to communicate over the firewire and send DMA requests to systematically shift through your memory until it finds the encryption key.

Even if you block against autodetecting hardware, your RAM is still removable, so that if the attacker is quick they can pull your RAM out of your machine and then read it before the memory goes all random on them.

And there are other attacks besides that.

Now this is with actual hardware you can actually buy. Theoretically if you have some sort of physically resistant hardware then that may help. For example you can currently purchase hard drives that have self-destruct mechanisms that get set off if they are tampered with... doing such things as spraying the drive internals with acid mist to etch the platters. So you can do all sorts of stuff theoretically if the hardware supports it, but right now that is not typical consumer hardware most of us can afford.

---------------------------------

Now I can't believe people are avoiding obvious solutions to this particular attack (where they install a trojaned bootloader):

TAKE YOUR BOOTLOADER WITH YOU.

This is Linux. You don't have to boot off of internal media if you don't want to. Use a USB stick and boot from that and take that with you.

Or just take the laptop with you wherever you go. If it is a small device like an "open Linux smartphone" or a netbook that can adequately meet your needs then you can just keep it on your person.



"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 15:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

"If you're using a laptop, for example, any device that you plug into it that implements DMA access can trivially retrieve your password. Like a firewire cardbus card or something like that."

Not anymore. New platforms (including notebooks) have IOMMU, which separates each device into its own memory protection domain.

"TAKE YOUR BOOTLOADER WITH YOU."

Won't work. 'Evil maid' can infect your BIOS, so your whole Linux will run after 'evil' code is executed. Which can install backdoors into SMM, for example.

In short, TPM is the only real solution. You _need_ to have hardware you trust as the base of the 'trust chain'.

"Evil Maid" attack against disk encryption

Posted Oct 29, 2009 20:31 UTC (Thu) by drag (guest, #31333) [Link]

No.

Even if you're using TPM the hardware can still be subverted if you allow
physical access to it. TPM does not solve any "evil maid" related issue
that putting the bootloader in removable media won't solve, except maybe
the BIOS thing.

TPM is useful for detection of problems with malicious software in your
bootloader and kernel. That way you can establish a chain of trust from
initial boot-up to running the OS. This allows you to hash every element
from the BIOS on upwards. This way you can reliably detect things like
rootkits by a simple reboot, which is impossible otherwise. Prior to
TPM you had to use a tool like tripwire or other host-based IDS while the
system was offline (like you were booted up in a live cd) and comparing
that result with last known good hash is the only reliable way to combat
rootkits. TPM can reduce the complexity, expense, and difficulty of that
considerably.

It is not really designed to secure your machine from physical access.

------------------------------------

Really the only solution using current technology is just not to leave your
stuff where other people have access to it when you're not around.
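
Added example, not part of either commenter's post: a software simulation of the hash chain described above, in which each boot stage is measured into a TPM register (PCR) and a replaced bootloader changes the final value seen after a reboot. The component contents, the PCR indices and the helper names are constructed for illustration; a real TPM performs the extend operation in hardware.

```python
import hashlib

PCR_SIZE = 32  # bytes in a SHA-256 PCR; registers start as all zeros


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || SHA256(component)).

    The old value is folded into the new one, so a register can only be
    appended to, never set directly, and the order of measurements matters.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def replay(boot_chain):
    """Replay measurements in boot order; return {pcr_index: final value}."""
    pcrs = {}
    for index, _name, blob in boot_chain:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), blob)
    return pcrs


def changed_pcrs(reference_chain, observed_chain):
    """List the PCR indices whose final values differ between two boots."""
    ref, obs = replay(reference_chain), replay(observed_chain)
    return sorted(i for i in ref.keys() | obs.keys() if ref.get(i) != obs.get(i))


# Constructed sample data: (pcr_index, stage name, stage contents).
GOOD_CHAIN = [
    (0, "firmware", b"constructed firmware image"),
    (4, "bootloader", b"constructed bootloader"),
    (4, "kernel", b"constructed kernel image"),
]
# Same machine after the bootloader on disk has been replaced.
TAMPERED_CHAIN = [
    (0, "firmware", b"constructed firmware image"),
    (4, "bootloader", b"constructed bootloader with extra code"),
    (4, "kernel", b"constructed kernel image"),
]

if __name__ == "__main__":
    print("clean reboot, changed PCRs:   ", changed_pcrs(GOOD_CHAIN, GOOD_CHAIN))
    print("tampered reboot, changed PCRs:", changed_pcrs(GOOD_CHAIN, TAMPERED_CHAIN))
```
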

