Preventing the Evil Maid Attack on FDE

  2010-10-28

  22:33, by Hagai Bar-El, 467 words
Categories: IT Security

The attack referred to as the "Evil Maid Attack", or the "Cleaning Maid Attack", against full disk encryption (FDE) is considered one of the serious attacks concerning people who travel with laptops full of confidential information. The attack involves an attacker who can obtain physical access to an FDE-protected laptop. The attacker boots the laptop from a second drive and modifies the boot-sector so that subsequent boot-ups, e.g., by the owner, will execute malicious code that captures the passphrase and/or key used to boot the system. The attacker then needs to get hold of the laptop once more to collect his loot. This attack was discussed everywhere, including in the PGP Blog, LWN.net, ZDNet, and the blog of Bruce Schneier.

Some people claimed that there are no feasible countermeasures against this attack, other than making sure your laptop is never left alone for too long. A while ago, I traveled to a place where laptops were not allowed; I had to leave mine at the hotel every day for two weeks. This made me devise a practical solution which can be dubbed: be the cleaning maid yourself.

The evil maid attack involves someone replacing your boot-sector (the only non-encrypted part of the FDE-protected disk) with a modified one. Since the boot-sector is not encrypted, and loads before decryption starts, you can neither prevent nor detect such changes to it just by booting.

What you can do, however, is re-program the boot-sector from a genuine, trustworthy copy, before each boot; or just before the first boot-up after leaving the laptop alone. All modern laptops allow you to boot from a USB disk-on-key. All you need to do is prepare such a USB disk-on-key dongle with a copy of the hard-drive's boot-sector, and boot from this dongle rather than from the hard-drive. Once booted (or just before), copy the boot-sector from the dongle to the hard-drive, so that you do not need the dongle at subsequent boot-ups, until you leave your laptop alone again. A CD, instead of the dongle, will also do.

This is actually far less complex to carry out than you may think. Every decent FDE application, including TrueCrypt, allows you to prepare a copy of the boot-sector on a bootable image, for recovery purposes. TrueCrypt, for example, will happily generate a rescue CD (which can be converted with mild effort into a bootable USB) which, when booted, presents a menu allowing you to overwrite the boot-sector of the hard-drive with the copy stored on the CD.

Overwrite that boot-sector, and whatever the evil maid managed to do is reverted back to normal.

Obviously, you will need to carry this dongle (or CD) with you, so it is not modified or replaced. Attach it to your car keys or something.
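The procedure above (snapshot the unencrypted boot region onto a trusted medium, then verify and re-write it from that medium before the first boot after leaving the laptop alone) can be scripted for FDE setups that have no rescue-disc menu of their own. The following is an added example, not code from the original post or from TrueCrypt: three shell functions meant to be run from the trusted USB/CD boot environment, never from the possibly tampered operating system on the hard-drive. Assumed and adjustable: the raw disk path (e.g. /dev/sda, or any ordinary file for a dry run) and the number of 512-byte sectors the bootloader occupies, here 63 because pre-partition-gap bootloaders such as TrueCrypt's live in track 0. The snapshot prints a SHA-256 of the reference copy; record it somewhere the attacker cannot reach (not on the dongle itself), and pass it back at restore time so that a swapped or modified dongle is refused.

```shell
#!/bin/sh
# Added example (not part of the original post): snapshot, verify and restore
# the unencrypted boot region of an FDE disk from a trusted copy.
# Assumptions: DEVICE is the raw disk (e.g. /dev/sda) or, for a dry run, a
# plain file; the bootloader occupies the first SECTORS 512-byte sectors
# (63 assumed, i.e. track 0 as used by TrueCrypt's loader; adjust as needed).

SECTOR_SIZE=512
SECTORS=${SECTORS:-63}

# Print the SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy the boot region from DEVICE into REF (run once, from a known-good
# state) and print its hash so it can be recorded off the dongle.
snapshot_boot_region() {
    device=$1; ref=$2
    dd if="$device" of="$ref" bs=$SECTOR_SIZE count=$SECTORS 2>/dev/null || return 1
    hash_file "$ref"
}

# Return 0 if the boot region currently on DEVICE is byte-identical to REF,
# 1 if it has been altered (detection step).
verify_boot_region() {
    device=$1; ref=$2
    tmp=$(mktemp) || return 1
    dd if="$device" of="$tmp" bs=$SECTOR_SIZE count=$SECTORS 2>/dev/null
    if cmp -s "$tmp" "$ref"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Write REF back over the boot region of DEVICE (the "be the cleaning maid
# yourself" step). EXPECTED is the hash recorded at snapshot time; a
# reference copy that no longer matches it is refused with status 2, so a
# tampered or swapped dongle is not written to the disk.
restore_boot_region() {
    device=$1; ref=$2; expected=$3
    [ "$(hash_file "$ref")" = "$expected" ] || return 2
    # conv=notrunc: overwrite in place, never truncate the target
    dd if="$ref" of="$device" bs=$SECTOR_SIZE count=$SECTORS conv=notrunc 2>/dev/null
}
```

Typical use is `h=$(snapshot_boot_region /dev/sda /media/dongle/boot.img)` once, in a clean state, then `verify_boot_region /dev/sda /media/dongle/boot.img || restore_boot_region /dev/sda /media/dongle/boot.img "$h"` each time the laptop was out of your hands, all from the dongle's own boot environment. Restoring the first sector also rewrites the partition table, which is fine when the reference is your own disk's snapshot but is the reason the sector count should not be set larger than the bootloader actually needs.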
