What is an evil maid attack and how to prevent it?
"Evil maid" attacks cover anything done to a machine through physical access while it is powered off, even when its disk is encrypted. An evil maid attack is characterized by the attacker's ability to physically access the target several times without the owner's knowledge. The evil maid attack represents a very specific threat with limited opportunity for exploitation. Evil Maid is fundamentally malware, and it does not demonstrate a flaw in the underlying cryptographic security of any full disk encryption product.

Security firm F-Secure has issued a fresh warning about possible evil maid attacks that exploit Intel's Active Management Technology and other techniques. The spate of fresh evil maid attacks in the wild was discovered by F-Secure senior security consultant Harry Sintonen.

Who is the target of evil maid attacks?

For an encrypted device, the most likely evil maid attacks are some form of keylogger, either physical or software. Physical loggers are all but impossible to detect in software but can be found by physical examination. The name "evil maid" has caught on with security professionals, and the label is used in a general fashion to describe scenarios in which the attacker does not simply steal the device or access it once to clone the hard drive but instead returns multiple times to wreak havoc.

Company executives, government officials, and journalists are the most likely targets of evil maid attacks. Whether the purpose of the attack is to change, steal or sell information, chances are high that the attacker will also make changes to the device's software that will permit remote entry later on.

How to protect against evil maid attacks?

No security product on the market today can protect you if the underlying computer has been compromised by malware with root-level administrative privileges.
The following steps should be taken to prevent this attack:
  • Use a strong password and change it often - Most users realize that it is unwise to enter their password into a computer handed to them by an unknown individual. Once an attacker has installed a new operating system on your computer, the computer may still look like your computer, but it is no longer yours. It is now the attacker's computer. If you type your password into the attacker's computer, your password will soon be theirs as well.
  • Never leave computing devices or small peripherals, such as USB drives, unattended.
  • Avoid using any unknown peripheral.
  • Ensure BIOS and firmware updates are always applied without delay.
  • Enable input–output memory management unit (IOMMU) features.
  • Enforce secure boot protection and change full disk encryption keys on a regular basis.
  • Set a password on the BIOS to prevent changes to the BIOS settings.
  • Only boot the system from the internal hard drive.
  • Set up alerts for changes to the hardware.
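The last three steps (secure boot, BIOS lockdown, alerts on hardware changes) all come down to the same idea: record what the machine looked like when you trusted it, and raise an alert when the boot path or the attached hardware differs on a later check. The script below is an added example written for this article, not code from F-Secure or from the original page. It hashes the files of a boot partition, records a hardware inventory, seals the baseline with an HMAC so an attacker with disk access cannot quietly rewrite it to match a modified system, and reports what changed. The boot directory, the key and every hardware identifier (disk serial, USB device IDs, DIMM count) are constructed sample values; a real agent would read them from the platform and keep the key off the device.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large boot images stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_inventory(boot_dir, hardware):
    """Build a flat inventory: one entry per boot file hash and per hardware attribute.

    `hardware` is a dict of identifiers an agent would normally read from the
    platform (disk serial, USB IDs, DIMM count); here the caller supplies it.
    """
    inventory = {}
    for root, _, files in os.walk(boot_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, boot_dir).replace(os.sep, "/")
            inventory["boot:" + rel] = hash_file(path)
    for key, value in hardware.items():
        inventory["hw:" + key] = value
    return inventory


def seal_baseline(inventory, key):
    """Wrap the inventory with an HMAC so a rewritten baseline is detectable."""
    payload = json.dumps(inventory, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"inventory": inventory, "mac": tag}


def verify_baseline(baseline, key):
    """Return True only if the stored baseline still carries a valid HMAC."""
    payload = json.dumps(baseline["inventory"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def compare_inventories(baseline_inv, current_inv):
    """Return a list of (kind, item) alerts, sorted by item: added, removed or changed."""
    alerts = []
    for item in sorted(set(baseline_inv) | set(current_inv)):
        if item not in current_inv:
            alerts.append(("removed", item))
        elif item not in baseline_inv:
            alerts.append(("added", item))
        elif baseline_inv[item] != current_inv[item]:
            alerts.append(("changed", item))
    return alerts


def demo():
    """Constructed scenario: take a baseline, simulate a visit that swaps the boot
    loader and adds a USB device, then re-check.
    Returns (baseline_intact, alerts, forged_baseline_detected)."""
    key = b"constructed-demo-key"  # constructed; in practice kept off the device
    hardware = {"disk_serial": "CONSTRUCTED-SN-0001",  # constructed values
                "usb_device_ids": "abcd:0001",
                "dimm_count": "2"}
    with tempfile.TemporaryDirectory() as boot_dir:
        loader = os.path.join(boot_dir, "EFI", "BOOT", "BOOTX64.EFI")
        os.makedirs(os.path.dirname(loader))
        with open(loader, "wb") as f:
            f.write(b"constructed boot loader image v1")
        baseline = seal_baseline(collect_inventory(boot_dir, hardware), key)

        # Simulated tampering: modified boot loader plus an extra USB device
        # (a physical keylogger, as described above, shows up as a new USB ID).
        with open(loader, "wb") as f:
            f.write(b"constructed boot loader image v1 + implant")
        hardware_now = dict(hardware, usb_device_ids="abcd:0001,dead:beef")

        baseline_intact = verify_baseline(baseline, key)
        alerts = compare_inventories(baseline["inventory"],
                                     collect_inventory(boot_dir, hardware_now))

        # Simulated cover-up: edit the stored baseline to match the new loader.
        forged = {"inventory": dict(baseline["inventory"]), "mac": baseline["mac"]}
        forged["inventory"]["boot:EFI/BOOT/BOOTX64.EFI"] = hash_file(loader)
        forged_baseline_detected = not verify_baseline(forged, key)
    return baseline_intact, alerts, forged_baseline_detected


if __name__ == "__main__":
    intact, found, forged_caught = demo()
    print("baseline intact:", intact)
    for kind, item in found:
        print(f"ALERT {kind}: {item}")
    print("forged baseline detected:", forged_caught)
```

Run as a scheduled job at every boot, the comparison step is what turns "set up alerts for changes to the hardware" into something concrete; the HMAC matters because an attacker who can rewrite the boot loader can usually rewrite an unprotected baseline file on the same disk.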
Some attackers are so skilled that they can replace a device with an identical one without the victim knowing it, the guide warns.