Evil maid Profession in Wojny hybrydowe | World Anvil

Evil maid

"Hello, my name is Miro Blackhat and this is Safety Thirst, your podcast about cybersecurity safety. We're hosting a very special guest tonight, but no, it's not David Bombal. David has come down with a cold and could not join us, but promised to come back next week. Tonight's guest is known for her love of cats. She is known to appear out of nowhere and lives by the credo: 'Expect the unexpected'. Please welcome the Black Swan."
"Hello, Miro, and thank you for having me."
"And thank you for getting to us on such short notice. For those who joined us only recently, we have a very special anniversary coming up, and we've asked Black Swan to tell us a bit more about it."
"And a round anniversary at that: it's been 30 years since Joanna Rutkowska released her article on TrueCrypt and coined the term Evil Maid. So, for those who don't know, the Evil Maid is a form of attack in which you leave the device unattended and so potentially expose it to physical tampering."
Evil Maid with her faithful Rootkitty sidekick by MidJourney

Misconceptions

Evil Maid exiting the hotel room by MidJourney
"When I first heard the term I was like: 'Okay. There's this person dressed up as a maid, sneaking into a hotel room and disassembling a laptop in a flash.' How does it look in reality? Is there a dress code that comes with the job?"
"Not really, no. I mean, the actual Evil Maid would look like an ordinary person in terms of clothing and manners."
"What other misconceptions come to your mind?"
"Well, I would say that Evil Maid suffers from the same problem many security positions have. Meaning, when you tell your friends and family you landed a job as a penetration tester, more likely than not they'll think you're working in the porn industry. The same goes for Evil Maid, Red Team, etc."

Types of attacks

Evil Maid is a profession with the benefits of a classical software development job, i.e., a hybrid workplace (not to be confused with hybrid warfare). This means the attack can be performed directly, by physically accessing the device, or remotely, by setting up a decoy that sends the Evil Maid the credentials entered by the victim in real time.

Direct attacks

"How is this attack carried out? Is there only one vulnerability the user needs to be aware of or are there several of them?"
"So, there are several scenarios that can happen, and they are strongly related to the type of device, software, etc. In the most popular one, from which the term was coined, a person leaves their computer in a hotel room to go, e.g., for dinner. But the attack itself is not limited to hotels. Think of leaving your computer screen unlocked while going for a coffee break at work, or when you leave your smartphone to be repaired. And the attack area can be much bigger than that, like a security guard leaving the surveillance panel. The term started from a hotel room but is not limited to hotels."
"Right now a lot of listeners are probably thinking of physically opening the device and messing around with the interior, and this takes A LOT of time, especially since a lot of devices are hermetically sealed. Does the attack apply to those cases?"
"Sure. Back in 2009, the vast majority of laptops and personal computers were tight metal boxes fixed with screws, so it made perfect sense. Thirty years later, not so much, but you'd be surprised how fast skilled people work. With a smartphone, you need less than a minute to plug DIRECTLY into the motherboard. With laptops, it may take longer: up to several minutes with professional equipment. So once you have the motherboard and CPU exposed you can plug in, run a couple of special scripts and BOOM, everything's yours."
"But then, one would have to reassemble the compromised device without leaving a trace?"
"Yeah, that part is more difficult, especially since the Evil Maid is working under a lot of pressure. But it is very rarely a lone-wolf type of job, and you can count on your team members to give you a heads-up if things start to go wrong."

Indirect attacks

"You mentioned the attacker needs direct access to the device and that often takes a lot of time. What happens if the security level is pretty high and the Evil Maid won't be able to break into it?"
"In such and similar cases you can try and go for an indirect attack. This happens a lot if the device does not store the data but serves as a gateway. So say you have a special device which is only used to log into the server and fetch the data."
"Okay."
"You switch the device for a replica, as close to the original as you can get, to make the victim think they are using the original device. Now the original is in your possession and the replica is spiked with many, many, MANY traps, including the basic ones, like keyloggers. So when the victim tries to log into the system, you do the same using the original device. It gets tricky with Universal 2nd Factor physical keys, but it's doable."

The perks

"So we talked about the types of attacks and some of the more popular mitigation systems out there. Could you tell us more about the perks of being an Evil Maid, since these are pretty unusual in the industry?"
"Yes! The perks! Number one is working with the best Rootkitties out there. You won't hear any names mentioned, since these are all classified and governments, the typical employer, love their silence regarding security. Number two is working in a well-organized environment. Everyone understands that the stakes are high, so they will give their absolute best to lower the tension and increase the flow. You could argue that the classic movie 'Inception' by Christopher Nolan is not one of the examples. And espionage is certainly the first thing that comes to mind when talking about Evil Maids. And finally, number three is visiting places you'd never dream of entering: expensive tourist resorts, military facilities, you name it. It is kind of similar to the pentesting job, but with stakes much higher on both sides."
"The means are similar but the result is different, right?"
"Sure. Whatever information changes hands during the penetration tests must be returned and with Evil Maids, it's gone forever."


Stuxnet taking down a nuclear centrifuge by MidJourney


Drawbacks

"We've covered the fun stuff, that's awesome. What about the drawbacks of being an Evil Maid? Is there anything that comes to mind?"
"That's dark territory and depends on the target. At one end of the scale you can have a bitter boyfriend whose conversations were read, while at the other a handful of documents connected to head officials of a foreign government. In the latter case it can cost you your life, but the fitting answer would be 'it depends'."

Typical problems

"We've presented the Evil Maid as a kind of supervillain now, but I've heard of methods to deal with the attacks you mentioned. What are some that every one of us could try out?"
"Keep the device by your side and always use full disk encryption."
"Okay. Suppose we're in a hotel and want to go downstairs for dinner. What then?"
"There are some tricks, like crushing potato chips onto your laptop and taking a good-quality photo of it. The downside is, in many countries, the cleaning staff will try to do a good deed by cleaning it up for you, so you won't be able to tell whether the device was tampered with. You'd have to consult a specialist on that one."

Glitches, ports and rubber duckies

"Suppose I used your advice and spread potato chips on my laptop and it's resting in a safe as we speak. I also took a photo of the scene to know if anyone moved the chips. Can someone hack into the laptop without me knowing?"
"It's a good question and the answer is, unfortunately, yes. So we can safely assume that the safe can be easily opened, since every model has a master key and there are databases for those. As for the laptop, several attacks need nothing more than an open communication port, e.g., USB, FireWire, etc."
"How does that work?"
"You know how all communication is performed in bits, qubits, etc.? Well, the communication ports are often pretty vulnerable, meaning they are usually mass-produced and security is not a priority. So often, if you tamper with the signal, say the supply voltage, and make it glitch in a very specific manner, what you effectively end up with is transferring a set of commands through that communication port. You get a connection, even though the laptop is not even open!"
"I imagine this process, the glitching you mentioned, can be automated. Are there some examples out there?"
"A very popular thingy, up to 2030, until USB was patched, was the so-called Rubber Ducky. It was a very small circuit board with a tiny processor anyone could reprogram with a special set of tools. At the end of the board was a USB tip. What made Rubber Ducky special was that you could plug it into a device and it would present itself as, say, a keyboard. More than that. It was a keyboard that could wait, send keystrokes, open terminals... So Rubber Ducky let you make a custom keyboard with a pre-set series of commands to fire off when plugged in, but you could embed it into a little fan, a cute nightlight. Rubber Ducky is only one of the reasons to be cautious of stray USB devices, but certainly not the only one. Only the most popular in its time."
"So I take it the laptop would not be safe?"
"Well, no... But with information security, no computers are 100% safe. You only need to raise the difficulty level for the attackers so that you don't become the low-hanging fruit. With the example above, the laptop could be empty?"
"I think I know where you're going but just for clarity I'll ask: 'What use would there be of an empty laptop?'"
"There are several operating systems, e.g., Tails, which run from a source device, like a USB dongle, but use the CPU, RAM and so on from the host device they are plugged into. The best part, however, is that no information is stored on the host device: when you unplug the source device, the host forgets anything you did using Tails. So in our example, the laptop hidden in a safe would be your host machine, but it would hold no information to steal."


Cover image: by MidJourney

Author's Notes

The Evil Maid attack is real, and leaving your device unattended leaves it potentially exposed. Disk encryption and Universal 2nd Factor (U2F) can increase the level of protection. At the time of writing this article (Dec 2022), a physical U2F key, e.g., in the form of a USB dongle or NFC token, is considered the most secure option and can greatly improve resistance to phishing attacks: even with your credentials (username, password), the attacker would still need the U2F key to access the website/device/account. It's a lot harder to clone a physical device than to social-engineer someone into giving up their SMS code.

Some of the information has been exaggerated for the purposes of the novel, and because of the technological advances made in the alternative timeline in which the novel takes place.

Stay safe!

