Evil maid and the shortcomings of full-disk encryption

Stefan Esser is an iOS security researcher based in Cologne, Germany. Last month, when returning to his Frankfurt hotel room after dinner one evening, he noticed that his laptop had been tampered with in his absence. On investigation he concluded that the hard drive had been removed and then improperly replaced. It appears Stefan may have become the victim of an Evil Maid attack. A further give-away was the hotel room door handle, which also appeared to have been tampered with.

An Evil Maid attack is carried out on an unattended computer (generally a laptop) that has been powered down. The name comes from the scenario of an unattended laptop in a hotel room as experienced by Stefan Esser. Typically, enterprises employ full-disk encryption to protect against laptop theft and laptop tampering.

When a user starts up a laptop whose disk has been encrypted, the bootloader is the first code to run. It prompts the user for the decryption passphrase, which is used to unlock the decryption key stored on the drive. The system is designed this way so that the user can change his/her passphrase without having to re-encrypt the hard drive. Even when the hard drive is encrypted, the bootloader itself remains unencrypted, because it must execute before the passphrase can be obtained.

It is possible for an attacker with physical access to the laptop to modify the bootloader. After gaining physical access to the device, the attacker can remove the drive, connect it to another machine, and install a modified bootloader onto the target drive. When the laptop owner later fires up the laptop, it boots with the modified bootloader, which logs the decryption passphrase as it is typed. The modified bootloader can then transmit the passphrase to the attacker or store it for later retrieval.

As described, an Evil Maid attack relies on the laptop owner entering the decryption passphrase after the attacker has tampered with the laptop.

The Trusted Platform Module (TPM) is designed to thwart the Evil Maid attack. The TPM holds the decryption key and releases it only after confirming that the bootloader has not been modified. Although it is technically possible to extract keys directly from the TPM, doing so is considerably more difficult than the Evil Maid attack and is beyond the means of all but the most sophisticated attackers, such as state actors.
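The TPM check described above, simulated as an added example in Python (this is not code from the original post): the boot components are measured into a PCR in order, the disk key is sealed to the expected PCR value, and the key is released only when the measured chain matches. The PCR extend rule is the standard SHA-256 chaining; the firmware, bootloader and key values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample boot components and key (not real firmware or bootloader images).
FIRMWARE = b"constructed UEFI firmware image v1"
GOOD_BOOTLOADER = b"constructed bootloader: prompt passphrase, unlock key slot, boot OS"
TAMPERED_BOOTLOADER = GOOD_BOOTLOADER + b" + added passphrase logger"
DISK_KEY = hashlib.sha256(b"constructed disk encryption key").digest()


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Replay measured boot: each component extends the PCR in order,
    so a change to any stage (or to the order) yields a different final value."""
    pcr = b"\x00" * 32  # PCRs start zeroed at power-on
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind a secret to a PCR policy (simulated TPM seal)."""
    return {"pcr_policy": expected_pcr, "secret": secret}


def unseal(sealed: dict, current_pcr: bytes):
    """Release the secret only when the measured boot chain matches the policy."""
    if not hmac.compare_digest(sealed["pcr_policy"], current_pcr):
        return None
    return sealed["secret"]


def provision() -> dict:
    """At provisioning time, seal the disk key to the trusted boot chain's measurement."""
    return seal(DISK_KEY, measure_boot_chain([FIRMWARE, GOOD_BOOTLOADER]))


def boot(sealed: dict, bootloader: bytes):
    """Simulate power-on with the given bootloader; returns the disk key or None."""
    return unseal(sealed, measure_boot_chain([FIRMWARE, bootloader]))


if __name__ == "__main__":
    sealed = provision()
    print("untouched bootloader -> key released:", boot(sealed, GOOD_BOOTLOADER) is not None)
    print("tampered bootloader  -> key released:", boot(sealed, TAMPERED_BOOTLOADER) is not None)
```

With the untouched bootloader the key is released; with the tampered one the PCR no longer matches the sealed policy and the laptop never obtains the key, so the captured passphrase alone is not enough.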

Commenting on the Evil Maid attack, Bruce Schneier puts it this way: “there’s no real defence to this sort of thing. As soon as you give up physical control of your computer, then all bets are off”.

In an IoT environment, devices are mostly unattended and generally powered on. They are thus susceptible to attacks where the attacker has physical access to the device.
