‘Evil Maid’ USB stick attack keylogs TrueCrypt passphrases

    • #4362
      Dark_Knight
      Participant

      http://blogs.zdnet.com/security/?p=4662

      How the Evil Maid USB works
      The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care of adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.

    • #27588
      UNIX
      Participant

      Interesting article, seems to be similar to a hardware keylogger though.
      As the record is stored on the disk itself, the attacker would need access to the machine again or did I miss something (as (automatic) transmission through network is not available yet)?

    • #27589
      dalepearson
      Participant

      I made a post about this on my blog.
      I have tried this a couple of times, but couldn't get it to work.
      I am not sure if it's an issue with the image file, or something I am doing wrong, but it's just not doing what it says on the tin.

    • #27590
      timmedin
      Participant

      @awesec wrote:

      attacker would need access to the machine again or did I miss something (as (automatic) transmission through network is not available yet)?

      Yes, it does require access a second time.

    • #27591
      slimjim100
      Participant

      Anytime you have physical access to a PC you can call it quits for security. I think the Evil Maid stuff is just a little over the top.

      Brian

    • #27592
      timmedin
      Participant

      According to Bruce Schneier and a commenter on his blog:

      “Actually Bitlocker is the only Microsoft product that does support Trusted Computing, and thus (if configured that way) will prevent exactly that attack (different bootloader = TPM won’t release the Key).
      And what used to be called Palladium is going much further than TPMs, it more corresponds to, for example, Intel Trusted Execution Technology.”

      So when the victim returns to use the laptop it won’t boot since the bootloader has been modified. A clear indication that it has been tampered with.

      The problem is BitLocker doesn’t natively support pre-boot authentication so without a 3rd-party plug-in KonBoot would work fine.

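      The two points above, the stick rewriting the first 63 sectors in place and a measured boot noticing that the bootloader no longer matches, suggest a simple software-side check a defender can run without a TPM: record a digest of the boot region at install time and compare it on every inspection. The following is an added example written for this thread, not code from the Evil Maid release or from any poster; it works on an in-memory constructed 63-sector region rather than /dev/sda, and it assumes the baseline digest was recorded before the machine was ever left unattended and stored somewhere the machine itself cannot alter.

```python
import hashlib
from typing import Optional

SECTOR_SIZE = 512
BOOT_SECTORS = 63  # the region the stick reads, patches and writes back


def build_sample_boot_region(seed: bytes = b"constructed-demo") -> bytes:
    """Constructed sample standing in for the first 63 sectors of a disk:
    deterministic filler plus the 0x55AA signature that marks a bootable MBR."""
    body = bytearray()
    block = hashlib.sha256(seed).digest()
    while len(body) < SECTOR_SIZE * BOOT_SECTORS:
        body.extend(block)
        block = hashlib.sha256(block).digest()
    del body[SECTOR_SIZE * BOOT_SECTORS:]
    body[510:512] = b"\x55\xaa"
    return bytes(body)


def has_mbr_signature(region: bytes) -> bool:
    """True if sector 0 carries the 0x55AA boot signature at offset 510."""
    return len(region) >= SECTOR_SIZE and region[510:512] == b"\x55\xaa"


def boot_region_digest(region: bytes) -> str:
    """SHA-256 over exactly the 63-sector boot region; record this at install time."""
    return hashlib.sha256(region[: SECTOR_SIZE * BOOT_SECTORS]).hexdigest()


def changed_sectors(baseline: bytes, current: bytes) -> list:
    """0-based indices of sectors whose contents differ from the baseline copy."""
    diffs = []
    for i in range(BOOT_SECTORS):
        lo, hi = i * SECTOR_SIZE, (i + 1) * SECTOR_SIZE
        if baseline[lo:hi] != current[lo:hi]:
            diffs.append(i)
    return diffs


def verify_boot_region(current: bytes, baseline_digest: str,
                       baseline: Optional[bytes] = None) -> dict:
    """Compare the live boot region with the recorded digest. When a full copy
    of the baseline is also available, report which sectors were rewritten."""
    result = {
        "signature_ok": has_mbr_signature(current),
        "digest_ok": boot_region_digest(current) == baseline_digest,
        "changed_sectors": [],
    }
    if baseline is not None and not result["digest_ok"]:
        result["changed_sectors"] = changed_sectors(baseline, current)
    result["ok"] = result["signature_ok"] and result["digest_ok"]
    return result


def simulate_rewrite(region: bytes, sector: int, offset: int) -> bytes:
    """Constructed tampering for the demo: flip a single byte inside one
    sector, enough to stand in for any in-place patch of the loader."""
    patched = bytearray(region)
    patched[sector * SECTOR_SIZE + offset] ^= 0xFF
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_boot_region()
    recorded = boot_region_digest(clean)   # keep this off the machine
    print("clean check:", verify_boot_region(clean, recorded))
    dirty = simulate_rewrite(clean, sector=5, offset=10)
    print("after rewrite:", verify_boot_region(dirty, recorded, clean))
```

On a real machine the bytes would come from reading the first 63 sectors of the boot disk from a trusted environment (a live medium booted from your own USB stick, not the installed OS, since a patched loader could present a clean copy). The check only catches what the baseline covers: a digest of the first 63 sectors says nothing about firmware or the rest of the disk, which is exactly the gap a TPM-backed measured boot, as described for BitLocker above, is meant to close.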
    • #27593
      dalepearson
      Participant

      I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was 🙂

    • #27594
      timmedin
      Participant

      @dalepearson wrote:

      I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was 🙂

      That is extremely surprising to me.
