October 24, 2009 at 1:09 am #4362 Dark_Knight (Participant)
How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care to adjust some fields in the MBR, such as the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.
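To make the steps in the post above concrete, here is an added example that walks the same read / check / unpack / hook / fix-fields / repack sequence against a constructed 63-sector image. It is not the Invisible Things Lab code and not from anyone in this thread. Everything about the on-disk layout is an assumption chosen for illustration: the marker string `TrueCrypt Boot Loader` in sector 0, the offsets 0x1CB and 0x1CD for the packed-loader length and checksum fields, the gzip payload starting at sector 1, the rotating byte-sum checksum, and the stand-in `<ask_passphrase>` / `<log_passphrase>` byte strings in place of real loader code. What it shows beyond the prose: the loader's own checksum is not a tamper check, because the patcher simply recomputes it, so detection has to come from a measurement the attacker cannot update (a hash you keep off the machine, or a TPM as discussed later in the thread).

```python
"""Simulation of the Evil Maid USB patch sequence described above.

Added example, NOT the Invisible Things Lab code. All layout details are
ASSUMPTIONS for illustration: marker string, field offsets, payload start,
checksum routine, and the stand-in prompt/hook byte strings. Only the
63-sector figure and the check/unpack/hook/fix/repack flow come from the post.
"""
import gzip
import hashlib
import struct

SECTOR = 512
AREA_SECTORS = 63                      # the post: first 63 sectors of /dev/sda
AREA_SIZE = SECTOR * AREA_SECTORS
MARKER = b"TrueCrypt Boot Loader"      # ASSUMED identifying string in sector 0
LEN_OFF, SUM_OFF = 0x1CB, 0x1CD        # ASSUMED: u16 packed length, u32 checksum
PAYLOAD_OFF = SECTOR                   # ASSUMED: gzip'd loader begins at sector 1
PROMPT_CODE = b"<ask_passphrase>"      # stand-in for the passphrase-prompt routine
HOOK_CODE = b"<log_passphrase>"        # stand-in for the hook that records it
                                       # (in the real attack: to disk, hence a 2nd visit)


def checksum(data: bytes) -> int:
    """Rotating byte sum (ASSUMED loader checksum). Not a MAC: anyone can recompute it."""
    s = 0
    for b in data:
        s = (s + b) & 0xFFFFFFFF
        s = ((s << 1) | (s >> 31)) & 0xFFFFFFFF
    return s


def read_fields(area: bytes):
    (length,) = struct.unpack_from("<H", area, LEN_OFF)
    (stored,) = struct.unpack_from("<I", area, SUM_OFF)
    return length, stored


def write_fields(area: bytearray, packed: bytes) -> None:
    """The 'adjust size and checksum in the MBR' step from the post."""
    struct.pack_into("<H", area, LEN_OFF, len(packed))
    struct.pack_into("<I", area, SUM_OFF, checksum(packed))


def build_loader_area(loader: bytes) -> bytes:
    """Constructed test fixture standing in for a real disk's first 63 sectors."""
    packed = gzip.compress(loader, mtime=0)
    area = bytearray(AREA_SIZE)
    area[:len(MARKER)] = MARKER
    area[510:512] = b"\x55\xAA"                    # MBR boot signature
    area[PAYLOAD_OFF:PAYLOAD_OFF + len(packed)] = packed
    write_fields(area, packed)
    return bytes(area)


def looks_like_tc_loader(area: bytes) -> bool:
    """Step 1 of the post: inspect sector 0 before touching anything."""
    return len(area) == AREA_SIZE and area[510:512] == b"\x55\xAA" and MARKER in area[:SECTOR]


def unpack_loader(area: bytes) -> bytes:
    length, _ = read_fields(area)
    return gzip.decompress(area[PAYLOAD_OFF:PAYLOAD_OFF + length])


def loader_self_check(area: bytes) -> bool:
    """Stored checksum vs. stored payload: catches corruption, not an attacker."""
    length, stored = read_fields(area)
    return stored == checksum(area[PAYLOAD_OFF:PAYLOAD_OFF + length])


def evil_maid_patch(area: bytes) -> bytes:
    """Check, unpack, hook the prompt, fix size and checksum, repack. Returns new bytes."""
    if not looks_like_tc_loader(area):
        raise ValueError("sector 0 is not a TrueCrypt-style loader; nothing to patch")
    loader = unpack_loader(area)
    if PROMPT_CODE not in loader:
        raise ValueError("passphrase prompt not found in unpacked loader")
    hooked = loader.replace(PROMPT_CODE, HOOK_CODE, 1)
    packed = gzip.compress(hooked, mtime=0)
    if PAYLOAD_OFF + len(packed) > AREA_SIZE:
        raise ValueError("hooked loader no longer fits in the 63-sector area")
    out = bytearray(area)
    out[PAYLOAD_OFF:] = packed.ljust(AREA_SIZE - PAYLOAD_OFF, b"\x00")
    write_fields(out, packed)
    return bytes(out)


def fingerprint(area: bytes) -> str:
    """The defender's check: a hash taken from trusted media and kept off the disk."""
    return hashlib.sha256(area).hexdigest()


if __name__ == "__main__":
    clean = build_loader_area(b"[decompressor] boot: " + PROMPT_CODE + b" mount volume")
    reference = fingerprint(clean)
    evil = evil_maid_patch(clean)
    print("self-check passes on clean image :", loader_self_check(clean))
    print("self-check passes on hooked image:", loader_self_check(evil))
    print("external fingerprint still matches:", fingerprint(evil) == reference)
```

Run it against a dumped image rather than a live disk (`dd if=/dev/sda of=mbr.img bs=512 count=63` is the read the post describes); the patch function here only returns bytes and never writes anything.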
October 30, 2009 at 10:37 am #27588 UNIX (Participant)
Interesting article; it seems to be similar to a hardware keylogger, though.
As the record is stored on the disk itself, the attacker would need access to the machine again, or did I miss something (as (automatic) transmission over the network is not available yet)?
October 30, 2009 at 11:25 am #27589 dalepearson (Participant)
I made a post about this on my blog.
I have tried this a couple of times, but couldn't get it to work.
I am not sure if it's an issue with the image file, or something I am doing wrong, but it's just not doing what it says on the tin.
November 10, 2009 at 5:35 am #27590
attacker would need access to the machine again, or did I miss something (as (automatic) transmission over the network is not available yet)?
Yes, it does require access a second time.
November 10, 2009 at 2:07 pm #27591 slimjim100 (Participant)
Anytime you have physical access to a PC you can call it quits for security. I think the Evil Maid stuff is just a little over the top.
November 15, 2009 at 4:47 pm #27592
According to Bruce Schneier and a commenter on his blog:
“Actually Bitlocker is the only Microsoft product that does support Trusted Computing, and thus (if configured that way) will prevent exactly that attack (different bootloader = TPM won’t release the Key).
And what used to be called Palladium is going much further than TPMs, it more corresponds to, for example, Intel Trusted Execution Technology.”
So when the victim returns to use the laptop it won’t boot since the bootloader has been modified. A clear indication that it has been tampered with.
The problem is BitLocker doesn't natively support pre-boot authentication, so without a 3rd-party plug-in KonBoot would work fine.
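What the quoted comment means in practice ("different bootloader = TPM won't release the Key"), as an added example rather than BitLocker code or anything from this thread: a software model of the TPM 1.2 measured-boot chain. A PCR starts at 20 zero bytes and each boot stage extends it as PCR = SHA-1(PCR || SHA-1(stage)); a secret sealed to an expected PCR value is handed back only when the current value matches, so a hooked MBR changes the PCR and the volume key stays locked, which is the failed boot the post above mentions. Assumed for illustration: the PCR index (4, where a BIOS measures the MBR), the byte strings standing in for the MBR and later stages, and the seal/unseal model (an HMAC-derived wrapping key in place of the TPM's storage root key and PCR policy).

```python
"""Toy model of why a changed boot loader stops a TPM-sealed key being released.

Added example, NOT BitLocker code and not from anyone in this thread. The PCR
extend formula is the TPM 1.2 one; the PCR index, the stand-in boot stages and
the seal/unseal construction are ASSUMPTIONS for illustration.
"""
import hashlib
import hmac

PCR_LEN = 20
MBR_PCR = 4                                     # ASSUMED index; used for labelling only
TPM_ROOT = hashlib.sha256(b"simulated storage root key").digest()   # stands in for the SRK


def extend(pcr: bytes, stage: bytes) -> bytes:
    """TPM 1.2 PCR extend: new = SHA-1(old || SHA-1(measured code))."""
    return hashlib.sha1(pcr + hashlib.sha1(stage).digest()).digest()


def measure_boot(mbr: bytes, later_stages) -> bytes:
    """Measure the MBR first, then each later stage, into one PCR (starts at all zeros)."""
    pcr = bytes(PCR_LEN)
    for stage in (mbr, *later_stages):
        pcr = extend(pcr, stage)
    return pcr


def _wrap_key(pcr_value: bytes) -> bytes:
    # The wrapping key depends on the PCR value, like a PCR-bound policy inside the TPM.
    return hmac.new(TPM_ROOT, pcr_value, hashlib.sha256).digest()


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind a secret (e.g. a volume master key) to the PCR value of the trusted boot path."""
    if len(secret) > 32:
        raise ValueError("toy seal handles secrets up to 32 bytes")
    wrap = _wrap_key(expected_pcr)
    stream = hashlib.sha256(wrap + b"\x01").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(wrap, ct, hashlib.sha256).digest()
    return {"pcr_index": MBR_PCR, "ct": ct, "tag": tag}


def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if the current PCR reproduces the sealing key; else None."""
    wrap = _wrap_key(current_pcr)
    expected_tag = hmac.new(wrap, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(blob["tag"], expected_tag):
        return None                              # TPM refuses: the boot path changed
    stream = hashlib.sha256(wrap + b"\x01").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def hooked_copy(mbr: bytes, offset: int = 0x10) -> bytes:
    """Stand-in for the Evil Maid hook: flip one byte of the MBR."""
    out = bytearray(mbr)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    clean_mbr = b"\xfa\x33\xc0" + b"\x90" * 507 + b"\x55\xaa"   # constructed, not real code
    stages = [b"<ntfs boot sector>", b"<bootmgr>"]              # constructed later stages
    good = measure_boot(clean_mbr, stages)
    blob = seal(b"volume-master-key", good)
    print("clean boot releases key :", unseal(blob, good))
    evil = measure_boot(hooked_copy(clean_mbr), stages)
    print("hooked boot releases key:", unseal(blob, evil))      # None: machine won't boot
```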
November 18, 2009 at 2:24 pm #27593 dalepearson (Participant)
I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was 🙂
November 29, 2009 at 4:58 am #27594