
'Evil Maid' USB stick attack keylogs TrueCrypt passphrases


Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Oct 23, 2009 8:09 pm

'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

http://blogs.zdnet.com/security/?p=4662

How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care about adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Oct 30, 2009 5:37 am

Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

Interesting article, seems to be similar to a hardware keylogger though.
As the record is stored on the disk itself, the attacker would need access to the machine again or did I miss something (as (automatic) transmission through network is not available yet)?

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Fri Oct 30, 2009 6:25 am

Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

I made a post about this on my blog.
I have tried this a couple of times, but couldn't get it to work.
I am not sure if it's an issue with the image file, or something I am doing wrong, but it's just not doing what it says on the tin.

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Nov 10, 2009 12:35 am

Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

awesec wrote: attacker would need access to the machine again or did I miss something (as (automatic) transmission through network is not available yet)?


Yes, it does require access a second time.
twitter.com/timmedin | http://blog.securitywhole.com

slimjim100

EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Tue Nov 10, 2009 9:07 am

Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

Anytime you have physical access to a PC you can call it quits for security. I think the Evil Maid stuff is just a little over the top.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Nov 15, 2009 11:47 am

Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

According to Bruce Schneier and a commenter on his blog:

"Actually Bitlocker is the only Microsoft product that does support Trusted Computing, and thus (if configured that way) will prevent exactly that attack (different bootloader = TPM won't release the Key).
And what used to be called Palladium is going much further than TPMs, it more corresponds to, for example, Intel Trusted Execution Technology."

So when the victim returns to use the laptop it won't boot since the bootloader has been modified. A clear indication that it has been tampered with.

The problem is BitLocker doesn't natively support pre-boot authentication so without a 3rd-party plug-in KonBoot would work fine.
twitter.com/timmedin | http://blog.securitywhole.com
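
An added example, not from the thread or the article it quotes: a simplified Python model of the TPM behaviour described in the quoted comment above ("different bootloader = TPM won't release the Key"), applied to the same 63-sector boot region the first post says is rewritten. `SimulatedTPM`, `measure_boot`, the two-stage measurement split and the sample disk bytes are assumptions for illustration; a real TPM performs the extend and unseal in hardware.

```python
import hashlib
import hmac

SECTOR = 512
BOOT_SECTORS = 63  # boot region named in the first post's quoted description

def boot_region(disk: bytes) -> bytes:
    """Return the first 63 sectors (MBR plus loader area) of a disk image."""
    region = disk[:SECTOR * BOOT_SECTORS]
    if len(region) != SECTOR * BOOT_SECTORS:
        raise ValueError("image shorter than 63 sectors")
    return region

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 1.2 style extend: new PCR = SHA1(old PCR || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def measure_boot(disk: bytes) -> bytes:
    """Measure the MBR, then the rest of the loader area, into a zeroed PCR."""
    region = boot_region(disk)
    pcr = bytes(20)
    for stage in (region[:SECTOR], region[SECTOR:]):  # assumed two-stage chain
        pcr = extend(pcr, stage)
    return pcr

class SimulatedTPM:
    """Toy sealing model: the secret is released only for the sealed PCR value."""
    def __init__(self):
        self._sealed = None

    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._sealed = (pcr, secret)

    def unseal(self, current_pcr: bytes):
        pcr, secret = self._sealed
        return secret if hmac.compare_digest(pcr, current_pcr) else None

def demo():
    # Constructed sample disk: 63 boot sectors of filler plus one data sector.
    clean = bytearray(b"\x90" * SECTOR * BOOT_SECTORS + b"D" * SECTOR)
    tpm = SimulatedTPM()
    tpm.seal(b"volume-key", measure_boot(bytes(clean)))
    tampered = bytearray(clean)
    tampered[SECTOR * 5 + 17] ^= 0x01            # one bit changed in the loader
    data_changed = bytearray(clean)
    data_changed[SECTOR * BOOT_SECTORS] ^= 0x01  # change outside measured region
    return tuple(tpm.unseal(measure_boot(bytes(d)))
                 for d in (clean, tampered, data_changed))
```

`demo()` returns the key for the untouched image, `None` once a single bit in the loader area changes, and the key again when only data outside the measured region changes, which is why sealing detects a modified loader but says nothing about unmeasured sectors.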

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Wed Nov 18, 2009 9:24 am

Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was :)

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sat Nov 28, 2009 11:58 pm

Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

dalepearson wrote: I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was :)


That is extremely surprising to me.
twitter.com/timmedin | http://blog.securitywhole.com
