'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Security researcher Joanna Rutkowska has released a PoC (proof of concept) of a keylogger that is capable of logging TrueCrypt's disk encryption passphrase, enabling the attacker to successfully decrypt the hard drive's content.
Dubbed the 'evil maid' attack due to its 'plug-and-exploit' functionality, which requires only 1-2 minutes for the infection process to take place, it works with the latest TrueCrypt versions, 6.0a - 6.2a.
Here's how it works, and TrueCrypt's response:
"So, let's assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else. Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user's hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop gets infected with Evil Maid Sniffer that will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.
So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version)."
TrueCrypt's response to the so-called 'janitor attacks' is pretty straightforward: as long as someone has had physical access to your hardware, you should assume the worst if you are truly paranoid. Moreover, according to the developer, the physical security of the hardware is not TrueCrypt's problem, and a good strongbox might offer a clue that the hardware has been tampered with in the absence of its owner.
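Because the sniffer described above has to live in the unencrypted boot area of the disk (the MBR and the boot loader sectors that run before the passphrase prompt), the owner can detect an infection by recording per-sector hashes of that area while the laptop is known-good and re-checking them after any period of unattended access. The following script is an added example and not code from the article or from the Evil Maid PoC; the 63-sector boot area size and the disk image are constructed assumptions for the demonstration, not TrueCrypt's documented layout.

```python
import hashlib
import random
from typing import List

SECTOR = 512
BOOT_SECTORS = 63  # assumption: MBR plus loader sectors ahead of the first partition


def sector_hashes(image: bytes) -> List[str]:
    """Per-sector SHA-256 of the unencrypted boot area (MBR + boot loader)."""
    area = image[:BOOT_SECTORS * SECTOR]
    return [hashlib.sha256(area[i:i + SECTOR]).hexdigest()
            for i in range(0, len(area), SECTOR)]


def changed_sectors(image: bytes, baseline: List[str]) -> List[int]:
    """Return the indices of boot-area sectors that differ from the recorded baseline."""
    current = sector_hashes(image)
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def read_boot_area(path: str) -> bytes:
    """Read the boot area from a real block device or image file (a device needs root)."""
    with open(path, "rb") as f:
        return f.read(BOOT_SECTORS * SECTOR)


def make_constructed_image(seed: int = 1) -> bytes:
    """Constructed stand-in for a disk: pseudo-random boot sectors followed by a
    few sectors standing in for the encrypted volume. Deterministic for the demo."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range((BOOT_SECTORS + 4) * SECTOR))


def tamper_with(image: bytes, sector: int) -> bytes:
    """Simulate a boot-area modification for the demo by inverting 16 bytes of one sector."""
    off = sector * SECTOR
    flipped = bytes(b ^ 0xFF for b in image[off:off + 16])
    return image[:off] + flipped + image[off + 16:]


if __name__ == "__main__":
    clean = make_constructed_image()
    baseline = sector_hashes(clean)  # record this while the laptop is known-good
    print("clean laptop:", changed_sectors(clean, baseline))
    print("after unattended access:", changed_sectors(tamper_with(clean, 5), baseline))
```

The baseline must be stored off the laptop (for example on a USB key the owner keeps with them), since anything left on the disk can be rewritten along with the boot loader.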
Similar hardware-based attacks were among the main reasons why Symantec's CTO Mark Bregman was recently advised by "three-letter agencies in the US Government" to use a separate laptop and mobile device when traveling to China, citing potential hardware-based compromise.
And whereas strongboxes can improve the physical security of the laptop, there are many other alternatives to achieve better awareness of what is going on around your laptop while you're away from your hotel room. Low-cost mobile proximity alarms are ubiquitous; however, they will not raise an alarm in the case of 'Evil Maid' attacks, because the laptop gets infected without being moved to another location. There are, on the other hand, much more pragmatic motion-detection laptop alarm solutions, as well as portable wireless cameras with 3G connectivity (in the event of wireless signal jamming) that take snapshots and email or SMS the detected activity while you're enjoying your drink.
Attacks similar to the full disk encryption 'Evil Maid' one have been demonstrated against PGP Whole Disk Encryption (2007) and, most recently, against Utimaco SafeGuard Easy v4.5.x, once again emphasizing the importance of physical security.
Talkback
nonsense
Then all I'd do
Huh?
Can't you password protect from even booting up?
I assumed a paranoid person using encryption
Wrong password
re: Wrong password
So they would not get as far as booting from (and, hopefully, even sniffing for) a USB drive.
Yes, I have "casual" users who are that paranoid, and activate the BIOS challenge.
Nothing but physical security works
Hear hear! So which encryption software?
is the best...I am really only worried about the schoolboy not the international spy.
Bitlocker
Which encryption software?
10 different full disk encryption (data at rest) software packages. Check out http://iase.disa.mil/policy-guidance/dod-dar-tpm-decree07-03-07.pdf for more information. All of the packages support FIPS 140-2 encryption and hardware token (smart card) authentication.
~brian
Interesting
Yes but this is what happened to me..
When keyboard went faulty, couldn't boot PC and could not read HD in another computer or in a USB unit. Decrypting the HD password relied on some piece of the BIOS data. News to me!
your idea just adds a moment in a casing, and inject it on an infector machine, then put it right back in your laptop.
Now how safe do you feel???
[ed. this was meant to attach to either of the suggestions to use a BIOS password; I get easily confused by ZDNet's plethora of bright shiny things.]
removing hard drive
How's removing the hard drive working out for you now??
Um, $6.95 for a set of special screwdriver heads?
A professional (national agency level) spy? Nothing in this world will even slow them down...
unattended critical data?
The incredibly vast majority of what these encryption schemes prevent is private data loss to physically stolen machines by non to mildly tech savvy thieves, or walk-by tampering (which, actually, those screws are mostly unneeded for there, too, as case tamper switches and locking case tabs are available on nearly -any- non-portable unit). I don't think proprietary screws help anywhere but bathroom stalls.
For those few that require such sophisticated protection as traveling to remote locations bringing sensitive data... particularly to foreign countries.. the sheer idea of bringing a laptop with highly sensitive resident data is absurd. The recommendation by "three letter agencies" about using a non-primary laptop (ie. cheap, wipable, blank) is simple smarts, and a cheap laptop is a far lower risk/loss if stolen (ie. by a run of the mill thief, which is by far more likely regardless of the sensitive nature of the data.)
Leaving any machine unattended, anywhere, is inviting trouble regardless, and most sensitive data could be carried on-person, 24/7 by their own usb key. Though, this particular infection would likely be one way to actually counter that.
Now that the vector has been identified, I am sure a solution will be implemented (ie. modularized, optional addon of jostled onscreen click-able symbols/text.. etc.) The potential to siphon the final unlock code from the running app's memory -might- be possible, but the keylogging and/or siphoning from private memspace should also be picked up by a multitude of additional security apps... hopefully.
Regardless, the person knowing they have valuable, sensitive data.. ie. corporate espionage risk, or governmental level, etc. and leaving that unit unattended without appropriate additional physical security is absurd... not that I bet it doesn't happen, as people prove themselves to be idiots every moment. Nothing is idiot proof. And nothing whatsoever is safe from a highly trained, motivated thief. Except for bunnies, I hear they are afraid of them, and their proprietary screws.
POC Developer admits there are simple actions to prevent the problem
Quote from http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
"Q: I've disabled boot from USB in BIOS and my BIOS is password protected, am I protected against EM?
No. Taking out your HDD, hooking it up to a USB enclosure case and later installing it back to your laptop increases the attack time by some 5-15 minutes at most. A maid has to carry her own laptop to do this though.
Q: What about using a HDD with built-in hardware-based encryption?
We haven't tested such encryption systems, so we don't know. There are many open questions here: how is the passphrase obtained from the user? Using software stored on the disk or in the BIOS? If on the disk, is this portion of disk made read-only? If so, does it mean it is non-updatable? Even if it is truly read-only, if the attacker can reflash the BIOS, then he or she can install a passphrase sniffer there in the BIOS. Of course that would make the attack non-trivial and much more expensive than the original Evil Maid USB we presented here."
So the solution is to password protect your BIOS and use a Hard Drive password. As far as I know ALL business class laptops have this ability. My company requires both and they have a "spy" program installed on all of our machines (desktops as well) to make sure they are always enabled.
I am sure that with enough time the laptop could be disassembled and the hardware modified to accomplish the keystroke logger, however as Joanna Rutkowska says above "Of course that would make the attack non-trivial and much more expensive than the original Evil Maid USB we presented here."
The final take-away is simple options settings and physical security if the data on the laptop is worth the effort to hack it.
thank you
disk encryption.
Not quite