'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

Security researcher Joanna Rutkowska has released a PoC (proof of concept) of a keylogger capable of logging TrueCrypt's disk encryption passphrase, enabling the attacker to decrypt the hard drive's contents.

Dubbed the 'evil maid' attack because of its 'plug-and-exploit' functionality, it requires 1-2 minutes for the infection process to take place and works with the latest TrueCrypt versions, 6.0a - 6.2a.

Here's how it works, and TrueCrypt's response:

"So, let’s assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else. Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop gets infected with Evil Maid Sniffer that will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version)."

TrueCrypt's response to the so-called 'janitor attacks' is pretty straightforward: as long as someone has had physical access to your hardware, you should assume the worst if you are truly paranoid. Moreover, according to the developers, the physical security of the hardware is not TrueCrypt's problem, and a good strongbox might offer a clue that the hardware has been tampered with in the absence of its owner.
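The attack described above works because a pre-boot full-disk-encryption loader must sit unencrypted at the start of the disk, which is exactly where the sniffer is planted. A practical detection, complementary to the physical measures TrueCrypt's developers point to, is to fingerprint that unencrypted boot region from a trusted medium you carry and compare it against a baseline before typing the passphrase again. The following is an added example (not code from the article, from Joanna Rutkowska's PoC or from TrueCrypt); the region size, the SHA-256 choice and the "known-good" and "tampered" images are constructed assumptions, so only the checking logic carries over to a real disk.

```python
"""
Added example: baseline integrity check for the unencrypted boot region of a
full-disk-encrypted drive. Not part of the original article or of TrueCrypt.
"""
import hashlib
import hmac
from typing import Optional

# Bytes to fingerprint from the start of the disk. 1 MiB covers the MBR plus
# the sectors a pre-boot loader typically occupies; this is an assumption,
# adjust it to the layout of your own loader.
BOOT_REGION_BYTES = 1024 * 1024


def read_boot_region(device_path: str, length: int = BOOT_REGION_BYTES) -> bytes:
    """Read the first `length` bytes of a raw block device or a disk image."""
    with open(device_path, "rb") as fh:
        return fh.read(length)


def boot_region_digest(region: bytes) -> str:
    """SHA-256 hex digest of the boot region (the value you record as baseline)."""
    return hashlib.sha256(region).hexdigest()


def check_boot_region(region: bytes, baseline_digest: str) -> bool:
    """True when the region still matches the recorded baseline digest."""
    return hmac.compare_digest(boot_region_digest(region), baseline_digest)


def locate_change(region: bytes, baseline_region: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None when both copies are identical.
    Only usable when a trusted copy of the whole region is kept, not just its hash."""
    for offset, (current, trusted) in enumerate(zip(region, baseline_region)):
        if current != trusted:
            return offset
    if len(region) != len(baseline_region):
        return min(len(region), len(baseline_region))
    return None


# --- Constructed demo data (no real loader code involved) -------------------

def make_fake_boot_region(seed: bytes = b"known-good loader") -> bytes:
    """Build a deterministic stand-in for a clean boot region: an MBR-sized block
    ending in the 0x55AA signature, followed by filler in place of loader code."""
    mbr = seed.ljust(510, b"\x00") + b"\x55\xAA"
    loader_filler = hashlib.sha256(seed).digest() * 16
    return (mbr + loader_filler).ljust(BOOT_REGION_BYTES, b"\x00")


def simulate_tamper(region: bytes, offset: int = 0x1A0) -> bytes:
    """Overwrite a few bytes inside the MBR code area, the way a patched loader
    would differ from the original. The bytes written are arbitrary."""
    patched = bytearray(region)
    patched[offset:offset + 4] = b"\xEB\xFE\x90\x90"
    return bytes(patched)


if __name__ == "__main__":
    good = make_fake_boot_region()
    baseline = boot_region_digest(good)          # record this on a trusted boot
    print("baseline digest :", baseline)
    print("clean check     :", check_boot_region(good, baseline))
    tampered = simulate_tamper(good)
    print("tampered check  :", check_boot_region(tampered, baseline))
    print("first change at :", hex(locate_change(tampered, good)))
```

For a real drive, call `read_boot_region("/dev/sdX")` (path is an example) instead of the constructed image, and run the check from a boot medium you control rather than from the installed operating system: an OS loaded through an already-modified loader cannot be trusted to report honestly about that loader. Keep the baseline digest off the laptop, for instance on the same USB key.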

Similar hardware-based attacks were among the main reasons why Symantec's CTO Mark Bregman was recently advised by "three-letter agencies in the US Government" to use a separate laptop and mobile device when traveling to China, citing potential hardware-based compromise.

And whereas strongboxes can improve the physical security of the laptop, there are many other ways to gain better awareness of what is going on around your laptop while you're away from your hotel room. Low-cost mobile proximity alarms are ubiquitous; however, they will not raise an alarm in the case of an 'Evil Maid' attack, because the laptop gets infected without being moved to another location. There are, on the other hand, much more pragmatic motion-detection laptop alarm solutions, as well as portable wireless cameras with 3G connectivity (in the event of wireless signal jamming) that take snapshots and email or SMS the detected activity to you while you're enjoying your drink.

Attacks similar to the full-disk-encryption 'Evil Maid' one have been demonstrated against PGP Whole Disk Encryption (2007) and, most recently, against Utimaco SafeGuard Easy v4.5.x, once again emphasizing the importance of physical security.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • nonsense

    anybody who is truly concerned about security will have set the BIOS to require a password at boot...and will set 'boot from USB' to 'Disabled'.
    • Then all I'd do

      is set the jumper to reset the password. Then unless the computer is put under lock and key (sure you may discover that the BIOS password is gone, but most people wouldn't suspect foul play) the HD password would be obtained. Then even if the BIOS password is reset I came back, I wouldn't need it anymore because all I'd need at this point is a netbook and some SATA-to-USB cables. And perhaps a screwdriver.
      Michael Kelly
      • Huh?

        You'd reset the password on a laptop by jumpering the reset pins? Good luck with that!
  • Can't you password protect from even booting up?

    I assume we are talking about business class laptops.
    • I assumed a paranoid person using encryption

      would not use a computer without a logon password.
      • Wrong password

        This just requires the machine to be turned on, not logged in.

        • re: Wrong password

          Business-class laptops (Dell Latitude and Precision, for example) can require a password to get past the BIOS into the boot sequence.

          So they would not get as far as booting from (and, hopefully, even sniffing for) a USB drive.

          Yes, I have "casual" users who are that paranoid, and activate the BIOS challenge.
          • Nothing but physical security works

            It takes about 5 minutes to get by a login password, and popping the HDD into another unit defeats the BIOS password. You have to use some type of software or hardware that encrypts the entire drive in order to stop a schoolboy from getting all your info.
          • Hear hear! So which encryption software?

            So...which encryption software would you say is the best...I am really only worried about the schoolboy not the international spy.

          • Bitlocker

            IMO, Bitlocker is the best (if your hardware and OS version support it).
          • Which encryption software?

            The Department of Defense has approved the use of 10 different full disk encryption (data at rest) software packages. Check out decree07-03-07.pdf for more information. All of the packages support FIPS 140-2 encryption and hardware token (smart card) authentication.

  • Interesting

    Physical security is paramount - especially when it comes to data security. What are the ways to mitigate this? Sounds to me like disabling booting from USB and enabling strong BIOS/boot passwords as supplicants.
    • Yes but this is what happened to me..

      I was using every single password that you can setup in the bios (boot, admin, HD).
      When keyboard went faulty, couldn't boot PC and could not read HD in another computer or in a USB unit. Decrypting the HD password relied on some piece of the BIOS data. News to me!
  • your idea just adds a moment

    That moment to pull out the hard drive, drop it in a casing, and inject it on an infector machine, then put it right back in your laptop.

    Now how safe do you feel???

    [ed. this was meant to attach to either of the suggestions to use a BIOS password; I get easily confused by ZDNet's plethora of bright shiny things.]
    Narr vi
    • removing hard drive

      That would indeed work on those laptop owners who aren't concerned about security. For those who take security seriously we replace the mfr screws with proprietary screws.

      How's removing the hard drive working out for you now??
      • Um, $6.95 for a set of special screwdriver heads?

        How safe are you feeling again? If a geek wants your data and has physical access to the computer, all you can do is slow them down.

        A professional (national agency level) spy? Nothing in this world will even slow them down...
        • unattended critical data?

          Nearly every comment here about securing one's laptop against high and low level theft is utterly laughable. Proprietary laptop screws? yet leaving it unattended in a hotel room. 2-4 layers of mfg bios pwds? .. again.. unattended?

          The incredible vast majority of what these encryption schemes prevent is private data loss to physically stolen machines by non to mildly tech savvy thieves, or, walk by tampering (which, actually, those screws are mostly unneeded there, too, as case tamper switches and locking case tabs are available on nearly -any- non-portable unit). I don't think proprietary screws help anywhere but bathroom stalls.

          For those few that require such sophisticated protection as traveling to remote locations bringing sensitive data... particularly to foreign countries.. the sheer idea of bringing a laptop with highly sensitive resident data is absurd. The recommendation by "three letter agencies" about using a non-primary laptop (ie. cheap, wipable, blank) is simple smarts, and a cheap laptop is a far lower risk/loss if stolen (ie. by a run of the mill thief, which is by far more likely regardless of the sensitive nature of the data.)

          Leaving any machine unattended, anywhere, is inviting trouble regardless, and most sensitive data could be carried on-person, 24/7 by their own usb key. Though, this particular infection would likely be one way to actually counter that.

          Now that the vector has been identified, I am sure a solution will be implemented (ie. modularized, optional addon of jostled onscreen click-able symbols/text.. etc.) The potential to siphon the final unlock code from the running app's memory -might- be possible, but the keylogging and/or siphoning from private memspace should also be picked up by a multitude of additional security apps... hopefully.

          Regardless, the person knowing they have valuable, sensitive data.. ie. corporate espionage risk, or governmental level, etc. and leaving that unit unattended without appropriate additional physical security is absurd... not that I bet it doesn't happen, as people prove themselves to be idiots every moment. Nothing is idiot proof. And nothing what-so-ever is safe from a highly trained, motivated thief. Except for bunnies, I hear they are afraid of them, and their proprietary screws.
  • POC Developer admits there are simple actions to prevent the problem

    Security researcher Joanna Rutkowska in the Q and A section linked to in this article admits that there are some simple things you can do to make 'evil maid' extremely hard to use.
    Quote from http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html

    "Q: I've disabled boot from USB in BIOS and my BIOS is password protected, am I protected against EM?
    No. Taking out your HDD, hooking it up to a USB enclosure case and later installing it back to your laptop increases the attack time by some 5-15 minutes at most. A maid has to carry her own laptop to do this though.

    Q: What about using a HDD with built-in hardware-based encryption?
    We haven't tested such encryption systems, so we don't know. There are many open questions here: how is the passphrase obtained from the user? Using software stored on the disk or in the BIOS? If on the disk, is this portion of disk made read-only? If so, does it mean it is non-updatable? Even if it is truly read-only, if the attacker can reflash the BIOS, then he or she can install a passphrase sniffer there in the BIOS. Of course that would make the attack non-trivial and much more expensive than the original Evil Maid USB we presented here."

    So the solution is to password protect your BIOS and use a Hard Drive password. As far as I know ALL business class laptops have this ability. My company requires both and they have a 'spy' program installed on all of our machines (desktops as well) to make sure they are always enabled.

    I am sure that with enough time the laptop could be disassembled and the hardware modified to accomplish the keystroke logger, however as Joanna Rutkowska says above, "Of course that would make the attack non-trivial and much more expensive than the original Evil Maid USB we presented here."

    The final take-away is simple options settings and physical security if the data on the laptop is worth the effort to hack it.
    • thank you

      and here we can use something Microsoft made, the disk encryption.
      Narr vi
      • Not quite

        Microsoft's disk encryption does pretty much the same thing as TrueCrypt, we're talking hardware level drive encryption where the password is passed to the drive controller itself and there is no software intervention at the operating system level in the encryption process. Microsoft's disk encryption is essentially identical to TrueCrypt from a security standpoint since it relies on the operating system or other non-BIOS software.