Beware of the Evil Maid

Invisible Things Lab (founded by Joanna Rutkowska, who came up with the controversial Blue Pill) has released the Evil Maid tool. This tool is aimed at grabbing the passwords needed to decrypt entire hard drives using TrueCrypt.

The simplest mitigation factor from their list would be to physically secure the laptop when left unattended (i.e. shut down, lock it up). In addition, it’s a good idea to remove external drives from the BIOS boot sequence, and to set the BIOS to ask for a password whenever it boots up.

There’s another thing that can be done by the end user, though that needs to be properly managed too. Read the entry for details.

How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care of adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.
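The description above makes the defender's check fairly obvious: the attack has to rewrite sectors in the first 63-sector boot region, so a baseline of per-sector hashes taken from a known-good state, stored off the laptop and compared from trusted boot media, reveals exactly which sectors changed. The script below is an added example of that baseline-and-compare check; it is not Invisible Things Lab's tool or TrueCrypt's own code. The `TC_MBR_MARKER` string used to recognise a TrueCrypt MBR and the fake disk image built by `build_sample_region` are assumptions constructed for offline demonstration; point `read_boot_region` at a real device or image to use it for real.

```python
"""Baseline-and-compare integrity check for the boot region an Evil Maid
style tool rewrites (added example, not Invisible Things Lab's code)."""
import hashlib
import json
import sys

SECTOR_SIZE = 512
# The post says the tool reads and rewrites the first 63 sectors (MBR plus the
# packed TrueCrypt loader); that is the region we baseline.
BOOT_REGION_SECTORS = 63
# Assumption for this example: the stock TrueCrypt MBR carries this ASCII
# marker. Adjust it to whatever your own boot loader actually contains.
TC_MBR_MARKER = b"TrueCrypt Boot Loader"


def read_boot_region(device_path):
    """Read the raw boot region from a block device or a disk image file."""
    with open(device_path, "rb") as f:
        data = f.read(SECTOR_SIZE * BOOT_REGION_SECTORS)
    if len(data) != SECTOR_SIZE * BOOT_REGION_SECTORS:
        raise ValueError("short read: %d bytes" % len(data))
    return data


def is_bootable_mbr(sector0):
    """Sector 0 of a bootable disk ends with the 0x55 0xAA signature."""
    return len(sector0) == SECTOR_SIZE and sector0[510:512] == b"\x55\xaa"


def looks_like_truecrypt_mbr(sector0):
    """Cheap plausibility check, mirroring the 'is this a TC loader' test."""
    return is_bootable_mbr(sector0) and TC_MBR_MARKER in sector0


def sector_hashes(region):
    """One SHA-256 per sector so a mismatch can be localised to a sector."""
    return [hashlib.sha256(region[i:i + SECTOR_SIZE]).hexdigest()
            for i in range(0, len(region), SECTOR_SIZE)]


def make_baseline(region):
    """Baseline to store OFF the laptop (USB key, printout, remote host)."""
    return {"sector_size": SECTOR_SIZE,
            "region_sha256": hashlib.sha256(region).hexdigest(),
            "sectors": sector_hashes(region)}


def changed_sectors(region, baseline):
    """Indices of sectors whose hash differs from the stored baseline."""
    current = sector_hashes(region)
    return [i for i, (now, then) in enumerate(zip(current, baseline["sectors"]))
            if now != then]


def build_sample_region(tampered=False):
    """Constructed sample image: a fake 63-sector boot region for offline use."""
    sector0 = bytearray(SECTOR_SIZE)
    sector0[0:3] = b"\xeb\x3c\x90"                      # boot code starts with a jump
    sector0[0x100:0x100 + len(TC_MBR_MARKER)] = TC_MBR_MARKER
    sector0[510:512] = b"\x55\xaa"
    loader = bytes((i * 7) & 0xFF for i in range(SECTOR_SIZE * (BOOT_REGION_SECTORS - 1)))
    region = bytearray(sector0 + loader)
    if tampered:
        # Mimic the effect the post describes: boot code patched in sector 0 and
        # the packed loader rewritten further into the region.
        region[0x40:0x44] = b"\x90\x90\xe8\x00"
        region[SECTOR_SIZE * 5:SECTOR_SIZE * 6] = b"\x00" * SECTOR_SIZE
    return bytes(region)


if __name__ == "__main__":
    # Usage: python evilmaid_check.py <device-or-image> baseline.json
    # With no arguments, run against the constructed sample instead.
    if len(sys.argv) == 3:
        region = read_boot_region(sys.argv[1])
        with open(sys.argv[2]) as f:
            baseline = json.load(f)
    else:
        baseline = make_baseline(build_sample_region())
        region = build_sample_region(tampered=True)
    print("TrueCrypt-looking MBR:", looks_like_truecrypt_mbr(region[:SECTOR_SIZE]))
    diff = changed_sectors(region, baseline)
    print("changed sectors:", diff if diff else "none, boot region matches baseline")
```

Two points on the design: the baseline must live somewhere the attacker cannot reach, and the comparison must be run from media you trust, because a patched loader on the disk can present any hashes it likes once it is in control of the boot. Keeping a per-sector list rather than a single digest costs nothing and tells you immediately whether only the MBR fields changed or the packed loader itself was rewritten.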

Edit: More discussion at Schneier’s blog post.

