What’s an “Evil Maid” Attack?
It’s often repeated in cybersecurity: Once an attacker has physical access to your computing device, all bets are off. The “evil maid” attack is an example—and not just a theoretical one—of how an attacker could access and compromise an unattended device. Think of the “evil maid” as a spy.
When people travel for business or pleasure, they often leave their laptops in hotel rooms. Now, what if there was an “evil maid” working in the hotel—a cleaning person (or someone disguised as a cleaning person) who, in the course of their normal cleaning of the hotel room, used their physical access to the device to modify it and compromise it?
Now, this likely isn’t something the average person needs to worry about. But it is a concern for high-value targets like government employees travelling internationally or executives concerned about industrial espionage.
It’s Not Just “Evil Maids”
The term “evil maid” attack was first coined by computer security researcher Joanna Rutkowska in 2009. The concept of an “evil” maid with access to a hotel room is designed to illustrate the problem. But an “evil maid” attack can refer to any situation where your device leaves your eyesight and an attacker has physical access to it. For example:
You order a device online. During the shipping process, someone with access to the package opens the box and compromises the device. Border agents at an international border take your laptop, smartphone, or tablet into another room and return it a bit later. Law enforcement agents take your device into another room and return it later. You’re a high-level executive and you leave your laptop or other device in an office that other people might have access to. At a computer security conference, you leave your laptop unattended in a hotel room.
There are countless examples, but the key combination is always that you’ve left your device unattended—out of your eyesight—where someone else has access to it.
Who Really Needs to Worry?
Let’s be realistic here: Evil maid attacks aren’t like many computer security problems. They aren’t a concern for the average person.
Ransomware and other malware spreads like wildfire from device to device over the network. In contrast, an evil maid attack requires an actual person to go out of their way to compromise your device specifically—in person. This is spycraft.
From a practical perspective, evil maid attacks are a concern for politicians travelling internationally, high-level executives, billionaires, journalists, and other valuable targets.
For example, in 2008, Chinese officials may have secretly accessed the contents of a US official’s laptop during trade talks in Beijing. The official left his laptop unattended. As the Associated Press story from 2008 puts it, “Some former Commerce officials told the AP they were careful to keep electronic devices with them at all times during trips to China.”
From a theoretical perspective, evil maid attacks are a helpful way to think of and summarize a whole new class of attack for security professionals to defend against.
in other words: You probably don’t need to worry that someone will compromise your computing devices in a targeted attack when you let them out of your eyesight. However, someone like Jeff Bezos definitely does need to worry about this.
How Does an Evil Maid Attack Work?
An evil maid attack relies on modifying a device in an undetectable way. In coining the term, Rutkowska demonstrated an attack compromising TrueCrypt system disk encryption.
She created software that could be placed on a bootable USB drive. All an attacker would have to do is insert the USB drive into a powered off computer, turn it on, boot from the USB drive, and wait about one minute. The software would boot and modify the TrueCrypt software to record the password to disk.
The target would then return to their hotel room, power on the laptop, and enter their password. Now, the evil maid could return and steal the laptop—the compromised software would have saved the decryption password to disk, and the evil maid could access the contents of the laptop.
This example, demonstrating modifying a device’s software, is just one approach. An evil maid attack could also involve physically opening a laptop, desktop, or smartphone, modifying its internal hardware, and then closing it back up.
Evil maid attacks don’t even have to be that complicated. For example, let’s say a cleaning person (or someone posing as a cleaning person) has access to the office of a CEO at a Fortune 500 company. Assuming that CEO uses a desktop computer, the “evil” cleaning person could install a hardware key logger between the keyboard and the computer. They could then return a few days later, grab the hardware key logger, and see everything the CEO typed while the key logger was installed and recording keystrokes.
The device itself doesn’t even have to be compromised: Let’s say that a CEO uses a specific model of laptop and leaves that laptop in a hotel room. An evil maid access the hotel room, replaces the CEO’s laptop with a laptop that looks identical running compromised software, and leaves. When the CEO turns on the laptop and enters their encryption password, the compromised software “phones home” and transmits the encryption password to the evil maid.
What It Teaches Us About Computer Security
An evil maid attack really highlights how dangerous physical access to your devices is. If an attacker has unsupervised physical access to a device you leave unattended, there’s little you can do to protect yourself.
In the case of the initial evil maid attack, Rutkowska demonstrated that even someone who followed the basic rules of enabling disk encryption and powering off their device whenever they left it alone was vulnerable.
In other words, once an attacker has physical access to your device outside of your eyesight, all bets are off.
How Can You Protect Against Evil Maid Attacks?
As we’ve pointed out, most people really don’t need to be concerned about this type of attack.
To protect against evil maid attacks, the most effective solution is just to keep a device under surveillance and ensure no one has physical access to it. When the leaders of the world’s most powerful countries travel, you can bet they don’t leave their laptops and smartphones lying around unsupervised in hotel rooms where they could be compromised by another country’s intelligence service.
A device could also be placed in a locked safe or other type of lockbox to ensure an attacker can’t access the device itself—although someone may be able to pick the lock. For example, while many hotel rooms have built-in safes, hotel employees generally have master keys.
Modern devices are becoming more resistant to some types of evil maid attacks. For example, Secure Boot ensures that devices won’t normally boot untrusted USB drives. However, it’s impossible to protect against every type of evil maid attack.
A determined attacker with physical access will be able to find a way.
Whenever we write about computer security, we find it helpful to revisit a classic xkcd comic about Security.
An evil maid attack is a sophisticated type of attack the average person is unlikely to deal with. Unless you’re a high-value target likely to be the target of intelligence agencies or corporate espionage, there are plenty of other digital threats to worry about, including ransomware and other automated attacks.