Keeping your hardware safe and avoiding the evil maid

This installment is about keeping your notebook and other technology items safe. I was recently asked what the Defcon locks were for that I have been distributing with the new notebooks. I jokingly said they were to keep people from taking your monitor and chair from your desk while you're on travel, but there is a better reason I distribute them.

People assume having your hardware stolen is the ultimate way to compromise your data. A smart enough adversary knows better. A system running TrueCrypt or similar full-disk encryption is a near impossible target if it is powered off while you are away; a system that is still powered on, not so much. The passwords and keys for most encryption are held in memory while the system is running, and standby keeps the RAM powered, so they stay there too. Recovering those keys is not easy, but it is possible. If you cannot break the habit of leaving your device on, or in standby, when you are not around because you cannot stand the boot-up time, then at least use a strong password that is difficult to guess, so the attacker cannot simply log in and use tools to capture memory and parse it for your super secret pass-phrase. Be aware that the password only protects the console: an attacker who can read RAM without going through the operating system, by a cold-boot attack on the memory modules or by the direct hardware access described below, does not need to guess anything.

Even this has its downfalls: there are attacks that thwart the password mechanism on a running device outright, and stealing the pass-phrase is then trivial. An example is the FireWire attack, which abuses the direct memory access (DMA) that FireWire and similar interfaces grant to an attached device. If the attacker can do this then it is game over for your data: a tool can patch the lock-screen password check in memory or simply read the encryption keys out of RAM, no cracking required. The fix: do not let an attacker walk away with, or sit down at, your device while it is still powered on, i.e. power it off, and use a lock, when at clients or in a hotel room.
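As an added example, not code from the original post, the following Python script shows why keys in RAM are the weak point whether the memory is captured by cold boot or over a DMA-capable port. It scans a memory image for an AES-128 key the way memory-carving tools do: every AES implementation keeps the expanded key schedule next to the key, each round key is derived from the previous one by a fixed public rule (FIPS-197), so sixteen bytes followed by 160 bytes that satisfy that rule can only be a key schedule. The image, the planted offset and the decoy are all constructed here for illustration; the key is the FIPS-197 test key.

```python
"""Find AES-128 keys in a memory image by locating their expanded key schedule.

Added example, not code from the original post. The memory image below is
constructed in-process (random filler plus one planted key schedule); a real
tool would read a RAM dump or the memory exposed over a DMA-capable port.
"""
import random


def _build_sbox():
    """Compute the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p = p * 3 and q = q / 3 in GF(2^8) mod x^8+x^4+x^3+x+1, so p*q == 1 throughout
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine constant alone
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def next_round_key(prev, rcon):
    """Derive round key i from round key i-1 (FIPS-197 key expansion, AES-128)."""
    words = [list(prev[j:j + 4]) for j in range(0, 16, 4)]
    t = words[3][1:] + words[3][:1]          # RotWord
    t = [SBOX[b] for b in t]                 # SubWord
    t[0] ^= rcon
    out = []
    for w in words:                          # w[i] = w[i-4] xor w[i-1]
        t = [a ^ b for a, b in zip(w, t)]
        out.extend(t)
    return bytes(out)


def expand_key(key):
    """Full 176-byte AES-128 key schedule (the key itself followed by 10 round keys)."""
    schedule = rk = bytes(key)
    for rcon in RCON:
        rk = next_round_key(rk, rcon)
        schedule += rk
    return schedule


def find_aes128_keys(image):
    """Return [(offset, key)] for every byte offset at which a valid key schedule starts."""
    hits = []
    for off in range(len(image) - 175):
        cand = image[off:off + 16]
        # Cheap pre-filter: do the next 16 bytes equal round key 1 of this candidate?
        if next_round_key(cand, RCON[0]) != image[off + 16:off + 32]:
            continue
        if expand_key(cand) == image[off:off + 176]:
            hits.append((off, cand))
    return hits


# Constructed sample: the FIPS-197 test key, planted with its schedule in random filler.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLANT_OFFSET = 12345


def build_sample_image(key=KEY, offset=PLANT_OFFSET, size=32 * 1024, seed=7):
    """Random filler with one expanded key schedule at `offset` and a decoy raw key at 4096.

    The decoy is the bare 16-byte key with no schedule after it: the scanner ignores it,
    which is the point. The schedule, not the key bytes, is what gives the key away.
    """
    rng = random.Random(seed)
    filler = bytearray(rng.getrandbits(8) for _ in range(size))
    filler[4096:4096 + 16] = key
    filler[offset:offset + 176] = expand_key(key)
    return bytes(filler)


if __name__ == "__main__":
    image = build_sample_image()
    for off, key in find_aes128_keys(image):
        print("AES-128 key schedule at offset 0x%x: key %s" % (off, key.hex()))
```

The scan needs no knowledge of the operating system, the disk layout or the password; it only needs the bytes of RAM, which is exactly what a cold-boot or FireWire DMA capture hands over. Scrubbing the schedule from memory on lock, or powering off, is the only thing that removes the target.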

The evil maid attack is often not thought of. You are supporting a remote client, come back to your room to check your mail and leave for dinner, leaving your notebook behind. While you are gone the evil-doer, aka the evil maid, visits your room to fluff your pillows and notices your notebook on the table. Whether it is on or off, a small device that you probably will not notice is plugged into your system, and it records your pass-phrase the next time you type it in. (The original evil maid attack, published by Joanna Rutkowska in 2009, did the same thing in software: the TrueCrypt boot loader has to sit on the disk unencrypted, so it was replaced from a bootable USB stick with one that logs the pass-phrase; a hardware keylogger makes the same point without touching the disk.) The evil maid then returns to steal the notebook, as they now have the pass-phrase to get at your data. To avoid this one, pay attention to rogue devices plugged into your hardware. Sounds simple, but who checks for a small USB device plugged into the back of their host? Also use a lock to keep the evil-doer from stealing the hardware after the key has been captured.
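"Pay attention to rogue devices" is easier with a baseline to compare against. The following Python script is an added example, not code from the original post: it parses two `lsusb` listings (Linux), one taken at a trusted time and one on return to the room, and reports what has appeared or gone missing. Both listings are constructed for illustration, although the vendor:product IDs are real ones from the usb.ids database. Bus and device numbers change between boots, so devices are identified by ID and description and counted, so that a second device claiming to be your keyboard still shows up.

```python
"""Baseline-and-diff check for devices that have appeared on the USB bus.

Added example, not from the original post. Input is the short `lsusb` listing
(Linux); both listings below are constructed for illustration. Bus and device
numbers change between boots, so devices are identified by vendor:product ID
and description, and counted, so a second device claiming to be your keyboard
still shows up.
"""
import re
from collections import Counter

LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)


def parse_lsusb(text):
    """Return a Counter of (vendor_id, product_id, description) from lsusb output."""
    devices = Counter()
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue  # blank lines or anything that is not a device line
        _bus, _dev, vid, pid, desc = m.groups()
        devices[(vid.lower(), pid.lower(), desc.strip())] += 1
    return devices


def diff_usb(baseline_text, current_text):
    """Return (added, removed): devices present now but not at baseline, and vice versa."""
    base = parse_lsusb(baseline_text)
    cur = parse_lsusb(current_text)
    return dict(cur - base), dict(base - cur)


def report(added, removed):
    """Human-readable lines for the diff; NEW entries are the ones to go and look at."""
    lines = []
    for (vid, pid, desc), n in sorted(added.items()):
        lines.append("NEW      %s:%s %s (x%d)" % (vid, pid, desc, n))
    for (vid, pid, desc), n in sorted(removed.items()):
        lines.append("MISSING  %s:%s %s (x%d)" % (vid, pid, desc, n))
    return lines


# Constructed sample listings in lsusb format (the IDs are real vendor/product codes).
BASELINE = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 8087:0a2b Intel Corp. Bluetooth wireless interface
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

# Same machine after a hotel stay: device numbers have moved, a second "Keyboard K120"
# has appeared, and so has a serial converter nobody plugged in.
CURRENT = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 006: ID 1a86:7523 QinHeng Electronics CH340 serial converter
Bus 001 Device 005: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 004: ID 8087:0a2b Intel Corp. Bluetooth wireless interface
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

if __name__ == "__main__":
    # On a real host: save `lsusb` output at a trusted time, then compare fresh output
    # against it on return.
    for line in report(*diff_usb(BASELINE, CURRENT)):
        print(line)
```

The caveat a practitioner wants: an inline hardware keylogger that sits between the keyboard and the host passes the keyboard's own descriptors through and is not enumerated at all, so it will never appear in any listing. The diff catches devices that present themselves to the bus (a second "keyboard", a serial converter, a storage stick left behind); for the transparent kind, the only check is still looking at the ports.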

What am I trying to say here?

  • Use encryption. The performance hit is very small, and many of the newest notebooks with Intel Core "i" series processors have AES-NI instructions that accelerate the encryption in hardware.
  • Avoid leaving your device running, or in standby, when you are not around at foreign locations, i.e. hotels, clients, etc.
  • Use a lock to attach the notebook to a desk, chair, whatever. I know these are not exactly Fort Knox, but they are a deterrent.
  • Epoxy the ports (warning: this may not be an option on corporate assets). Yes, this is extreme, but why do you think some companies enforce this on their desktop systems and/or servers?
This entry was posted in security.

3 Responses to Keeping your hardware safe and avoiding the evil maid

  1. You have posted a superb article here. It sounds interesting and perplexing. As I understand the said article, physical security is important. The “Evil Maid” attack serves as a reminder that briefly allowing a laptop out of your control, even with an encrypted hard disk, means that all security bets are off; the machine should be considered potentially compromised. Obviously different users have different levels of paranoia about their data security, but the Evil Maid attack shows just how simple it can be for others to access your data. Disk encryption is great for preventing accidental disclosure of private information when someone steals a laptop, but is much less useful for an attack that is focused on accessing the data on a particular laptop. Much like internet security, fairly straightforward protection techniques are fine to thwart the random attacker but are probably insufficient for one who is focused on subverting your defenses in particular. Thanks for sharing this great article. It really helps a lot.

  2. Brett says:

    Epoxy ports: why not just rewire all your USB ports so they burn up whatever gets attached to them, or they simply won’t work? You create little widgets that cross the wires back and keep those things with you at all times. You could even put a sticker on the laptop stating that the USB ports aren’t working, don’t attach anything to them, or not…

  3. @Brett, interesting points and thanks for the feedback. Burning up devices (an electric fence, if you will) that are plugged into the USB port might be a liability issue, not to mention a fire hazard. Epoxy is suggested as it does not require someone to physically alter the device, such as desoldering the port or, in your case, applying excessive power. A sticker or other warning banner may keep some out, but an attacker that is targeting a specific user will probably choose to pursue regardless.
