An evil maid attack targets an unattended device. An attacker with brief physical access makes changes that are hard to detect so that they can get into the device, or the data stored on it, later.
The attack got its somewhat derogatory name from the scenario where a hotel maid could access an unattended device while cleaning a room. Note, though, that the concept can also occur in situations where a device is temporarily taken away from its owner, such as by airport personnel or law enforcement agents.
Evil maid attacks may look like something out of a movie, but they are practical and can have dire consequences. The following scenario, taken from a video on the attack, shows how one plays out:
A businessman leaves his laptop in his hotel room to get drinks with a client who has just invested in the product he is selling. The attackers bribe a hotel maid to copy his hard drive and plant malware on the unattended computer. Before his company can launch the product, a copy is already on sale on the black market. The businessman, his company, and their investors are all victims of an evil maid attack.
When Was the Term “Evil Maid Attack” Coined?
The term was coined in 2009 by security researcher Joanna Rutkowska in a blog post, named after the hotel-room scenario in which devices are so often left unattended. She used it to describe booting an unattended computer from a Universal Serial Bus (USB) flash drive and replacing the unencrypted TrueCrypt boot loader with one that records the passphrase the owner types at the next boot, which let the attacker bypass TrueCrypt disk encryption without breaking it.
In 2011, D. Defreez was the first to point out that the same attack applies to Android smartphones, in the context of the WhisperCore Android distribution and its ability to encrypt such devices' disks.
What Are Some Evil Maid Attack Examples?
Former U.S. Commerce Secretary Carlos Gutierrez was allegedly the target of an evil maid attack while traveling to China in 2007. That incident caused the U.S. government to become warier of so-called "physical attacks."
Another notable example occurred in 2009, when Symantec CTO Mark Bregman was advised by several U.S. agencies to leave his devices at home before traveling to China.
What Are the Types of Evil Maid Attacks?
There are two kinds of evil maid attacks: classic and network. Both are described below.
Classic Evil Maid Attack
A classic evil maid attack starts when the victim leaves a device unattended. If the device is not password-protected or uses no other form of authentication, the attacker can tamper with it directly. Password-protected and encrypted devices are not safe either: disk encryption protects the data at rest, but the code that asks for the password (the boot loader or firmware) lives outside the encrypted volume and can be replaced by booting from an external drive. The modified firmware then shows the victim a fake password prompt. When the victim types the password, the modified firmware records it or sends it to the attacker, and the malicious code removes itself on the next reboot. To complete the attack, the threat actor returns the next time the device is left unattended and uses the captured password to steal data.
Another way to perform a classic evil maid attack is a direct memory access (DMA) attack. Here the attacker plugs hardware into a port that allows direct access to system memory and reads the victim's information, including encryption keys held in RAM, without needing the password at all.
Network Evil Maid Attack
In some cases, threat actors perform an evil maid attack by swapping the victim's device for an identical-looking one. Network evil maid attacks work when the victim's device has a boot loader password: the decoy only needs to show the same password prompt. When the victim types the password into the decoy, it is sent over the network to the attacker, who can then use it on the real device to access the data on it.
Device swaps of this kind are a staple of films such as "Mission: Impossible."
What Can You Do to Prevent Evil Maid Attacks?
Users with strictly confidential information on their computers and smartphones are prime targets for evil maid attackers. They can reduce the risk of becoming victims by following these best practices:
- Avoid leaving devices unattended where strangers can access them.
- Use strong passwords and a short lock-screen timeout.
- Encrypt your device's entire disk, and remember that the boot loader and firmware sit outside the encrypted volume and still need protecting.
- Update system software and device drivers regularly.
- If possible, configure the firmware (BIOS/UEFI) to block direct memory access through ports such as FireWire, Thunderbolt, Peripheral Component Interconnect (PCI), and PCI Express.
- Set a firmware (BIOS/UEFI) password so the boot order and other settings cannot be changed without it.
- Check your devices for keyloggers, Trojans, and other malware regularly.
- Where available, use tamper-detection sensors, such as touch, movement, weight, and pressure sensors, as an additional layer of security.
- Avoid plugging in unknown peripherals or anything else you can connect to your devices.
- Set up alerts for changes to your devices' hardware and to the parts of the disk that cannot be encrypted, such as the boot partition.
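The last two practices can be combined into a concrete check for the classic attack described above. The following is an added example, not code from the original article: it records a baseline of SHA-256 hashes for every file on the unencrypted boot partition, then compares a fresh scan against that baseline and reports added, removed and modified files. Because a maid who can rewrite the boot partition could just as easily rewrite a baseline stored next to it, the manifest is authenticated with an HMAC whose key is derived from a passphrase the owner types, so a forged manifest is rejected. The boot-file names in the demo are constructed stand-ins, and the passphrase, PBKDF2 round count and the idea of keeping the manifest on a USB stick you carry with you are assumptions.

```python
"""Baseline-and-verify integrity check for an unencrypted boot partition.

Added example (not from the original article). File names under the fake
boot directory are constructed stand-ins; the passphrase and the PBKDF2
round count are assumptions.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware


def hash_file(path: Path) -> str:
    """SHA-256 of one file, streamed so large kernels and initrds are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the owner's passphrase into an HMAC key (never stored on disk)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def sign_manifest(files: dict, passphrase: str) -> dict:
    """Wrap the file map in a manifest carrying a random salt and an HMAC tag."""
    salt = os.urandom(16)
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(derive_key(passphrase, salt), body, "sha256").hexdigest()
    return {"salt": salt.hex(), "files": files, "hmac": tag}


def verify_manifest(manifest: dict, passphrase: str) -> bool:
    """Reject a manifest whose tag does not match: it was edited, or the passphrase is wrong."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    key = derive_key(passphrase, bytes.fromhex(manifest["salt"]))
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def diff(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def check_boot(root: Path, manifest: dict, passphrase: str) -> dict:
    """Full check: authenticate the manifest first, then compare it to a fresh scan."""
    if not verify_manifest(manifest, passphrase):
        raise ValueError("manifest HMAC mismatch: baseline tampered with or wrong passphrase")
    return diff(manifest["files"], scan(root))


def demo() -> dict:
    """Constructed scenario: a fake EFI partition is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        (boot / "EFI/BOOT").mkdir(parents=True)
        (boot / "EFI/BOOT/BOOTX64.EFI").write_bytes(b"\x4d\x5a" + b"\x00" * 64)  # constructed
        (boot / "EFI/BOOT/grubx64.efi").write_bytes(b"\x4d\x5a" + b"\x01" * 64)  # constructed
        (boot / "vmlinuz").write_bytes(b"kernel-image-bytes")  # constructed
        passphrase = "correct horse battery staple"  # assumption: typed by the owner
        baseline = sign_manifest(scan(boot), passphrase)

        # Clean check right after baselining: nothing has changed.
        clean = check_boot(boot, baseline, passphrase)

        # The evil maid's visit: patch the boot loader and drop an extra module.
        (boot / "EFI/BOOT/grubx64.efi").write_bytes(b"\x4d\x5a" + b"\x02" * 64)
        (boot / "EFI/BOOT/keylog.mod").write_bytes(b"fake-password-prompt")
        tampered = check_boot(boot, baseline, passphrase)

        # The attacker also rewrites the stored file map to match: the tag no longer verifies.
        forged = dict(baseline, files=scan(boot))
        forged_ok = verify_manifest(forged, passphrase)

    return {"clean": clean, "tampered": tampered, "forged_manifest_accepted": forged_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline step once from a known-good state and keep the resulting JSON off the device (for example on a USB stick that stays with you); run the check at every boot before typing the disk-encryption password, and treat any non-empty list as a reason not to. The check only covers the files it can see, so it does not detect a replaced firmware image or a hardware implant; those need the firmware password, DMA restrictions and tamper sensors from the list above.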
While you should not believe everything you see in movies, evil maid attacks are real and can have serious consequences.