“Evil maid attack”的意思、由来-开放百科全书

An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device, or the data on it.

The name refers to the scenario where a maid could subvert a device left unattended in a hotel room – but the concept itself also applies to situations such as a device being intercepted while in transit, or taken away temporarily by airport or law enforcement personnel.

Overview

Origin

In a 2009 blog post, security analyst Joanna Rutkowska coined the term "Evil Maid Attack"; due to hotel rooms being a common place where devices are left unattended.^[1]^[2] The post detailed a method for compromising the firmware on an unattended computer via an external USB flash drive – and therefore bypassing TrueCrypt disk encryption.^[2]

D. Defreez, a computer security professional, first mentioned the possibility of an evil maid attack on Android smartphones in 2011.^[1] He talked about the WhisperCore Android distribution and its ability to provide disk encryption for Androids.^[1]

Notability

In 2007, former U.S. Commerce Secretary Carlos Gutierrez was allegedly targeted by an evil maid attack during a business trip to China.^[3] He left his computer unattended during a trade talk in Beijing, and he suspected that his device had been compromised.^[3] Although the allegations have yet to be confirmed or denied, the incident caused the U.S. government to be more wary of physical attacks.^[3]

In 2009, Symantec CTO Mark Bregman was advised by several U.S. agencies to leave his devices in the U.S. before travelling to China.^[4] He was instructed to buy new ones before leaving and dispose of them when he returned so that any physical attempts to retrieve data would be ineffective.^[4]

Methods of attack

Classic evil maid

The attack begins when the victim leaves their device unattended.^[5] The attacker can then proceed to tamper with the system. If the victim does not have password protection or authentication on their computer, an intruder can turn on the computer and immediately access the victim's information.^[6] However, if the device is password protected, as with full disk encryption, the firmware of the device needs to be compromised, usually done with an external drive.^[6] The compromised firmware often provides the victim with a fake password prompt identical to the original.^[6] Once the password is input, the compromised firmware sends the password to the attacker and removes itself after a reboot.^[6] In order to successfully complete the attack, the attacker must return to the device once it has been unattended a second time to steal the now-accessible data.^[5]

Another method of attack is through a DMA attack in which an attacker accesses the victim's information through hardware devices that connect directly to the physical address space.^[6] The attacker simply needs to connect to the hardware device in order to access the information.

Network evil maid

An evil maid attack can also be done by replacing the victim's device with an identical device.^[1] If the original device has a bootloader password, then the attacker only needs to acquire a device with an identical bootloader password input screen.^[1] If the device has a lock screen, however, the process becomes more difficult as the attacker must acquire the background picture to put on the lock screen of the mimicking device.^[1] In either case, when the victim inputs their password on the false device, the device sends the password to the attacker, who is in possession of the original device.^[1] The attacker can then access the victim's data.^[1]

Vulnerable interfaces

Legacy BIOS

Unified Extensible Firmware Interface

Full disk encryption systems

Many full disk encryption systems, such as TrueCrypt and PGP Whole Disk Encryption, are susceptible to evil maid attacks due to their inability to authenticate themselves to the user.^[8] An attacker can still modify disk contents despite the device being powered off and encrypted.^[8] The attacker can modify the encryption system's loader codes to steal passwords from the victim.^[8]

Any unattended device

Any unattended device can be vulnerable to a network evil maid attack.^[1] If the attacker knows the victim's device well enough, they can replace the victim's device with an identical model with a password-stealing mechanism.^[1] Thus, when the victim inputs their password, the attacker will instantly be notified of it and be able to access the stolen device's information.^[1]

Mitigation

Detection

One approach is to detect that someone is close to, or handling the unattended device.

Proximity alarms, motion detector alarms, and wireless cameras, can be used to alert the victim when an attacker is nearby their device, thereby nullifying the surprise factor of an evil maid attack.^[9] The "Haven" Android app was created in 2017 by Edward Snowden to do such monitoring, and transmit the results to the user's smartphone.^[10]

In the absence of the above, tamper-evident technology of various kinds can be used to detect whether the device has been taken apart – including the low-cost solution of putting glitter over the screw holes.^[11]

After an attack has been suspected, the victim can have their device checked to see if any malware was installed, but this is challenging. Suggested approaches are checking the hashes of selected disk sectors and partitions.^[2]

Prevention

If the device is under surveillance at all times, an attacker cannot perform an evil maid attack.^[9] If left unattended, the device may also be placed inside a lockbox so that an attacker will not have physical access to it.^[9] However, there will be situations, such as a device being taken away temporarily by airport or law enforcement personnel where this is not practical.

Basic security measures such as having the latest up-to-date firmware and shutting down the device before leaving it unattended prevent an attack from exploiting vulnerabilities in legacy architecture and allowing external devices into open ports, respectively.^[5]

CPU-based disk encryption systems, such as TRESOR and Loop-Amnesia, prevent data from being vulnerable to a DMA attack by ensuring it does not leak into system memory.^[12]

See also

References

1. ^¹²³⁴⁵⁶⁷⁸⁹¹⁰¹¹{{Cite web|url=http://isyou.info/jowua/papers/jowua-v5n1-4.pdf|title=Analysing Android's Full Disk Encryption Feature|last=Gotzfried|first=Johannes|last2=Muller|first2=Tilo|date=|website=Innovative Information Science And Technology Research Group|archive-url=|archive-date=|dead-url=|access-date=October 29, 2018}}
2. ^¹²{{Cite web|url=http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html|title=The Invisible Things Lab's blog: Evil Maid goes after TrueCrypt!|last=Rutkowska|first=Joanna|date=2009-10-16|website=The Invisible Things Lab's blog|access-date=2018-10-30}}
3. ^¹²{{Cite news|url=http://www.nbcnews.com/id/24880526/ns/us_news-security/t/did-chinese-hack-cabinet-secretarys-laptop/|title=Did Chinese hack Cabinet secretary’s laptop?|date=2008-05-29|work=msnbc.com|access-date=2018-10-30|language=en}}
4. ^¹{{Cite news|url=https://www.zdnet.com/article/evil-maid-usb-stick-attack-keylogs-truecrypt-passphrases/|title='Evil Maid' USB stick attack keylogs TrueCrypt passphrases {{!}} ZDNet|last=Danchev|first=Dancho|work=ZDNet|access-date=2018-10-30|language=en}}
5. ^¹²{{Cite web|url=http://images.secure.f-secure.com/Web/FSecure/%7B319382b2-a040-4c88-bd94-20eed01bf22f%7D_F-Secure-Evil-Maid-Guide.pdf?_ga=2.108141442.1259543769.1518690658-1494122846.1518690658|title=F-Secure's Guide to Evil Maid Attacks|last=|first=|date=|website=F-Secure|archive-url=|archive-date=|dead-url=|access-date=October 29, 2018}}
6. ^¹²³⁴{{Cite web|url=https://lwn.net/Articles/651021/|title=Thwarting the "evil maid" [LWN.net]|website=lwn.net|access-date=2018-10-30}}
7. ^¹²³⁴⁵⁶⁷⁸{{Cite web|url=https://cansecwest.com/slides/2013/Evil%20Maid%20Just%20Got%20Angrier.pdf|title=Evil Maid Just Got Angrier|last=Bulygin|first=Yuriy|date=2013|website=CanSecWest|archive-url=|archive-date=|dead-url=|access-date=October 29, 2018}}
8. ^¹²³{{Cite book|last=Tereshkin|first=Alexander|date=2010-09-07|chapter=Evil maid goes after PGP whole disk encryption|chapter-url=http://dl.acm.org/citation.cfm?id=1854099.1854103|publisher=ACM|pages=2|doi=10.1145/1854099.1854103|isbn=9781450302340|title=Proceedings of the 3rd international conference on Security of information and networks - SIN '10}}
9. ^¹²{{Cite news|url=https://www.zdnet.com/article/evil-maid-usb-stick-attack-keylogs-truecrypt-passphrases/|title='Evil Maid' USB stick attack keylogs TrueCrypt passphrases {{!}} ZDNet|last=Danchev|first=Dancho|work=ZDNet|access-date=2018-10-30|language=en}}
10. ^{{Cite news|url=https://wccftech.com/nsa-snowden-turn-phone-guard-dog/|title=Edward Snowden Now Helps You Turn Your Phone into a "Guard Dog"|last=Shaikh|first=Rafia|date=2017-12-22|work=Wccftech|access-date=2018-10-30|language=en-US}}
11. ^{{Cite news|url=https://cyware.com/news/evil-maid-attacks-could-allow-cybercriminals-to-install-a-firmware-backdoor-on-a-device-in-just-minutes-98496c75|title=Evil Maid attacks could allow cybercriminals to install a firmware backdoor on a device in just minutes {{!}} Cyware|work=Cyware|access-date=2018-10-30|language=en}}
12. ^{{Cite book|last=Blass|first=Erik-Oliver|last2=Robertson|first2=William|date=2012-12-03|title=TRESOR-HUNT: attacking CPU-bound encryption|url=http://dl.acm.org/citation.cfm?id=2420950.2420961|publisher=ACM|pages=71–78|doi=10.1145/2420950.2420961|isbn=9781450313124}}
13. ^¹{{Cite web|url=https://pdfs.semanticscholar.org/a9b3/3811f30c4986bc1071b10bbd30003d163333.pdf|title=Intel x86 considered harmful|last=Rutkowska|first=Joanna|date=October 2015|website=|archive-url=|archive-date=|dead-url=|access-date=October 29, 2018}}