October 19th, 2009
'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Security researcher Joanna Rutkowska has released a PoC (proof of concept) of a keylogger that is capable of logging TrueCrypt’s disk encryption passphrase enabling the attacker to successfully decrypt the hard drive’s content.
Dubbed, the ‘evil maid’ attack due to its ‘plug-and-exploit’ functionality requiring 1-2 minutes for the infection process to the take place, works with the latest TrueCrypt versions 6.0a - 6.2a.
Here’s how it works, and TrueCrypt’s response:
“So, let’s assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else. Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop’s gets infected with Evil Maid Sniffer that will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.
So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version).”
TrueCrypt’s response to the so called ‘janitor attacks’ is pretty straight forward - as long as someone had physical access to your hardware you should assume the worst if truly paranoid. Moreover, according to the developer, the physical security of the hardware is not TrueCrypt’s problem, and that a good strongbox might offer a clue that the hardware has been tempered with in the absence of its owner.
Similar hardware-based attacks were among the main reasons why Symantec’s CTO Mark Bregman was recently advised by “three-letter agencies in the US Government” to use separate laptop and mobile device when traveling to China, citing potential hardware-based compromise.
And whereas strongboxes can improve the physical security of the laptop, there are many other alternatives to achieve better awareness on what is going on around your laptop while you’re away from your hotel room. Low-cost mobile proximity alarms are ubiquitous, however they will now raise an alarm in the case of ‘Evil Maid” attacks due to the fact that the laptop will get infected without moving it to another location. There are on the other hand much more pragmatic motion detection laptop alarm solutions, as well as portable wireless cameras with 3G connectivity in event of wireless signal jamming, taking snapshots, emailing and SMS-ing detected activity while you’re enjoying your drink.
Attacks similar to the full disk encryption ‘Evil Maid’ one, have been demonstrated against PGP Whole Disk Encryption (2007), and most recently against Utimaco SafeGuard Easy v4.5.x, once again emphasizing on the importance of physical security.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
