Defending from the Evil Maid Attack
Assume I have an encrypted hard drive in my laptop. I’d like to be able to keep my data secure in the case that I lose physical control over the laptop (i.e. a malicious agent gains access to it), assuming that the malicious agent can perform software attacks but not hardware attacks.
There are two attack vectors I know of: the boot sector and the BIOS. In the Evil Maid Attack, the agent overwrites your bootloader or reflashes your BIOS, and copies all your encrypted data. When you boot up, the malicious software recordes your encryption passphrase and ultimately makes it available to the agent. Now, the agent can decrypt your data.
The boot sector attack vector can be defended by booting from a USB drive that you maintain physical control over.
What about the BIOS attack? I’m not sure how sophisticated a BIOS-based attack can be. For example, would it work to always boot from the trusted USB, reflash the BIOS, and then proceed as normal? Or, could the infected BIOS “pretend” to be reflashed, when it isn’t really?
If we actually operate with an infected BIOS, what kind of attacks can be done? Can the BIOS keylog? (I would assume so.) If so, can it send the log out over the network to the agent, or would the agent need to gain physical access to the computer a second time to retrieve the log?
It seems that answering these questions should be pretty important to travellers. I would assume an *actual* maid (or other malicious agent) could typically carry out any form of software attack (given instructions by some sort of black hat), but not a hardware attack, so there’s a solid “use case”. I haven’t found answers yet, though I have no doubt they’re out there. An LWN comment (which may be behind a paywall, let me know) suggests that the BIOS attack vector is indefensible, but little information is provided.
Intresting idea. I would doubt that the BIOS would be able to send any keylog out over the internet. I wouldn’t think the BIOS has the space (on the EEPROM chip) it support a kernel with a TCP/IP stack. But it may, perhaps on newer computers, or you may be able to hook into the running kernel and get it to run it somehow.
If you’re worried about someone overwriting your BIOS, you can simply use a regular ROM chip. I’m betting it would actually be pretty easy to get a non-EEPROM chip, program your desired BIOS onto it, and stick it in the motherboard. Then again, the attacker could also do that, but with the compromised bios flashed onto the chip.
My suggestion of a way to somewhat protect against it: Get a Trusted Platform Module (TPM, which may be a good topic for another post, either yours or mine). Get a special USB or ExpressCard or something token. When the computer boots up, the TPM takes over. It looks for your hardware token, and does a 2-way RSA or ECC handshakes of sorts. So, both the TPM and the Auth token are verified to each other. Perhaps the token could have a light that is red for a failed exchange, and green for a good one. Then the TPM could either do a SHA2 hash of the hard drive and send the auth token the results, or just dercypt the entire drive with a key stored on the auth token or the TPM itself. It could also presumably do a hash of the BIOS and see if it has been modified.
If someone monkies with the computer, they would have to remove your TPM, compromise it’s private key (which is burned into the hardware when it’s build, and presumably very hard) to be effective. If all the disk encryption/decryption was done in the TPM also, it would protect against cold boot attacks as well, since your decrpytion key is not stored anywhere in (main system) memory.
Or, if you don’t want to spend millions developing some new hardwares and softwares, store all your important files on a USB key. Encrypt it, and keep it on your person at all times. Only use it on computers that you know are secure. Don’t use it on computers that are connected to the internet
.
But, even then, all this could be easily defeated by a keystroke logger hardware the connects to the keyboard. I can have the keyboard disconnected and off of my thinkpad within two minutes. Just add a logger onto the ribbon cable, and you could use ultra-wideband or something to retrieve the logs remotely, which would be very difficult to detect. If you’re using hardware tokens for authentication, then you would never enter a decryption key or password, but an attacker would still potentially get sensitive information.
Bottom line: If you don’t have physical security, then you don’t have system/data security. The hardware security needs to be balanced with the technical security of the system, otherwise the extra work on one of the two will be useless.
On another, unrelated side note: I was thinking of ordering my current laptop with a X509 smartcard reader. Then ordering up some smartcards and using that for system authentication, perhaps as one of a two factor authentication system, with a password (or add biometrics for strong, three factor). Never got around it. Might on my next system, we’ll see.
Thanks for the extensive thoughts
Of course, you’re right that if you lose physical security over the machine, you can no longer guarantee data security. However, I want to have a practical solution for travelling with a laptop, recognizing that I cannot gurantee absolute physical security. If my practical solution is “good enough,” I will continue travelling with confidential data on my laptop or person (depending on the security mechanism used); otherwise, I won’t.
I am willing to assume that hardware attacks won’t happen. Yes, if the CIA were after me, they would. However, I don’t expect evil maids and crooked TSA personnell who want to steal my credit card to be up to the task of hardware hacking. I just want to make sure I’m safe from them in a software sense.
Given this scenario (using my laptop), putting in a non-flashable BIOS is not an option; nor is using TPM. (I would like to see you do a post on that though; I know little about it.)
Keeping my bootloader on a USB is secure if I assume that BIOS attacks are not sophisticated enough to steal my data off the running computer. Which is probably a safe assumption and what I’ll go with.
What would be ideal would be to buy an extra laptop HDD, load an OS onto it, and keep that in my laptop whenever I leave it in suspicious hands. Keep my “real” HDD on me. But I’ve heard that TSA and suchlike can just take extra HDDs if you have them. Even if I had it encrypted, I’d then lose all my data.
That’s an alright plan – assuming you need plausible deniability for some reason. I’m not really sure why you would in this country unless you’re super-paranoid.
You could concivably put GURB on a usb disk and use that to boot the encrypted partition. Wouldn’t require the disk to be in the computer after you boot up.
I’ll try to do a article on TPM later, but I don’t know all the much about them right now. But it is a topic I need to research, so I might as well write about it.
As far as loosing your data – you are doing backups, right
. I don’t do backups like I should, I know, but I do have a couple of copies of the “mission-critical” stuff in various places. I really need to get a formal system to do it.
[...] worth it unless you really want to (mostly) defend against the Evil Made Attack, which I’ve written about before. I’m not that paranoid. Additionally, there is concern about /tmp. If you set up /tmp to be a [...]