“The ‘Evil Maid’, in the Hotel Room, with a Bootloader”


If you have never heard of “Evil Maid” attacks, this form of security exploit, which has a very catchy and unusual name, has in fact been around for many years. The term “Evil Maid” attack is believed to have been coined by Joanna Rutkowska as early as 2009. An “Evil Maid” attack unfolds just like a scene from a spy movie: an unattended computing or electronic device is targeted, and an ‘evil maid’, an attacker who manages to gain access to the device, tampers with it. Even when an owner keeps data confidential with disk encryption, encryption still leaves attack vectors open for targeted attacks if the attacker can gain physical access to the computer, as in the “Evil Maid” attack.


Our lives could be a living, breathing spy movie!

In an “Evil Maid” attack, the ‘Evil Maid’ (a.k.a. the attacker) who has gained access to the victim’s unattended device tampers with the computer to compromise the platform that executes the encryption and decryption functions. Fraunhofer Security Test Lab describes how the attacker could modify software on the computer, or even its hardware, for instance by installing a hardware keylogger to obtain passwords. This way the attacker could gain access to confidential data, or even compromise the entire operating system multiple times, without the owner’s knowledge.

Extra: Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users’ keystrokes, including sensitive passwords.


In terms of a spy movie plot, here’s how a scene for an “Evil Maid” attack might play out:

A high-profile Chief Executive Officer (CEO) is staying overseas in a hotel for a conference. In the evening he decides to go out to dinner for a little networking and leaves his computing device unattended in the hotel room, assured that all the private and confidential corporate data on it is secure because the hard drive is encrypted. With confidence, the CEO leaves the room.

This is when the ‘Evil Maid’ (who is actually a corporate infiltrator involved in industrial espionage) sneaks into the CEO’s room and boots up his computing device from a compromised bootloader on a USB stick. The ‘Evil Maid’ then installs a keylogger to capture the CEO’s encryption key and shuts the laptop back down.

The CEO returns from dinner and boots up his computing device. Not suspecting that anything has happened, he enters his encryption key to unlock the device’s disk drive. The next morning while the CEO is out for breakfast, the ‘Evil Maid’ returns, retrieves the CEO’s encryption key and slips away unnoticed, just like in the spy movies.


The main objective of this type of attack is to steal and sell valuable corporate data or to make changes to the computing device’s software. No matter the reason for the attack, the laptop has already been compromised by an unauthorized person without detection.

Full Disk Encryption (FDE) software is often marketed as a solution that uses strong encryption algorithms to ensure that sensitive information is not exposed if one of the organisation’s laptops is lost or stolen. Even so, FDE can no longer be counted on to protect the electronic device once the ‘Evil Maid’ has physically accessed it.

Extra: Full Disk Encryption is encryption at the hardware level. It works by automatically converting data on a hard drive into a form that cannot be understood by anyone who does not have the key to ‘undo’ the conversion.
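With software disk encryption, the boot code that asks for the passphrase has to sit on the disk unencrypted, which is what the bootloader tampering in the scenario above relies on. The following is an added example, not part of the original article: a tamper check that hashes the boot files and compares them with an authenticated baseline. It assumes the baseline and its HMAC key are kept on media the owner carries and that the check is run from trusted media; the directory, file names and key are constructed for the demo.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(boot_dir):
    """Map each file under boot_dir (relative path) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(boot_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, boot_dir).replace(os.sep, "/")] = digest
    return digests

def seal(manifest, key):
    """Serialize the manifest and append an HMAC-SHA256 tag over it."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def open_sealed(blob, key):
    """Verify the tag before trusting the baseline; ValueError on mismatch."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline manifest failed authentication")
    return json.loads(body)

def compare(baseline, current):
    """Report boot files that changed, appeared or vanished since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed sample: a temp dir stands in for the unencrypted boot partition."""
    key = b"constructed-demo-key"  # assumption: the real key never lives on the device
    def write(boot, rel, data):
        with open(os.path.join(boot, rel), "wb") as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as boot:
        os.mkdir(os.path.join(boot, "grub"))
        write(boot, "vmlinuz", b"kernel-v1")
        write(boot, "grub/core.img", b"loader-v1")
        sealed = seal(snapshot(boot), key)  # baseline taken while known-good
        write(boot, "grub/core.img", b"loader-v2")  # simulated tampering
        write(boot, "grub/extra.mod", b"new-file")
        return compare(open_sealed(sealed, key), snapshot(boot))

if __name__ == "__main__":
    print(demo())
```

A check like this only covers files on disk; it does not detect hardware keyloggers or firmware changes.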


The “Evil Maid” in recent news

While “Evil Maid” attacks have been around for a fair amount of time, of late they have resurfaced in the news after a notable mention by The Verge. For a security exploit once thought of as difficult to counter, a company called Metasensor has released an interesting approach to the problem.



Metasensor is developing a nifty portable security system named the Sensor-1 that fits in the palm of your hand. Place the Bluetooth-powered Sensor-1 on the items you want to protect and it detects real-time changes in the motion and orientation of your device, alerting you through the smartphone application when your important items move. It will not stop the attacker from planting the virus per se, but the user will be aware of any movement of their electronic devices. Metasensor’s Sensor-1 has already attracted the interest of The Verge, Mashable, SlashGear and other press sources. While the Sensor-1 is still being crowdfunded on Indiegogo, the product is considered very useful not just as a preventive solution for “Evil Maid” attacks, but also for other items you want to protect.

The Aletha mobile app allows you to set how and when the Sensor-1’s alarm goes off, which includes preset settings for specific objects. (Source: Mashable)


