Simon Says – Musings of a Technology CTO

Last month Joanna Rutkowska posted a very interesting article showing a practical “Evil Maid” attack against the open-source TrueCrypt FDE product.  The attack is reasonably simple, subvert the pre-boot authentication engine of the full-disk encryption product in question to add a password-sniffing routine, then wait for the unsuspecting user to authenticate to their machine and then retrieve the credentials at a later stage.

Evil Maid is simply hooking the pre-boot code of TrueCrypt and adding a routine to store the users password. Because the TrueCrypt code is quite simple, it’s a relatively easy thing to do, but the attack is theoretically valid regardless of this fact, just the effort to make the hook code increases with the sophistication of the pre-boot environment.

What Joanna shows, is that if you let your machine out of your sight, it may not be your machine any more. Evil Maid requires though a series of interactions. The Maid has to:

1. Get access to your machine without you knowning

2. Get you to login to your machine and use it

3. Get access to your machine for a 2nd time to retrieve the password.

Obviously the next generation of attack would be far more useful if it was sophisticated enough to cause your machine to send the password off over the network the next time it booted up. This may seem impossible, but think about it this way – companies like Computrace are already causing the re-installation and network connectivity of their PC tracking software through a BIOS hook, so it’s already been proven that a simple, out-of-band BIOS loader is enough to drive the activation of a full network aware product.

So how can you protect yourself from this kind of attack? Obviously the easiest route is not to let your machine out of your sight, but I can appreciate that’s not very practical advice. Trusted Root technology has some potential here, but even that does not provide strong protection as Joanna spells out. The best route at the moment may be simply to detect the presence of the Maid on boot, for example with something like McAfee AV which already has rules to detect Evil Maid, and variants.

Of course, if it’s clever enough, it should be able to hide itself from any OS initiated scan…

PS – I should add that McAfee are doing some interesting work with Intel, and the hardware encryption capable hard drive vendors which may mitigate these attacks completely. By storing the boot environment on a read-only area of the disk, and making the disk-proper only accessible after correct authentication, we could completely remove any possibility of installing the Trojan in the first place.