{"id":28470,"date":"2020-12-05T02:27:15","date_gmt":"2020-12-04T15:27:15","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/evil-maid-attack\/28470\/"},"modified":"2020-12-05T02:27:15","modified_gmt":"2020-12-04T15:27:15","slug":"evil-maid-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/evil-maid-attack\/28470\/","title":{"rendered":"How to avert an evil-maid attack"},"content":{"rendered":"<p>An <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/evil-maid\/\" target=\"_blank\" rel=\"noopener noreferrer\">evil-maid attack<\/a> is just about the most primitive type of attack there is, but it\u2019s also one of the most unpleasant. Preying on unattended devices, the \u201cevil maid\u201d tries to steal secret information or install spyware or remote access tools to gain access to the corporate network. Here\u2019s how to stay safe from intruder actions.<\/p>\n<h2>Classic example<\/h2>\n<p>In December 2007, a delegation from the US Department of Commerce traveled to Beijing for talks on a joint counterpiracy strategy. On return to the US, however, the commerce secretary\u2019s laptop <a href=\"https:\/\/www.nbcnews.com\/id\/wbna24880526\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">contained spyware<\/a> whose installation would have required physical access to the computer. The owner of the laptop said he\u2019d had the device with him at all times during the negotiations, and had left it in his hotel room \u2014 in the safe \u2014 only while dining downstairs.<\/p>\n<p>In theory, a pro can compromise a device in 3 to 4 minutes, but that sort of thing tends to occur when the computer is left unattended and unlocked (or not password-protected). But even with basic security measures in place, an evil-maid attack still has a chance.<\/p>\n<h2>How attackers gain access to information<\/h2>\n<p>Loads of ways exist to get to critical information. 
They depend on the age of the computer and the security software on it. For example, older machines that do not support Secure Boot are bootable from external drives and therefore are defenseless against evil-maid attacks. Modern PCs tend to come with Secure Boot activated by default.<\/p>\n<p>Communication ports that support fast data exchange or direct interaction with device memory can serve as siphons for extracting personal or corporate secrets. Thunderbolt, for example, achieves its high speed of data transmission through direct access to memory \u2014 which opens the door to evil-maid attacks.<\/p>\n<p>Last spring, computer security expert Bj\u00f6rn Ruytenberg <a href=\"https:\/\/thunderspy.io\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">shared a way he\u2019d found to hack any Thunderbolt-enabled Windows or Linux device<\/a>, even one that is locked and has connections from unfamiliar devices through external ports disabled. Ruytenberg\u2019s method, dubbed Thunderspy, assumes physical access to the gadget and involves rewriting the firmware of the controller.<\/p>\n<p>Thunderspy requires the attacker to reprogram the Thunderbolt chip with their version of the firmware. The new firmware disables built-in protection, and the attacker gains full control over the device.<\/p>\n<p>In theory, the Kernel Direct Memory Access Protection policy patches the vulnerability, but not everyone uses it (and those with Windows versions prior to 10 couldn\u2019t). However, Intel announced a solution to the problem: Thunderbolt 4.<\/p>\n<p>Good old USB can also serve as an attack channel. A miniature device, inserted into a USB port, becomes active when the user turns on the computer and executes a BadUSB attack.<\/p>\n<p>If the information they\u2019re after is particularly valuable, cybercriminals might even attempt the difficult and costly task of stealing the device and replacing it with a similar one that already contains spyware. 
Sure, the spoofing will be revealed soon enough, but most likely not until after the victim enters their password. Fortunately, as we said, pulling off that switch is both difficult and expensive.<\/p>\n<h2>How to minimize your risk<\/h2>\n<p>The easiest and most reliable way to guard against evil-maid attacks is to keep your device where only you can access it. Don\u2019t leave it in a hotel room if you can help it, for example. If your employees have to go on business trips with work laptops, however, here are some steps you can take to mitigate the risk:<\/p>\n<ul>\n<li>Deploy temporary laptops with no access to critical corporate systems or work data, and then format the hard drive and reinstall the operating system after each trip;<\/li>\n<li>Require employees to turn off work laptops that must be left unattended;<\/li>\n<li>Encrypt the hard drives of any computers that leave the office building;<\/li>\n<li>Use security solutions that block suspicious outgoing traffic;<\/li>\n<li>Ensure your security solution detects BadUSB attacks (<a href=\"https:\/\/www.kaspersky.com.au\/small-to-medium-business-security?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Endpoint Security for Business<\/a> does);<\/li>\n<li>Update all software, especially the operating system, in a timely manner;<\/li>\n<li>Restrict direct access to device memory through FireWire, Thunderbolt, PCI, and PCI Express ports on every device that allows it.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Protect your corporate computer from unauthorized physical 
access.<\/p>\n","protected":false},"author":2411,"featured_media":28471,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993,2994],"tags":[312,3378,3379],"class_list":{"0":"post-28470","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-attack","11":"tag-thunderbolt","12":"tag-unauthorized-access"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/evil-maid-attack\/28470\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/evil-maid-attack\/22173\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/evil-maid-attack\/17650\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/evil-maid-attack\/23811\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/evil-maid-attack\/21895\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/evil-maid-attack\/20706\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/evil-maid-attack\/24360\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/evil-maid-attack\/23552\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/evil-maid-attack\/29588\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/evil-maid-attack\/9137\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/evil-maid-attack\/37901\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/evil-maid-attack\/16092\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/evil-maid-attack\/14257\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/evil-maid-attack\/25897\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/evil-maid-attack\/12347\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/evil-maid-attack\/29732\/"},{"hreflang":"nl","url":"https:
\/\/www.kaspersky.nl\/blog\/evil-maid-attack\/26468\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/evil-maid-attack\/23135\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/evil-maid-attack\/28286\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/attack\/","name":"attack"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/28470","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2411"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=28470"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/28470\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/28471"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=28470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=28470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=28470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}