Full-disk encryption is often heralded as a panacea for the huge problems of data breaches and laptop thefts, and with good reason. Making the data on a laptop or other device unreadable makes the machine far less attractive or valuable to a thief. However, researchers are showing that this solution has its share of weaknesses, too.

Joanna Rutkowska, a security researcher known mostly for her work on low-level rootkits and virtualization, has published a tool that enables an attacker to boot a protected laptop from a USB drive, record the encryption tool’s passphrase and then decrypt its contents without trouble. Known as Evil Maid, the attack is simple enough, Rutkowska said, to be pulled off by a hotel housekeeper, and it is effective against TrueCrypt.

The attack works like this: A laptop user, even one who is paranoid enough to power down his encrypted machine, leaves it alone for a few minutes. An attacker inserts the USB drive containing Evil Maid into the laptop and boots the machine from the USB drive. The tool installs a sniffer on the laptop, which will then log the encryption passphrase the next time the user enters it. The passphrase can be stored on the disk and then recovered by the attacker later.

Rutkowska said the Evil Maid tool is a very simple implementation that could be improved upon.

The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care to adjust some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the
Simple enough, and no mean feat to prevent.
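Because the tool works by rewriting the first 63 sectors of the disk, the practical defence is to know what those sectors looked like on a trusted boot and to detect any change. The following is an added example written for this page, not code from Rutkowska or the TrueCrypt project: it records a per-sector SHA-256 baseline of the boot region, reports which sectors differ later, and parses the standard MBR partition table and 0x55AA signature from sector 0. The disk image it checks is a constructed sample with filler boot code, not a real TrueCrypt loader; the function names and the 63-sector region size are this example's own choices (the region size follows the description quoted above).

```python
import hashlib
import struct

SECTOR_SIZE = 512
# The quoted description says the tool reads and rewrites the first 63 sectors
# of the primary disk, so that is the region the baseline covers (assumption).
BOOT_REGION_SECTORS = 63


def parse_mbr(sector0: bytes) -> dict:
    """Parse the classic MBR layout of sector 0: 446 bytes of boot code,
    four 16-byte partition entries, then the 0x55AA boot signature."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("sector 0 must be a full 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, (3 CHS bytes), type, (3 CHS bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # empty entries have partition type 0
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"valid_signature": sector0[510:512] == b"\x55\xaa",
            "partitions": partitions}


def sector_digests(disk_bytes: bytes) -> list:
    """Per-sector SHA-256 of the boot region. Record this on a trusted boot and
    keep it off the laptop (the attacker can rewrite anything on the disk)."""
    region = disk_bytes[:SECTOR_SIZE * BOOT_REGION_SECTORS]
    if len(region) < SECTOR_SIZE * BOOT_REGION_SECTORS:
        raise ValueError("disk image is shorter than the boot region")
    return [hashlib.sha256(region[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]).hexdigest()
            for i in range(BOOT_REGION_SECTORS)]


def check_boot_region(disk_bytes: bytes, baseline: list) -> dict:
    """Compare the boot region against the stored baseline and list the sectors
    that differ. Any difference means pre-boot code was rewritten."""
    current = sector_digests(disk_bytes)
    changed = [i for i, (now, then) in enumerate(zip(current, baseline)) if now != then]
    mbr = parse_mbr(disk_bytes[:SECTOR_SIZE])
    return {"tampered": bool(changed), "changed_sectors": changed,
            "valid_signature": mbr["valid_signature"], "partitions": mbr["partitions"]}


def build_sample_image() -> bytes:
    """Constructed sample (not a real loader): 64 sectors, with a JMP stub as
    boot code, one bootable partition entry starting at LBA 63, the 0x55AA
    signature, and a deterministic filler pattern in sectors 1..63."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (446 - 3)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    sector0 = boot_code + entry + b"\x00" * 48 + b"\x55\xaa"
    rest = b"".join(bytes([i % 256]) * SECTOR_SIZE for i in range(1, 64))
    return sector0 + rest


def tamper(disk_bytes: bytes, sector: int) -> bytes:
    """Constructed 'after' image: overwrite eight bytes inside one boot-region
    sector, standing in for a rewritten loader."""
    off = sector * SECTOR_SIZE + 16
    return disk_bytes[:off] + b"\x90" * 8 + disk_bytes[off + 8:]


if __name__ == "__main__":
    clean = build_sample_image()
    baseline = sector_digests(clean)  # taken once, from a trusted boot
    print(check_boot_region(clean, baseline))             # tampered: False
    print(check_boot_region(tamper(clean, 5), baseline))  # tampered: True, sector 5
```

Two caveats follow from the attack itself: the baseline must live somewhere the laptop's disk cannot reach (a USB stick the owner keeps), and the check must be run from media the owner trusts, since a loader that has already been hooked could report whatever it likes. On a real system the 63 sectors would be read from the raw device rather than built in memory, and the baseline must be refreshed whenever the boot loader is legitimately updated.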

Categories: Cryptography

Comments (17)

  1. Dominic White

    Seriously? The “maid” has physical access to you, your computer, and living space. She could also poison your toothpaste and smack you with a wrench until you gave her the password (http://xkcd.com/538/). Those are only two options of a very long list.

  2. TheGift73

    That’s pretty worrying.

    So I’m guessing it acts as a rootkit whilst sniffing? Is there no way to prevent the program from sniffing in the first place? I’m not talking about that particular program, but anything that is recording the keystrokes/passphrase?

    I always thought TC to be pretty secure, but I guess everything has its Achilles’ heel.

  3. Waveguide

    The use of the TPM should prevent this, NO? I like the wrench approach, not very high tech but effective 🙂

  4. Anonymous

    What about power-on passwords (BIOS) and hardware-encrypted hard drives (like the ThinkPad series)?

    You can’t boot without entering the system password – and this is pre-BIOS startup!

  5. Anonymous

    Some people use keyfiles stored on thumb drives instead of passwords, can it record that as well?

  6. Dmitry Obukhov

    The solution is a self-encrypting drive. An SED allows the user to access only the shadow MBR partition with pre-boot authentication code. The shadow MBR is accessible in read-only mode. There is no way to install a key logger or other tampering code on the drive without authentication.

  7. TheGift73

    That’s an expensive workaround if you had to change all the drives on 100-plus machines. Then again, it all depends on how much people need top security.

    Still a shame that there isn’t a piece of software that can guard against this. Maybe companies like TC will have to change how the encryption itself is implemented to avoid this hole?

  8. Brian

    Guess it’s time to

    1) pull sensitive data off the hard drive,

    2) make application space read only and

    3) clean temporary storage on boot.

  9. Michael

    Dominic, while wrench-wielding maids are certainly a possibility, part of the issue here is that they can do it without you knowing it. I can imagine a lot of cases where the thief would not want the user to know that sensitive data had been stolen.

  10. Anonymous

    As others have mentioned, this attack would not work against the TPM+Hardware Encryption found in ThinkPads.

  11. Pragmatk

    Oh no! Bullshit detector triggered!

    This attack is worthless because:

    a) It’s much less effective than a generic keylogger (be that hardware or pre-boot)

    b) The wrench method is always better, or, alternatively the – until-now, but hereby revealed – very secret “camera-in-hotel-room”-method.

    c) It’s easily guarded against by using simple measures like BIOS passwords for changing the boot order configuration + setting the hard disk with a higher priority. But let’s say that the maid is so technically advanced that she knows how to (OMG! OMG!) take out a screw, pick out the laptop’s HDD and connect it to her own, effectively removing the need for a boot disk. How about STORING YOUR VOLUME HEADER AND BOOT LOADER on a USB, like TrueCrypt for Windows actually forces you to set up when you install “system partition” encryption?

    d) I think that the conclusion is that using anything but a hardware keylogger / a hidden camera / a microphone bug / a long-range laser vibration-based microphone pointed at a window / a wrench / truth serum + wrench is kind of stupid.

    That being said, it’s a cool project. Cool, but massively overhyped.

  12. afripilgrim

    “The tool installs a sniffer on the laptop, which will then log the encryption passphrase the next time the user enters it. The passphrase can be stored on the disk and then recovered by the attacker later.”

    Sure. BIOS and hard disk passwords prevent that. If the maid can take out the CMOS battery to reset BIOS settings, no password, there’s still the hard disk password – copy the encrypted partitions to another hard disk, but then how to get the user to type the password?

    As has been said, what about those who use USB keys instead of passwords?

  13. Anonymous

    While I appreciate and largely agree with previous posters re: wrenches, two-factor auth, BIOS boot order / disabling, and other such things… you know that, and I know that, but I believe the point of pointing out such flaws is for the 99% of the population that believes they can flip one FotM security switch, forget about it, and be Perfectly Safe.
