How to avert an evil-maid attack

An evil-maid attack is just about the most primitive type of attack there is, but it’s also one of the most unpleasant. Preying on unattended devices, the “evil maid” tries to steal secret information or install spyware or remote access tools to gain access to the corporate network. Here’s how to stay safe from intruder actions.

Classic example

In December 2007, a delegation from the US Department of Commerce traveled to Beijing for talks on a joint counterpiracy strategy. On return to the US, however, the commerce secretary’s laptop contained spyware whose installation would have required physical access to the computer. The owner of the laptop said he’d had the device with him at all times during the negotiations, and had left it in his hotel room — in the safe — only while dining downstairs.

In theory, a pro can compromise a device in 3 to 4 minutes, but that sort of thing tends to occur when the computer is left unattended and unlocked (or not password-protected). But even with basic security measures in place, an evil-maid attack still has a chance.

How attackers gain access to information

Loads of ways exist to get to critical information. They depend on the age of the computer and the security software on it. For example, older machines that do not support Secure Boot are bootable from external drives and therefore are defenseless against evil-maid attacks. Modern PCs tend to come with Secure Boot activated by default.

Communication ports that support fast data exchange or direct interaction with device memory can serve as siphons for extracting personal or corporate secrets. Thunderbolt, for example, achieves its high speed of data transmission through direct access to memory — which opens the door to evil-maid attacks.

Last spring, computer security expert Björn Ruytenberg shared a way he’d found to hack any Thunderbolt-enabled Windows or Linux device, even a locked one with connections from unfamiliar devices via external ports disabled. Ruytenberg’s method, dubbed Thunderspy, assumes physical access to the gadget and involves rewriting the firmware of the controller.

Thunderspy requires the attacker to reprogram the Thunderbolt chip with their version of the firmware. The new firmware disables built-in protection, and the attacker gains full control over the device.

In theory, the Kernel Direct Memory Access Protection policy patches the vulnerability, but not everyone uses it (and those with Windows versions prior to 10 couldn’t). However, Intel announced a solution to the problem: Thunderbolt 4.

Good old USB can also serve as an attack channel. A miniature device, inserted into a USB port, becomes active when the user turns on the computer and executes a BadUSB attack.

If the information they’re after is particularly valuable, cybercriminals might even attempt the difficult and costly task of stealing the device and replacing it with a similar one that already contains spyware. Sure, the spoofing will be revealed soon enough, but most likely not until after the victim enters their password. Fortunately, as we said, pulling off that switch is both difficult and expensive.

How to minimize your risk

The easiest and most reliable way to guard against evil-maid attacks is to keep your device where only you can access it. Don’t leave it in a hotel room if you can help it, for example. If your employees have to go on business trips with work laptops, however, here are some steps you can take to mitigate the risk:

  • Deploy temporary laptops with no access to critical corporate systems or work data, and then format the hard drive and reinstall the operating system after each trip;
  • Require employees to turn off work laptops that must be left unattended;
  • Encrypt the hard drives of any computers that leave the office building;
  • Use security solutions that block suspicious outgoing traffic;
  • Ensure your security solution detects BadUSB attacks (Kaspersky Endpoint Security for Business does);
  • Update all software, especially the operating system, in a timely manner;
  • Restrict direct access to device memory through FireWire, Thunderbolt, PCI, and PCI Express ports on every device that allows it.
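As an added example, not part of the original post and not Kaspersky code, the following POSIX shell script audits a Linux laptop against the items on this list that the operating system itself exposes: UEFI Secure Boot state, whether the root storage sits on an encrypted block device, whether an IOMMU is active (the Linux counterpart of the Kernel DMA Protection policy mentioned above), and the Thunderbolt security level. The sysfs paths are the ones the Linux kernel provides; the ok/warn/fail thresholds are this example's own assumptions, and the check functions take their inputs as arguments so they can be exercised with constructed values.

```shell
#!/bin/sh
# Evil-maid posture audit for a Linux laptop.
# Added example, not code from the original post. The sysfs paths are the ones
# the Linux kernel exposes; the ok/warn/fail thresholds are this example's own
# assumptions.

# Print a sysfs file's content, or nothing if the file is absent or unreadable.
read_sysfs() {
  cat "$1" 2>/dev/null || true
}

# Thunderbolt security level, as reported in
# /sys/bus/thunderbolt/devices/domain*/security:
#   none    - every device gets a PCIe tunnel (and thus DMA) without approval
#   user    - devices must be authorized (e.g. via boltd) before PCIe is tunneled
#   secure  - like user, plus a per-device key challenge on reconnect
#   dponly  - only DisplayPort tunneling, no PCIe
#   usbonly - only USB tunneling, no PCIe
check_thunderbolt_level() {
  case "$1" in
    secure|dponly|usbonly) echo ok ;;
    user)                  echo warn ;;    # acceptable once approved devices are trusted
    none)                  echo fail ;;
    "")                    echo n/a ;;     # no Thunderbolt domain exposed
    *)                     echo unknown ;;
  esac
}

# UEFI Secure Boot. The efivars file holds 4 attribute bytes followed by the
# variable data, a single byte that is 1 when Secure Boot is enforced.
secureboot_state() {
  f=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
  [ -r "$f" ] || return 0
  od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
}
check_secureboot() {
  case "$1" in
    1) echo ok ;;
    0) echo fail ;;
    *) echo unknown ;;   # legacy BIOS boot or efivars not mounted
  esac
}

# Full-disk encryption: any block device of TYPE "crypt" in lsblk output
# (one type per line, as produced by `lsblk -rno TYPE`).
check_encryption() {
  printf '%s\n' "$1" | grep -qx crypt && echo ok || echo fail
}

# IOMMU: the kernel only populates /sys/kernel/iommu_groups when an IOMMU is
# active, which is what limits where a PCIe/Thunderbolt device may DMA into.
check_iommu() {
  [ "${1:-0}" -gt 0 ] 2>/dev/null && echo ok || echo fail
}

# Gather live values from the running system and print one line per check.
audit_host() {
  tb=$(read_sysfs /sys/bus/thunderbolt/devices/domain0/security)
  sb=$(secureboot_state)
  types=$(lsblk -rno TYPE 2>/dev/null || true)
  groups=$(ls /sys/kernel/iommu_groups 2>/dev/null | wc -l | tr -d ' ')
  printf '%-20s %s\n' "thunderbolt_level" "$(check_thunderbolt_level "$tb")"
  printf '%-20s %s\n' "secure_boot"       "$(check_secureboot "$sb")"
  printf '%-20s %s\n' "disk_encryption"   "$(check_encryption "$types")"
  printf '%-20s %s\n' "iommu_active"      "$(check_iommu "$groups")"
}

audit_host
```

Run it as root on the laptop before it leaves the building; a `fail` on `thunderbolt_level` or `iommu_active` means an attached peripheral could read memory directly, which is the precondition for the Thunderspy-style attack described above, and a `fail` on `disk_encryption` means the drive contents are readable from any external boot medium.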