Red Devil's Solution to Maid Evil

For a long time I have been hearing a lot of buzz about a new hacking technique known as “Evil Maid” or “Cleaning Maid”. The attack is performed against Full Disk Encryption (FDE) on the laptop of a person holding confidential information. In this attack an attacker replaces the boot loader with a boot-kit and then waits for the user to boot and enter his password; the installed boot-kit then logs the keystrokes and saves them in the boot-kit's database. Finally the attacker has to get his hands on the laptop once more when no one is around, and poof, your disk encryption password is stolen. This type of attack can be performed by a person disguised as a cleaning maid while you leave your laptop in a hotel room on tour; hence this kind of attack is called the Evil Maid attack. Since the attack came out I have heard a lot of people saying something like: there is no solution to this kind of attack, so you must not leave your laptop alone. I spent a lot of time looking for someone who had a solution to this problem and found only one person proposing one, but after reading his solution I was not quite satisfied, so I tried to find my own.

So before we discuss the solutions I would first like to make clear why they will work. As stated earlier, the attacker replaces the boot loader with a boot-kit. That is possible because even though the whole disk is encrypted, the boot loader is not, so that the machine can boot normally; the attacker uses this flaw to replace it with a boot-kit. With this it should be clear why encryption alone cannot stop it: the one part left in plaintext is exactly the part that gets replaced. All the solutions below work on this concept and are most likely to work. So let's move on to the solutions.

1. When you install your OS, take a recovery backup including a backup of the boot loader on a bootable USB drive or CD-ROM. Then, whenever you have left your laptop for a long time in a susceptible place, insert the USB drive or CD-ROM after returning and re-install your boot loader instead of booting directly, so that your boot loader retains its original state. That means if someone altered your laptop while you were out, the boot-kit will automatically be replaced by a legitimate copy, and all changes revert back to normal. Isn't that clever? Hagai Bar has found this solution.

Of course the solution is great, but sometimes it may not work well for you. Let's see why. Suppose you have multiple OSes installed on your laptop; then backing up the boot loader may lead to the loss of one of the partitions on which an OS is installed. Also, re-installing the backup may take a lot of your time. Below are the solutions which I think are better to use; I found them because I was not satisfied with the solution above.

2. The solution has the following steps:
a. Before you proceed, note which is your master OS if you have installed multiple OSes on your system.
b. Then search online to find out in which folder and in which files your boot loader is located.
c. Get any mini Linux distro, install it on a flash drive, then install Tripwire on it. Tripwire is a program for Linux and Unix systems that checks file integrity.
d. Now boot the USB drive on your laptop, mount the master partition, check the integrity of its files and folders using Tripwire, and save the integrity check file on your flash drive.
e. When you arrive back, insert and boot from the USB drive, mount the partition, check the integrity of the files and folders using Tripwire and compare with the previous result. If someone has altered your laptop the changes will be 100% visible; otherwise just shut down and boot normally. This procedure will hardly take 5 minutes.

3. This solution is meant for programmers only. Perform the first step of the second solution. As a programmer you must know which files are specifically responsible for booting your system. Write a program that attaches itself to the boot loader as a counter. Each time the system boots, your boot loader should call this program; the program increments the counter by one, then checks the integrity of the boot loader, compares it with the previous result and displays the details before you log in. It is expected that if your boot loader has been replaced this program will not run at all; if it does run, it will show that the counter was reset; even if that fails it will show that the size is different; and even if the attacker manages to make the boot-kit the same size as the original boot loader, there is no way he can ever match the integrity value of the previous boot loader, so you will find out whether or not you have been hacked. And since the program displays its result before you log on, you can shut down and reset the boot loader if it was altered.

4. This is the final and easiest solution. Install a mini Linux on a USB drive. Before leaving your laptop alone, attach the USB drive, boot from it, mount the master boot partition and copy all files and folders related to booting into a separate folder. Then create a password-protected archive of it and save it on the USB drive from which you booted your laptop. The next step is to move inside the boot loader folder and type this command,
shred *.*
This will damage all files in that folder that are related to booting your system, so now your laptop can't be booted, because all files required for booting are damaged. When you arrive back, just replace the shredded files with the files you archived on your pen drive. Isn't that easy? Even a kid can do it.
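As an added example (again not from the post), solution 4 as a shell script with the check a practitioner would want on return: archive the boot files together with a hash manifest, deliberately damage the originals with shred, and after restoring prove that the restored tree is byte-identical to what was stashed. Password protection of the archive is left to a separate tool such as gpg --symmetric run on the resulting tarball, so that this script runs offline. The paths in the comments are assumptions, and the demo works on a constructed directory.

```shell
#!/bin/sh
# Added example (not from the original post): stash, disable and restore the
# boot files, the procedure of solution 4 with a verification step on return.
# Assumed usage: boot_stash   /mnt/laptop/boot /media/usb/boot.tar
#                boot_disable /mnt/laptop/boot
#                boot_restore /media/usb/boot.tar /mnt/laptop/boot

if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }
fi

# Hash every regular file under $1, relative to it, in a stable order.
manifest_of() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# Archive the boot directory and store a hash manifest next to the archive.
# Encrypting the tarball afterwards (e.g. gpg --symmetric) is a separate step.
boot_stash() {
    bootdir="$1"; archive="$2"
    manifest_of "$bootdir" > "$archive.sha256"
    tar -C "$bootdir" -cf "$archive" .
}

# Overwrite every file under $1 in place so the machine cannot boot from it.
# Uses shred where available; otherwise overwrites with random bytes by hand.
boot_disable() {
    find "$1" -type f | while IFS= read -r f; do
        if command -v shred >/dev/null 2>&1; then
            shred -n 1 "$f"
        else
            size=$(wc -c < "$f" | tr -d ' ')
            head -c "$size" /dev/urandom > "$f"
        fi
    done
}

# Unpack the archive over $2 and confirm every file matches the manifest.
# Returns 0 only when the restored tree is byte-identical to what was stashed.
boot_restore() {
    archive="$1"; bootdir="$2"
    tar -C "$bootdir" -xf "$archive"
    restored=$(mktemp)
    manifest_of "$bootdir" > "$restored"
    if cmp -s "$archive.sha256" "$restored"; then
        rm -f "$restored"; return 0
    fi
    echo "ERROR: restored boot files do not match the stashed manifest" >&2
    rm -f "$restored"; return 1
}

# Demo on a constructed directory: returns 0 if disabling really changed the
# files and restoring brought back exactly the original bytes.
demo_stash_disable_restore() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/boot/grub"
    printf 'original stage1\n' > "$tmp/boot/grub/stage1"   # constructed
    printf 'kernel bytes\n'     > "$tmp/boot/vmlinuz"       # constructed
    boot_stash "$tmp/boot" "$tmp/boot.tar"
    boot_disable "$tmp/boot"
    manifest_of "$tmp/boot" > "$tmp/after_disable"
    if cmp -s "$tmp/boot.tar.sha256" "$tmp/after_disable"; then return 1; fi
    boot_restore "$tmp/boot.tar" "$tmp/boot" || return 1
    [ "$(cat "$tmp/boot/grub/stage1")" = "original stage1" ] || return 1
    rm -rf "$tmp"
    return 0
}
```

Two details worth noting. The post's `shred *.*` only matches names that contain a dot, so a boot file without an extension would survive untouched; the function above walks the directory with find instead. And the manifest comparison on restore is what turns "copy the files back" into a real check: if the archive on the pen drive was itself tampered with, the restored tree will not match and the script says so.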

After reading the last three solutions you may have noticed that they are all somehow related to the buzzword file integrity; for your kind information I must tell you, you are not wrong at all. All those preventive ideas struck my mind when I found a forum where people were discussing the use of Tripwire on FreeBSD. And of course all credit goes to Mr. Red Devil (FreeBSD), who got the solution to the problem of “Maid Evil”. If you are among the people who were until now searching for a solution to “Evil Maid”, please tell others that the solution is out and 100% working.
------------------------------------------------------------------------------------------------------------------------------------------------
Note: We know that PGP and TrueCrypt have already come up with software-based solutions to the “Evil Maid” problem, but the fact is that both are Windows-based solutions, and the “Evil Maid” software has since been updated to bypass TrueCrypt. The preventive measures above are not only for Windows PCs but for all kinds of OS on which FDE is used to protect your information. So the actual situation is that currently you don't have real software-based protection against “Evil Maid”.
