Joanna Rutkowska of The Invisible Things Lab recently made an interesting post on her blog about the work they have been doing to capture the passphrase of users using TrueCrypt full disk encryption.
Due to the requirement for physical interaction to plug in a USB device, they have coined this the Evil Maid attack. The scenario being that a maid in a hotel with evil intent gets upto no good with someones laptop who is staying in the hotel.
How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda
) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care about adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.
Its my belief that this sort of solution could be used to bypass other full disk encryption products that dont use a TPM (Trusted Platform Module).
This does look like a really interesting project, but for one reason or another I cant get my evil maid attack to work. I have tried to create a couple of USB drives, but all of them just end up with a flashing cursor at boot time, and thats it.
When I get this working, I will post an update. For now enjoy reading the informative blog post from Joanna.