The "Evil Maid Attack" against full disk encryption

Date : December 07, 2009

Introduction

In October 2009, Joanna Rutkowska (InvisibleThingsLab.com) released a "proof of concept" tool to demonstrate that it is possible to attack a computer protected by a full disk encryption solution such as "TrueCrypt" or "PGP Whole Disk Encryption" (the Microsoft "BitLocker" solution is not vulnerable to this attack).

The attack, dubbed the "Evil Maid Attack", was first described by Joanna in January 2009. But the release of a tool implementing it in the real world changes the threat: it moves from a theoretical risk to a real, demonstrated one.

 

Principle of the attack

A laptop protected by full disk encryption is left unattended in a hotel room (e.g. while the owner is having breakfast). A malicious maid enters the room, inserts a specially prepared USB drive into the laptop and starts it. The laptop boots from the USB drive (assuming the laptop allows booting from USB, which is the most common setting), which immediately modifies the hard disk boot sector in order to install a keylogger on the laptop. This keylogger will now be launched each time the computer is started. The maid shuts down the laptop, takes the USB drive and leaves the room. The whole operation takes less than 5 minutes.

The next time the owner starts the laptop and enters the disk encryption password, the keylogger captures the password and records it in an unused part of the hard disk. Some time later, the maid comes back, steals the laptop, extracts the recorded password and can now decrypt the data on the hard disk.

To demonstrate the actual risk posed by this attack, the Invisible Things team has built a bootable USB drive that implements it against the TrueCrypt 6.x full disk encryption software.

Note: how the keylogger is installed, and the keylogger code itself, depend on the disk encryption software in use. This means that the USB drive built by Invisible Things can only be used against a computer that runs TrueCrypt 6.x.
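Since the attack works by rewriting the boot region of the disk, the simplest check a defender can run is a baseline comparison of that region. The script below is an added example (not code from this article or from Invisible Things Lab): it builds a constructed in-memory disk image, records a per-sector SHA-256 baseline of the MBR and boot track, and reports which sectors no longer match. The 63-sector boot region size and the toy MBR/loader contents are assumptions for the demonstration; on a real machine the same logic would read the raw disk from a clean rescue medium and compare against a baseline kept off the laptop.

```python
"""Boot-sector / boot-track baseline check.

Added example, not code from the article or from Invisible Things Lab. It models
one countermeasure mentioned in the article: verifying that the disk boot sector
has not been altered. The disk image is a constructed in-memory byte string; on a
real machine the same logic would read the raw disk (e.g. /dev/sda) from a clean
rescue medium and compare against a baseline stored off the laptop.
"""
import hashlib
from typing import List

SECTOR = 512
# Assumption: legacy BIOS bootloaders live in the MBR (sector 0) plus the
# "boot track" that follows it; 63 sectors covers that region on a typical disk.
BOOT_REGION_SECTORS = 63


def build_image(mbr_code: bytes, loader: bytes, total_sectors: int = 128) -> bytes:
    """Construct a toy disk image: sector 0 holds boot code padded to 510 bytes
    plus the 0x55AA signature, the loader follows, the rest is zero-filled."""
    mbr = mbr_code[:510].ljust(510, b"\x00") + b"\x55\xaa"
    return (mbr + loader).ljust(total_sectors * SECTOR, b"\x00")


def overwrite_sector(image: bytes, sector: int, data: bytes) -> bytes:
    """Return a copy of the image with one sector replaced (used here only to
    simulate an altered boot region for the check below)."""
    off = sector * SECTOR
    block = data[:SECTOR].ljust(SECTOR, b"\x00")
    return image[:off] + block + image[off + SECTOR:]


def sector_hashes(image: bytes, n: int = BOOT_REGION_SECTORS) -> List[str]:
    """SHA-256 per sector of the boot region; this is the baseline to store."""
    return [hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(n)]


def has_mbr_signature(image: bytes) -> bool:
    """Sanity check: a bootable MBR ends with the bytes 0x55 0xAA."""
    return image[510:512] == b"\x55\xaa"


def changed_sectors(baseline: List[str], image: bytes) -> List[int]:
    """Indices of boot-region sectors whose hash differs from the baseline."""
    current = sector_hashes(image, len(baseline))
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


if __name__ == "__main__":
    # Constructed sample: a toy MBR and a ~2.7 KB toy loader spanning sectors 1..6.
    clean = build_image(b"\xfa\x33\xc0 toy MBR", b"TOYLOADER" * 300)
    baseline = sector_hashes(clean)          # taken once, on a known-good system
    print("signature ok:", has_mbr_signature(clean))
    print("clean diff:", changed_sectors(baseline, clean))
    # Simulate the hotel-room scenario: one loader sector no longer matches.
    altered = overwrite_sector(clean, 5, b"loader sector replaced")
    print("altered diff:", changed_sectors(baseline, altered))
```

The per-sector hashes (rather than one digest over the whole region) tell the operator where the change sits, which helps distinguish a legitimate bootloader update from an unexpected modification. The check only has value if the baseline and the checking tool themselves are not stored on the disk being checked, which is why it is run from a separate boot medium.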

 

In her paper, Joanna suggests several countermeasures that we will not describe here (e.g. disabling USB boot, verifying that the disk boot sector has not been altered, etc.). She also indicates that, in her view, the root cause which makes this attack possible is that full disk encryption software such as TrueCrypt or PGP WDE (Whole Disk Encryption) does not verify that its execution environment has not been altered before asking the user to enter the disk unlock password. In contrast, she explains that Microsoft BitLocker is not vulnerable to the attack because it relies on the TPM (Trusted Platform Module, a component defined by the TCG, the Trusted Computing Group) to deliver the decryption key only once the integrity of the underlying system has been demonstrated.

To avoid this attack, Joanna suggests that any full disk encryption software should include a "Trusted Boot" mechanism similar to the one BitLocker implements with the TPM.
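The "Trusted Boot" idea rests on two operations: each boot component is measured into a TPM register before it runs (PCR extend), and the volume key is sealed so that it is only released when the register holds the expected value. The model below is an added example, not code from this article, from Microsoft or from the TCG: it reproduces the PCR extend rule (new PCR = SHA-256(old PCR || SHA-256(component))) and replaces the TPM's internal sealing with a toy ToySealedKey class so the decision "release the key only if the measurements match" can be exercised offline. The boot chain contents and the XOR-based wrapping are assumptions of the model; a real TPM keeps the sealing secret inside the chip and measures from a firmware root of trust.

```python
"""Toy "measured boot" model: why a TPM-sealed key stays locked after the boot
code has been modified.

Added example, not code from the article, Microsoft or the TCG. It reproduces the
PCR extend rule used by TPMs (PCR_new = SHA-256(PCR_old || SHA-256(component)))
and a simplified "seal to PCR" step. A real TPM keeps the sealing secret inside
the chip, measures from a firmware root of trust and uses its own PCR banks; the
ToySealedKey class below only models the decision "release the key iff the
measurements match".
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: hash the old PCR value concatenated with the component's hash."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components: Iterable[bytes]) -> bytes:
    """Fold a boot chain (firmware, MBR, bootloader, ...) into one PCR value.
    Order matters, and any single change propagates to the final value."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ToySealedKey:
    """Bind a volume key to an expected PCR value (model of TPM sealing)."""

    def __init__(self, volume_key: bytes, expected_pcr: bytes) -> None:
        if len(volume_key) != 32:
            raise ValueError("toy model expects a 32-byte volume key")
        self.expected_pcr = expected_pcr
        self.blob = self._wrap(volume_key, expected_pcr)

    @staticmethod
    def _wrap(data: bytes, pcr: bytes) -> bytes:
        # Toy wrapping: XOR with a PCR-derived pad. Stands in for the TPM's
        # internal encryption; not a real sealing scheme.
        pad = hashlib.sha256(b"toy-seal|" + pcr).digest()
        return bytes(a ^ b for a, b in zip(data, pad))

    def unseal(self, current_pcr: bytes) -> Optional[bytes]:
        """Release the key only if the current measurement equals the sealed one."""
        if not hmac.compare_digest(current_pcr, self.expected_pcr):
            return None
        return self._wrap(self.blob, current_pcr)


if __name__ == "__main__":
    # Constructed boot chain; real components are the firmware image, MBR and loader code.
    clean_chain = [b"firmware v1", b"mbr: clean", b"bootloader: clean"]
    volume_key = os.urandom(32)
    sealed = ToySealedKey(volume_key, measure_chain(clean_chain))
    print("clean boot releases key:",
          sealed.unseal(measure_chain(clean_chain)) == volume_key)

    # Evil Maid scenario: the bootloader sector was rewritten. The firmware measures
    # the modified code before it runs, so the PCR no longer matches and no key is
    # released to whatever is now asking for the password.
    evil_chain = [b"firmware v1", b"mbr: clean", b"bootloader: modified"]
    print("modified boot releases key:",
          sealed.unseal(measure_chain(evil_chain)) is not None)
```

The point of the model is that the key release decision happens before the (possibly modified) boot code gets to prompt for anything, so a keylogger planted in that code has no key to capture. The guarantee is only as good as the root of trust doing the measuring; the article's later remarks on SMM and ACPI-level bypasses concern exactly that layer, which this model does not represent.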

 

Response

The PGP Company commented on Joanna's publication and stated that there is little chance of the attack succeeding against a laptop protected by PGP Whole Disk Encryption. This is because, most of the time, WDE is combined with a two-factor authentication mechanism (e.g. an external authentication token), which makes a captured password unusable by the attacker. Joanna Rutkowska responded on her blog that the attack would still be possible even when two-factor authentication is used: in this case, instead of capturing the password, the keylogger would be modified to capture the final decryption key that WDE produces once the authentication phase has completed successfully.

Regarding Joanna's suggestion to implement a "Trusted Boot", we can also argue that "Trusted Boot" is not a panacea, because the concept is very difficult to implement correctly. For example, Loïc Duflot demonstrated during his presentation at the SSTIC 2009 conference that trusted computing (via mechanisms such as the TPM or technologies such as Intel TXT) could be defeated through low-level mechanisms such as SMM (see our article on this subject) or ACPI tables (see our report on the JSSI conference). Thus, the TPM used by BitLocker could probably also be circumvented. The German Fraunhofer Institute also published this year a study which describes several methods to bypass the TPM protection.

From this discussion, we can conclude that the "Evil Maid Attack" is:

  • Trivial on a system that uses TrueCrypt,
  • Theoretically possible (but harder) on other systems (such as PGP WDE) which do not implement a "Trusted Boot" mechanism,
  • Possibly feasible, using other attack schemes, even on systems which do implement a "Trusted Boot".

This debate highlights how important it is to clearly define the risks against which we wish to protect when relying on full disk encryption.

If the objective is to protect against accidental loss or theft of the laptop, full disk encryption is certainly a very satisfactory solution (including when encryption is based on freely available solutions such as TrueCrypt).

On the other hand, if the objective is to protect against targeted attacks (the case where someone wants your laptop because he wants to steal the data stored on it), then you must be very cautious about the level of security provided by full disk encryption. There are several examples of other forms of attack (which can be performed even with a very limited budget), such as:

  • Someone watching you while you type your password (e.g. an over-the-shoulder attack by your neighbour on the plane),
  • Someone listening to the electromagnetic radiation from your keyboard (see the study conducted on this topic at EPFL),
  • Etc.

 

Conclusion

The Invisible Things publication demonstrates the feasibility of the "Evil Maid Attack". It gives a new view of the level of security provided by full disk encryption. We already knew that it does not protect against "warm attacks" (if a virus infects your computer, then as long as the computer is running the virus has access to all the data that the current user can access on the PC, even if full disk encryption is in place). We now also see that a simple USB key (equipped with an appropriate program downloaded from the Internet) makes it possible to perform a "cold attack", and more simply than the methods previously described on that topic (for example the "cold boot" attack we described in 2008).

From our point of view, this does not negate the real benefit of full disk encryption solutions. Too many PCs still lack this type of protection, and it is only a matter of luck that the data stored on them has not been stolen yet. But this shows that this protection is not unbreakable: used alone, it cannot stop a motivated attacker.

 

For more information
