Of Encrypted Hard Drives and "Evil Maids" 376
Schneier has a blog piece about Joanna Rutkowska's "evil maid" attack, demonstrated earlier this month against TrueCrypt. "The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. ... [A] likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. ... [P]eople who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe. It protects against someone confiscating or stealing their computer and then trying to get at the data. It does not protect against an attacker who has access to your computer over a period of time during which you use it, too."
Fine line between security and paranoia (Score:5, Interesting)
Seriously, if you're worried about some hacker assassin breaking into your house or office and installing a bootloader, you're either doing something REALLY secretive (in which case the computer probably shouldn't even be on a network to upload any data back in the first place) or you're the kind of person who thinks Obama has your name on an "important persons" list and is coming for your guns. If someone has physical access to your machine and has the skills to install a bootloader, you're pretty much boned anyway, encryption or not (encryption isn't going to stop a simple keylogger). That's nothing new. Fortunately, for the vast vast majority of us, there are very few hacker black operatives who are running around breaking into hotel rooms just so they can get a single Visa number from Bob the dipshit middle manager. Newsflash Bob, YOU'RE NOT THAT IMPORTANT!
Oh, and I love how the article calls the prospect of a ninja hacker hotel maid sneaking a bootloader onto your laptop and then sneaking back into your room later to retrieve the data a "likely scenario." What hotels is this guy staying at anyway?
My bootloader is on USB (Score:1, Interesting)
Sorry, but my bootloader, GRUB, kernel and boot partition are on USB. The hard drive really is wholly encrypted... except a few hundred bytes in LUKS partition headers.
The evil maid will thus have to work harder: devise a LUKS partition header which will thoroughly corrupt my copy of cryptsetup as it tries to decrypt the partition.
With TrueCrypt, which doesn't put any identifiable information in partition headers, the job might be harder still.
Re:Bootloader? BitLocker? (Score:3, Interesting)
A lot of designs do not have the tpm chip implemented. I know, because I am a designer, and most of the design requirements I fill do not include or want a tpm chp. This will only be in all systems when Intel makes it a part of their system chips (what used to be the north bridge / south bridge combination, and is now the PCH or silverthorne).
Re:bootloader checksum (Score:4, Interesting)
That won't work if the attacker use a hardware keylogger (which can be inserted under a laptop's keyboard - how often do you check there?).
An easier way to checksum bootloader is via a tamper-proof hash stored in the encrypted area. But that require that the computer is actually telling you the truth, which is doubtful if they already went far enough to change the bootloader. But then again, your idea also require that the computer is honest... They could have replaced the bios itself, or made a small bootloader that worked its magic fast and silent, and then proceeded like a normal boot, starting from usb like bios would do..
I was thinking of this a few months ago, actually, and the only solution I found was to either always have it with you (impractical), or store it in a trustworthy safe (could also be slightly impractical to haul around). And still you have to be certain of your environment (spy cameras, tempest type snooping, in some cases recording the sound of your key clicks...).
Also, if you want it connected to a network, well darnit, you got another can of worms.. First, you need to update it, or else its vulnerable fast. Second, you need to trust the OS providers and the actual update. Could someone have stolen the signing key and faked an update? Is the company / employees really trustworthy? Are you sure the developer's machine isn't hacked and is used to spread dangerous code?
I tried to make a system where I (if I had a lot of resources) couldn't possibly find any way around. I just couldn't find any. All of them had a potential loophole.
My conclusion was : Pick an approperiate level of paranoia and go from there. And never expect it to be 100% secure.
Re:surprise (Score:3, Interesting)
Re:Bitlocker? (Score:4, Interesting)
I like the theory. However one thing to bear in mind is that the integrity of Bitlocker itself is questionable. I know for a *FACT* that "3 letter agencies" have backdoor keys. Ask any IT forensics person. Microsoft even have closed, invite only sessions for enforcement agencies to show them how to bypass bitlocker security.
That in itself means that the government/big brother is guarenteed to be able to bypass MS based secruity. Ask yourself this, can you see Osama Bin laden using bitlocker to protect his stuff ?
Take this further, do you want the government to have access to your files, just a quick phone call to MS and wham, all your shit laid bare.
Re:Fine line between security and paranoia (Score:0, Interesting)
Seriously
You obviously do not have any siblings, and the siblings which you do not have obviously do not have access to the global network.
Family members are the most notorious for saying,"Uhhhh... we did not do that. But it was damn funny."
That is a whole new perspective on Osama.
The thought of the people that I know wearing evil maid costumes for Halloween is equally entertaining.