Cyber Threats #evil maid#physical security#disk encryption

Evil Maid Attacks: Physical Security for Laptops

Understand evil maid attacks against encrypted laptops and learn defenses including Secure Boot, TPM+PIN, and anti-tampering techniques.

6 min read

The “evil maid” attack is named for the scenario where an attacker has brief, unsupervised physical access to your device — like a hotel housekeeper. With the right tools and 5–10 minutes, an attacker can compromise an encrypted laptop in ways that survive a reboot and defeat full-disk encryption. This guide explains the attack vectors and how to defend against them.

Why Full-Disk Encryption Isn’t Enough

Disk encryption like BitLocker or VeraCrypt protects data when your device is off. But an evil maid can:

  1. Boot from a USB drive and install a bootkit that captures your encryption password
  2. Modify the bootloader on disk to log your password before passing it to the real OS
  3. Cold boot attack: freeze RAM with compressed air, extract it, and read encryption keys from memory
  4. DMA attack: connect a malicious device to a Thunderbolt/FireWire port and read RAM while the machine is running or recently suspended

These attacks don’t need to break encryption — they capture the key before or during decryption.

Attack Vector 1: Bootloader Tampering

Without Secure Boot and measured boot, an attacker can:

  1. Boot from a USB (requires BIOS access or no USB boot restriction)
  2. Replace your bootloader (GRUB, Windows Boot Manager) with a malicious version
  3. The modified bootloader logs your encryption password on next boot
  4. Attacker returns, boots the USB again, extracts the logged password, and decrypts your drive

Defense: Secure Boot + TPM

Secure Boot prevents booting unsigned operating system components. If the bootloader is modified, it won’t boot (signature mismatch).

TPM (Trusted Platform Module) measures the entire boot chain and refuses to release the disk encryption key if anything changed. BitLocker with TPM uses this by default.

Enable in Windows:

Settings → Privacy & Security → Device Encryption → BitLocker settings

Verify Secure Boot status:

Confirm-SecureBootUEFI
# Returns True if Secure Boot is enabled

Attack Vector 2: Cold Boot Attack

DRAM retains data for seconds to minutes after power loss, especially when cooled. An attacker can:

  1. Spray compressed air (inverted canister) on RAM modules to freeze them
  2. Quickly remove and transfer RAM to another machine (or reboot to a cold-boot tool)
  3. Dump RAM contents and extract BitLocker/LUKS keys

This works against a sleeping/hibernating machine with keys in memory.

Defense: TPM + PIN / No Hibernate

BitLocker with TPM + PIN: requires a user-entered PIN at every boot. The disk encryption key is never released without the PIN, even with a TPM. Cold boot captures memory but not the PIN.

# Enable BitLocker with TPM + PIN
Enable-BitLocker -MountPoint "C:" -TpmAndPinProtector

Disable hibernate (encryption key stays in RAM file on disk otherwise):

powercfg /hibernate off

For Linux (LUKS): Use encrypted swap, disable suspend-to-disk, or enable kernel lockdown mode.

Attack Vector 3: DMA (Direct Memory Access) Attacks

Thunderbolt, FireWire, and some USB-C ports support DMA — direct access to RAM without CPU involvement. An attacker with a malicious device (e.g., a Thunderbolt attack tool) can:

  • Read RAM contents from a running or recently suspended machine
  • Inject malicious code directly into memory

Defense: Disable DMA Before Boot / Kernel DMA Protection

Windows Kernel DMA Protection (available on modern hardware with IOMMU):

Settings → Privacy & Security → Windows Security → Device Security → Core isolation
→ Memory access protection: On

Thunderbolt Security Level (BIOS): Set to User Authorization or Secure Connect — requires authorization for each new Thunderbolt device before allowing DMA.

Linux: Enable IOMMU in kernel parameters:

# GRUB config: add to GRUB_CMDLINE_LINUX
intel_iommu=on iommu=pt   # Intel
amd_iommu=on iommu=pt     # AMD

Attack Vector 4: BIOS/UEFI Attacks

An attacker with physical access can flash a malicious UEFI firmware that persists across OS reinstalls and disk encryption:

  • Solution: set a strong BIOS/UEFI password that prevents booting from USB and prevents BIOS settings changes
  • Some enterprise laptops (ThinkPad, HP Elite, Dell Latitude) support BIOS signing and chassis intrusion detection

Practical Defense Checklist

For high-risk users (journalists, executives, security researchers):

  • Full-disk encryption enabled (BitLocker/VeraCrypt/LUKS)
  • TPM + PIN configured (not TPM-only)
  • Secure Boot enabled in UEFI
  • BIOS password set — prevents boot order changes and USB boot
  • Hibernate disabled — use sleep with a short auto-lock, or shut down
  • Kernel DMA Protection / Thunderbolt Security enabled
  • Never leave device unattended in a hotel room without a portable safe or tamper-evident seals

Tamper-evident seals: apply over screws and ports of your laptop with nail polish, glitter nail polish (random pattern is hard to replicate), or purpose-made security tape. Photograph before leaving your device. Any tampering disturbs the pattern.

Travel-Specific Practices

  • Never leave a laptop in a hotel room safe — staff typically have override codes
  • Use a laptop cable lock for public locations
  • When crossing borders, consider traveling with a clean “travel device” that has no sensitive data and can be wiped if seized
  • Some people use tamper-evident holographic stickers on their laptop’s accessible screws

Evil maid attacks require physical access and are resource-intensive — they’re relevant to specific threat models (targeted corporate espionage, crossing hostile borders, high-risk journalism) rather than everyday users. Understanding the attack helps you calibrate your defenses accordingly.

#TPM #disk encryption #physical security #evil maid