Many people, myself among them, have recommended that people who keep sensitive information on laptop PCs use a disk encryption product like the free TrueCrypt, PGP’s disk encryption, or Microsoft’s BitLocker, especially if they travel with the laptop. This is a worthwhile security precaution: it will protect your data if your laptop is lost, confiscated, or stolen, for example. But it will not protect you against every kind of attack.
Joanna Rutkowska, the founder and CEO of Invisible Things Lab, has recently published a blog post on a so-called “evil maid” attack against a PC running with TrueCrypt. (The origin of the name, which I prefer to use as “evil housekeeper”, will be apparent a bit later.) The software to carry out the attack is loaded onto a USB stick; here is how the attack works:
- Security-conscious user is traveling with encrypted laptop. After checking his E-mail in his hotel room, he goes downstairs to get something to eat, turning the laptop off first.
- Evil housekeeper enters the room, and turns the laptop on, booting it from the USB stick. This boot image installs a low-level keyboard sniffer, which will capture the user’s TrueCrypt passphrase the next time (s)he starts up the PC.
- The passphrase is then stored somewhere on the disk, or perhaps transmitted over the network to the evil housekeeper’s command post.
Ms. Rutkowska has, as is her wont, demonstrated that this is not just a theoretical possibility by creating an implementation of the attack suitable for use on a USB stick; it is available for download from her blog post.
This attack demonstrates a couple of important things to remember about PC system security:
- You need to make sure you understand what any given security solution can and cannot do for you. Remember that security is a process or system, not a product.
- Having physical access to the machine, particularly during a period when it is also being legitimately used, trumps many otherwise good security measures. Note that this attack, although it required physical access to the machine, does not require any hardware modification.
There are some defenses against this kind of attack. Use of the Microsoft BitLocker encryption on a PC that also has a Trusted Platform Module [TPM] provides considerable, although not absolute, security against this kind of attack. Ensuring that the PC is kept physically secure will also prevent this attack; and Ms. Rutkowska has some further suggestions in the blog post.
There is more that could be done, in the encryption software, to mitigate this kind of risk. Better use of the TPM, and Trusted Computing facilities in general, would also help. The moral of the story is that, if you must have sensitive data on your laptop, make sure you understand the range of possible threats, and what can be done to reduce the risk of data compromise.
Bruce Schneier has a post on this in his “Schneier on Security” blog; he also has an excellent summary article (dating from 2005!) on Trusted Computing and the role of the TPM.