Friday, February 23, 2018

The Evil Maid Attack


An evil maid attack is an attack against a computing device that has been shut down and left unattended. It is characterized by the attacker's ability to physically access the target, possibly more than once, without the owner's knowledge.

Besides giving this type of attack a very catchy name, Polish security researcher Joanna Rutkowska demonstrated in 2009 (against a TrueCrypt-encrypted laptop) that even full disk encryption (FDE) cannot be counted on to protect a laptop once an attacker has physical access to the device. Since then, the name "evil maid" has caught on with security professionals, and the label is used in a general fashion for scenarios in which the attacker doesn't simply steal the device -- or access it once to clone the hard drive -- but instead returns multiple times to wreak havoc.

Basically, the attack works like this:

Step 1: The attacker gains access to your shut-down computer and boots it from a separate volume, such as a USB stick. The part of the disk that holds the bootloader has to stay unencrypted, because the bootloader is what asks you for the passphrase and unlocks the rest, so the attacker can overwrite it with a hacked bootloader without knowing your key. The attacker then shuts the machine down and leaves it looking untouched.

Step 2: You boot your computer, the hacked bootloader shows you the familiar passphrase prompt, and you enter your encryption key. The hacked bootloader records the key and then hands off to the real one, so the disk unlocks and nothing looks wrong. The captured key is either stashed in an unencrypted spot on the disk for the attacker to collect later or, once the operating system is up, sent over the Internet by malware the bootloader installed.

You can see why it's called the "evil maid" attack: a likely scenario is that you leave your encrypted laptop in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. The same maid could sneak back the next night to collect the captured key and erase any traces of her visit.

Defeating the Evil Maid

No security product on the market today can protect you if the underlying computer has been compromised by malware running with root or administrator privileges. If someone has had physical access to your computer, assume that person now has complete access to everything on it.
Putting your data on a thumb drive and taking it with you doesn't help: when you return, you're plugging that thumb drive into a corrupted machine, which can read it the moment it is mounted.

That being said, there are some common-sense defenses against the evil maid:

Two-factor authentication: a token (a smart card or USB key) that you don't leave in your hotel room for the maid to find and use. The maid could still corrupt the machine and capture your passphrase, but without the token that alone won't unlock the disk, so it's more work.

Setting a BIOS password to prevent your laptop from being booted from external media. Remember, though, that a BIOS password can be removed by clearing the CMOS with a jumper or DIP switch, pulling the CMOS battery, reflashing the BIOS, or replacing the BIOS chip, among other techniques. Some people super-glue the screws that hold their laptop together so the case cannot be easily opened; at the very least this makes tampering evident.

Use a secure locking case, such as a Pacsafe bag or a Pelican laptop case, to store your laptop while it is unattended.

The simplest measure may be to always keep your device with you instead of leaving it in a hotel room or another unattended location.


Joanna Rutkowska's Anti Evil Maid article (Sept 7, 2011) provides a more technical look at defense against the evil maid. The idea is to have the TPM seal a secret (a passphrase or picture of your choosing) to measurements of the boot chain, so the secret is only unsealed and shown to you when the bootloader that is about to ask for your key is the one you installed; if the maid has replaced it, the measurements differ and the secret never appears.
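As an added example (not code from this page or from the Anti Evil Maid project), the script below implements the low-tech version of the same idea without a TPM: before leaving home, hash every file on the unencrypted boot partition plus the MBR boot code, keep the manifest on a USB stick you carry with you, and on return boot from that stick and compare. It builds a fake /boot directory and a fake disk image in a temporary directory so it runs offline; the directory layout, file names and the stand-in for /dev/sda are assumptions. The caveat from above still applies: the check is only worth anything if both the script and the manifest come from the trusted medium, and it cannot see firmware or hardware implants, which is why Anti Evil Maid roots the measurement in the TPM instead.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large kernel images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_boot_sector(device: Path, nbytes: int = 446) -> str:
    """SHA-256 of the MBR boot code: the first 446 bytes of the disk, before
    the partition table.  On a BIOS machine the first stage of the bootloader
    lives here, outside any filesystem, so a file-level manifest misses it."""
    with device.open("rb") as f:
        return hashlib.sha256(f.read(nbytes)).hexdigest()


def build_manifest(boot_dir: Path) -> dict:
    """Map each regular file under the unencrypted boot directory to its hash."""
    return {
        p.relative_to(boot_dir).as_posix(): hash_file(p)
        for p in sorted(boot_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(boot_dir: Path, trusted: dict) -> dict:
    """Diff the current boot directory against the trusted manifest.

    Added files matter as much as modified ones: a maid can drop a new
    bootloader module or config fragment instead of patching an existing file.
    """
    current = build_manifest(boot_dir)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "added": sorted(k for k in current if k not in trusted),
        "missing": sorted(k for k in trusted if k not in current),
    }


def is_clean(result: dict) -> bool:
    return not (result["modified"] or result["added"] or result["missing"])


def demo() -> tuple:
    """Constructed scenario: a fake /boot and a fake disk, then a tampering.

    Returns (result before tampering, result after tampering, mbr_changed).
    """
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"                      # stand-in for /boot (assumed layout)
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz").write_bytes(b"kernel image (constructed)")
        (boot / "grub" / "core.img").write_bytes(b"bootloader stage (constructed)")
        (boot / "grub" / "grub.cfg").write_text("set timeout=5\n")
        disk = Path(tmp) / "sda"                       # stand-in for /dev/sda (constructed)
        disk.write_bytes(b"\xfa\x33\xc0" + b"\x00" * 509)  # one 512-byte sector

        # Taken at home and kept on the USB stick you carry with you.
        trusted = build_manifest(boot)
        trusted_mbr = hash_boot_sector(disk)
        before = verify_manifest(boot, trusted)

        # The evil maid's visit: patch the loader, drop a module, replace the MBR code.
        (boot / "grub" / "core.img").write_bytes(b"bootloader stage + passphrase logger")
        (boot / "grub" / "keylog.mod").write_bytes(b"logs the passphrase (constructed)")
        disk.write_bytes(b"\xeb\x3c\x90" + b"\x00" * 509)

        after = verify_manifest(boot, trusted)
        mbr_changed = hash_boot_sector(disk) != trusted_mbr
        return before, after, mbr_changed


if __name__ == "__main__":
    before, after, mbr_changed = demo()
    print("before the trip:", "clean" if is_clean(before) else before)
    print("after the trip: ", after)
    print("MBR boot code changed:", mbr_changed)
```

On a real machine you would point build_manifest at /boot and hash_boot_sector at /dev/sda (reading the raw device needs root), and run both from the trusted USB stick, never from the laptop's own disk. On a UEFI system the equivalent is to hash the EFI System Partition contents; better still, enable Secure Boot and let the firmware do the checking before any loader runs.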

People who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe. It protects against someone confiscating or stealing the computer and then trying to get at the data. It does not protect against an attacker who has access to the computer over a period of time during which you keep using it, too.
