Evil maid attack on an encrypted hard drive

An article was published yesterday that, with some help from Microsoft, reveals interesting details about the internals of BitLocker. The article is long and its contents can be summarized as "generally looks adequate, obvious vulnerabilities do not seem to be visible." But the links have a lot of interesting information about different attacks on an encrypted hard drive. I believe that the hawkers will be interested in a summary of the attack with the romantic name "evil maid" and its logical continuation. Is your business correspondence securely protected from young curious customs officers if you were asked to inspect a laptop with an encrypted hard drive for 10 minutes at a sunny Spain airport?

It would seem that if an adequate encryption algorithm is used and an attacker or just a curious person does not know your password, then business correspondence is completely safe. Is it so?

Not really. Encryption is implemented by the operating system. When you start a computer with Linux, Windows, or OSX, a certain operating system code starts first, which asks you for the passphrase from the encrypted hard drive, and then uses it to decrypt the hard drive in real time (or only home dir, if encryption is used by default on OSX). The “evil maid” attack consists in the fact that the backdoor, which sends all the necessary information to the attacker, is embedded in the code requesting the password. Which is not encrypted, because it must be executed when the computer starts, before the user enters the passphrase. The laptop was returned to you, you laughed at the near-by testers, turned it on, entered the password, loaded the operating system - and that’s all, backdoor is already on your computer.

Security paranoiacs are aware of this approach and in case of suspicion that someone modified the computer’s disk, they boot from usb and overwrite the part of the operating system that is responsible for the initial boot and password entry. Or use a usb key instead of entering a passphrase. Or boot from usb. Or any other way. But is that enough?

It turns out, no. Most hard drive encryption solutions use the AES algorithm in CBC block mode. And block cipher mode has a fun feature. If the attacker knows the contents of the encrypted file on the hard drive, but does not know the key, then he can modify the encrypted data in such a way that after decryption, the content he needs will be obtained. Suddenly, huh? You can not touch the bootloader. Knowing the version of the operating system and the location of its standard files on disk, you can embed backdoor into system files by simply overwriting some of the encrypted blocks. Such an attack is described in detail in another article , there is also a practical implementation for Ubuntu 12.04 (starting from 12.10, XTS is used by default, which protects the OS from this attack).

Starting with OSX Lion (10.7), the encryption tool is changed to File Vault 2 by default, which uses XTS-AESW, which is protected from such an attack, instead of AES-CBC.

Of course, such attacks are known to any reader familiar with the basics of information security. To everyone else, I hope that the information about these two attacks will be at least curious. The work of this artist was used as an illustration .

Also popular now: