4

When using full disk encryption the bootloader is not encrypted thus allowing attacks like the Evil Maid.

My question is how can I secure myself from this? Can I encrypt the drive or store it in a USB?

BTW: There is no more news about the NSA HDD backdoors. Is there a way to secure against hardware backdoors?

Greenonline
  • 204
  • 2
  • 4
  • 14
Mark
  • 67
  • 8
  • BIOS passwords - user/admin and master –  Jul 09 '15 at 13:10
  • 1
    Hardware backdoor is really another topic, please limit yourself to a single question per post. In my answer I focused only on the question mentioned in the title. BTW, there is no universal protection against any kind of threats, this include hardware backdoor like anything else. – WhiteWinterWolf Jul 18 '17 at 15:32

2 Answers2

2

UEFI Secure Boot provides protection from this type of attack by requiring cryptographically signed executables.
Generally speaking, you need a tamper-resistant hardware module that validates the bootloader (e.g. a TPM chip).

To protect yourself from hardware backdoors you need something like the Intel Trusted Execution Technology. Basically, all your hardware modules (your HDD, your keyboard, etc.) have to have a way to identify themselves to the CPU. That means that all the chips on your motherboard and every peripheral devices you connect must include a tamper-resistant keystore (like a smart card or a TPM chip). And since the currently commercially available hardware does not include components like that you cannot do much.

KovBal
  • 313
  • 2
  • 8
1

Most TPM-based solution will warn you when it is most likely too late: you will first be invited to enter you hard-disk password by the Evil Maid malicious software, and then the OS boot process will detect (thanks to TPM) the system integrity failure and warn you... but at this step you will already have given your password to the malicious software.

Joanna Rutkowska, founder of the security-focused Qubes OS Linux distribution, created the Anti-Evil-Maid software which provides a way for the computer to authenticate itself to you before you have to authenticate yourself to it.

Instead of directly asking you for the hard-disk password, the Anti-Evil-Maid software first uses the TPM to decrypt and show you a message or an image. If the boot process has been modified to include a malicious software, the TPM will not present the correct values to allow the decryption of this image, and a malicious software should not know by advance the exact message or image you expect (it must remain a secret).

Once you have checked that the image or message is indeed the expected one, you can be confident that the software currently asking you your password is the correct one and you can safely type your hard-disk password.

Note that all these solution still require the presence of a TPM chip on your machine. Without a TPM chip, there is no real way to protect you against such attack (some software may check the booting files integrity once the system has booted, but this is most likely too late: at this step your password may already have been sent through the network and/or your encrypted system files are now infected with a backdoor).

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107