From time to time it's good to take a break from all the ultra-low-level stuff, like e.g. chipset or TXT hacking, and do something simple, yet still important. Recently Alex Tereshkin and I got some spare time and we implemented the Evil Maid Attack against TrueCrypt system disk encryption in the form of a small bootable USB stick image that allows the attack to be performed in an easy "plug-and-play" way. The whole infection process takes about 1 minute, and it's well suited to be used by hotel maids.

Let's quickly recap the Evil Maid Attack. The scenario we consider is when somebody leaves an encrypted laptop unattended, e.g. in a hotel room. Let's assume the laptop uses full disk encryption, e.g. that provided by TrueCrypt or PGP Whole Disk Encryption.

Many people believe, including some well known security experts, that it is advisable to fully power down your laptop when you use full disk encryption, in order to prevent attacks via FireWire/PCMCIA or "Coldboot" attacks.

So, let's assume we have a reasonably paranoid user who uses full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room or somewhere else.

Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is sneak into the user's hotel room and boot the laptop from the Evil Maid USB stick. After some 1-2 minutes, the target laptop gets infected with the Evil Maid Sniffer, which will record the disk encryption passphrase the next time the user enters it. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in the current version).

Now we can safely steal/confiscate the user's laptop, as we know how to decrypt it. End of story.

Download the USB image here.

In order to "burn" the Evil Maid image, use the following command on Linux (you need to be root to do dd):

dd if=evilmaidusb.img of=/dev/sdX

Where /dev/sdX should be replaced with the device representing your USB stick, e.g. /dev/sdb. Please be careful, as choosing the wrong device might result in damaging your hard disk or other media! Also, make sure to use the device representing the whole disk (e.g. /dev/sdb), rather than a disk partition (e.g. /dev/sdb1).

On Windows you would need to get a dd-like program, e.g. this one, and the command would look more or less like this (depending on the actual dd implementation you use):

dd if=evilmaidusb.img of=\\?\Device\HarddiskX\Partition0 bs=1M

Where HarddiskX should be replaced with the actual device that represents your stick. (Partition0 in the Windows device namespace refers to the whole disk, which is what the image must be written to, just as with /dev/sdb rather than /dev/sdb1 on Linux.)

After preparing the Evil Maid USB stick, you're ready to test it against some TrueCrypt-encrypted laptop (more technically: a laptop that uses TrueCrypt system disk encryption). Just boot the laptop from the stick, confirm you want to run the tool (press 'E') and the TrueCrypt loader on your laptop should be infected.

Now Evil Maid will be logging the passphrases provided during boot time. To retrieve the recorded passphrase just boot again from the Evil Maid USB stick: it should detect that the target is already infected and display the sniffed password. The current implementation of Evil Maid always stores the last passphrase entered, assuming this is the correct one, in case the user entered the passphrase incorrectly at earlier attempts.

NOTE: It's probably illegal to use Evil Maid to obtain passwords from other people without their consent. You should always obtain permission from other people before testing Evil Maid against their laptops!

CAUTION: The provided USB image and source code should be considered proof-of-concept only. Use this code at your own risk, and never run it against a production system. Invisible Things Lab cannot be held responsible for any potential damages this code or its derivatives might cause.

The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) whether the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care to adjust some fields in the MBR, like the boot loader size and its checksum, so that the loader's own consistency checks keep passing. After the hooking is done, the loader is packed again and written back to the disk.

You can get the source code for the Evil Maid infector here.

So, how should we protect against such Evil Maid attacks? There are a few approaches.
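The following is an added example and is not the Evil Maid code released by Invisible Things Lab. It is a toy model, in Python, of the mechanics described above for the infector (detect the loader in sector 0, unpack the rest of the 63-sector area, hook the passphrase prompt, repack, fix up the size and checksum fields) and for the retrieval step (a second run detects the infection marker and reads back the last passphrase stored). Everything it operates on is constructed in memory: the sector-0 layout (banner string, length/checksum/marker offsets, the passphrase slot), the additive 16-bit checksum and the symbolic hook bytes are assumptions made for this example and do not match TrueCrypt's real boot sector format. The last function shows the check a defender actually needs: after infection the loader's own length and checksum fields still verify, because the infector repairs them, whereas a hash of the whole 63-sector area taken from a trusted environment changes.

```python
"""Toy model of the Evil Maid infection of a packed MBR boot loader.

All data is constructed in memory. The sector-0 layout, checksum rule and
hook bytes below are assumptions for this example, not TrueCrypt's format.
"""
import gzip
import hashlib
import struct

SECTOR = 512
LOADER_SECTORS = 63                  # sector 0 (MBR) + 62 sectors of packed loader
AREA = SECTOR * LOADER_SECTORS

# Assumed sector-0 layout (not TrueCrypt's real offsets):
SIG = b"TrueCrypt Boot Loader"       # banner the detector looks for
SIG_OFF = 0x03
SLOT_OFF, SLOT_LEN = 0x100, 64       # where the hook stores the sniffed passphrase
LEN_OFF = 0x1B0                      # u16: length of the packed loader in bytes
SUM_OFF = 0x1B2                      # u16: additive checksum of the packed loader
MARK_OFF, MARK = 0x1B4, 0xEE         # byte set to MARK once infected

# Assumed stand-in for the unpacked loader's "ask for passphrase" function
# and for the 5-byte near jmp the infector writes over its prologue.
PROMPT_FN = b"\x55\x89\xe5PROMPT"
JMP_STUB = b"\xe9\x00\x00\x00\x00"


def checksum16(data: bytes) -> int:
    return sum(data) & 0xFFFF


def build_clean_image(loader_code: bytes) -> bytes:
    """Construct a fake disk whose first 63 sectors hold a packed loader."""
    packed = gzip.compress(loader_code, mtime=0)
    mbr = bytearray(SECTOR)
    mbr[SIG_OFF:SIG_OFF + len(SIG)] = SIG
    struct.pack_into("<HH", mbr, LEN_OFF, len(packed), checksum16(packed))
    mbr[510:512] = b"\x55\xaa"
    body = packed.ljust(AREA - SECTOR, b"\x00")
    return bytes(mbr) + body + b"\x00" * (8 * SECTOR)   # a few more "disk" sectors


def looks_like_tc_loader(mbr: bytes) -> bool:
    return mbr[510:512] == b"\x55\xaa" and mbr[SIG_OFF:SIG_OFF + len(SIG)] == SIG


def is_infected(image: bytes) -> bool:
    return image[MARK_OFF] == MARK


def unpacked_loader(image: bytes) -> bytes:
    """Verify the loader's own length/checksum fields, then gunzip sectors 1..62."""
    length, chk = struct.unpack_from("<HH", image, LEN_OFF)
    packed = image[SECTOR:SECTOR + length]
    if length > AREA - SECTOR or checksum16(packed) != chk:
        raise ValueError("loader length/checksum fields do not verify")
    return gzip.decompress(packed)


def infect(image: bytes) -> bytes:
    """What the infector does: detect, unpack, hook the prompt, repack, fix up sector 0."""
    mbr = bytearray(image[:SECTOR])
    if not looks_like_tc_loader(mbr):
        raise ValueError("sector 0 does not look like a TrueCrypt loader")
    if is_infected(image):
        raise ValueError("already infected")
    code = unpacked_loader(image)
    at = code.find(PROMPT_FN)
    if at < 0:
        raise ValueError("passphrase prompt function not found")
    # Overwrite the prompt's prologue with a jump to hook code appended to the
    # loader. The hook (symbolic here, real x86 in a real infector) logs the
    # passphrase into the slot, runs the stolen prologue bytes and jumps back.
    stolen = code[at:at + len(PROMPT_FN)]
    stub = JMP_STUB.ljust(len(stolen), b"\x90")
    hook = b"HOOK:log->slot;" + stolen
    packed = gzip.compress(code[:at] + stub + code[at + len(stolen):] + hook, mtime=0)
    if len(packed) > AREA - SECTOR:
        raise ValueError("hooked loader no longer fits in the 62 loader sectors")
    # Repair the MBR fields so the loader's own consistency check keeps passing.
    struct.pack_into("<HH", mbr, LEN_OFF, len(packed), checksum16(packed))
    mbr[MARK_OFF] = MARK
    return bytes(mbr) + packed.ljust(AREA - SECTOR, b"\x00") + image[AREA:]


def record_passphrase(image: bytes, passphrase: bytes) -> bytes:
    """Simulates the hook at the next boot: only the last passphrase entered is kept."""
    if not is_infected(image):
        raise ValueError("not infected")
    buf = bytearray(image)
    buf[SLOT_OFF:SLOT_OFF + SLOT_LEN] = passphrase[:SLOT_LEN - 1].ljust(SLOT_LEN, b"\x00")
    return bytes(buf)


def sniffed_passphrase(image: bytes) -> bytes:
    """What a second boot from the stick would display."""
    return image[SLOT_OFF:SLOT_OFF + SLOT_LEN].split(b"\x00", 1)[0]


def loader_area_digest(image: bytes) -> str:
    """Defender's check: hash the whole 63-sector area from a trusted environment."""
    return hashlib.sha256(image[:AREA]).hexdigest()


if __name__ == "__main__":
    clean = build_clean_image(b"\x90" * 300 + PROMPT_FN + b"\xc3" + b"\x90" * 200)
    known_good = loader_area_digest(clean)
    evil = record_passphrase(infect(clean), b"correct horse battery staple")
    print("loader self-check still passes:", bool(unpacked_loader(evil)))
    print("area digest matches known-good:", loader_area_digest(evil) == known_good)
    print("sniffed passphrase:", sniffed_passphrase(evil))
```

The point to take from the model is the last two lines of the demonstration: the infected loader still satisfies its own size and checksum fields, so any check that trusts data stored in the same sectors the attacker rewrites is worthless. A digest of the whole loader area has to be computed and compared from something the Evil Maid could not modify, which is what the question of protection comes down to.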