Thursday, October 22, 2009

The Hotel Maid Can Defeat Your Full Disk Encryption


Corporate America is finally beginning to get its act together when it comes to full-disk encryption of laptop hard drives, nearly a decade after an avalanche of thefts and data breaches made CIOs and CTOs take notice.

So are you safe leaving your laptop or notebook in your hotel room when you travel? Even if you chain it to the desk, the answer is, "Not so much."

Over at InvisibleThings, founder Joanna Rutkowska details how she and Alex Tereshkin successfully launched an Evil Maid attack, using nothing more than a bootable USB stick, against TrueCrypt system disk encryption. The results are frightening, and not altogether surprising.

Here's the process they followed, reduced for clarity to a few small steps. Somebody leaves a laptop unsupervised somewhere, like a hotel room or coffee shop. In a matter of minutes, an attacker posing as a maid, room service, or maintenance can enter, insert the USB drive, and boot the laptop from it. The Evil Maid tool overwrites the TrueCrypt boot loader, which necessarily sits in the unencrypted first sectors of the disk, with a version that looks and behaves the same but also records the passphrase, essentially a keylogger for the pre-boot prompt. The attacker then removes the USB drive and departs.

When the user returns and boots the laptop again, TrueCrypt prompts for the passphrase as normal, and the unsuspecting user types it in. The patched loader has now captured that credential and stashed it on the disk. The next time the user leaves the laptop unsupervised, the attacker returns, boots from the USB drive again, and walks away with the TrueCrypt passphrase.

No more encryption. No more protection. Say goodbye to your data.

Now, the TrueCrypt developers mount the defense that if you can't ensure the physical security of the hardware, that's your problem. If you can't know for certain that your device hasn't been tampered with, you shouldn't use it for sensitive data, they posit.

While technically true, it's something that encryption vendors don't typically highlight in their product literature. As Rutkowska points out in her exchange with the TrueCrypt reps, if she has to lock her laptop in a safe or strongbox whenever it's not in use, why does she need full disk encryption at all?

It's easy for consumers and corporations to lapse into complacency once they implement full disk encryption. Physical security becomes less of a priority because of the mistaken belief that the only remaining threat is device theft, and since the entire hard disk is theoretically protected by strong encryption, no data loss can occur.

As we've seen in the above scenario, device theft is just one attack vector. I'd be more worried about the attacker who, passphrase in hand, boots into the OS and plants a rootkit or other malware that evades detection and allows remote data retrieval or monitoring. Why steal the device when you can access the contents whenever you'd like?

Further, what if the installed malware allows penetration of your network, perhaps spreading similar malicious code to other workstations, servers, and network devices? A lack of physical security focus on a single laptop could conceivably compromise your enterprise.

There's no easy answer here. You could add a second factor, such as a key file or token required alongside the passphrase, which defeats a plain keystroke logger. It does not close the hole, though: a tampered loader runs before anything has been verified, so it can just as easily copy the key file, or record the volume key the moment the disk is unlocked. The real fix is a secure boot process anchored in a hardware root of trust that measures or verifies the loader before it runs. TrueCrypt offers nothing of the kind; among mainstream products only Microsoft's BitLocker uses the TPM this way, sealing its key to measurements of the boot code so that a modified loader simply fails to unseal it, and even that does not cover every form of hardware tampering.
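To make both halves of the story concrete, the hotel-room visit described earlier and the loader check just mentioned, here is an added illustration. It is mine, not code from Invisible Things Lab, Rutkowska, or the TrueCrypt project. It models a laptop disk as a constructed byte image whose first sectors hold the plaintext loader, simulates the maid's visit as a write into that region, and shows the one check you can do without a TPM: hash the unencrypted boot region from a USB stick you trust and compare it with a baseline you recorded while the machine was known-good, before you ever type the passphrase. The sector layout, the marker bytes, and the /dev/sda path are assumptions.

```python
"""Toy model of why the hotel maid wins, and of the one check you can do
without a hardware root of trust.

Added illustration for this post, not code from Invisible Things Lab or
from TrueCrypt.  Assumptions: the pre-boot loader occupies the first
LOADER_SECTORS sectors of the disk (the unencrypted track-0 gap before the
first partition), and the trusted baseline is a SHA-256 of that region
recorded on a USB stick you keep on your person.
"""

import hashlib
import hmac
import os

SECTOR = 512
LOADER_SECTORS = 63                 # assumption: MBR plus the rest of track 0
LOADER_BYTES = SECTOR * LOADER_SECTORS


def make_disk_image(size_sectors: int = 256) -> bytearray:
    """Constructed stand-in for a laptop disk (not a real TrueCrypt volume).

    The loader region is plaintext by necessity: the CPU must execute it
    before any key exists.  Everything after it is 'ciphertext', modelled
    as random bytes, which is what a properly encrypted volume looks like
    to anyone without the key.
    """
    img = bytearray(size_sectors * SECTOR)
    header = b"TRUECRYPT-LOADER-STANDIN"          # constructed, not real loader code
    img[:LOADER_BYTES] = header + b"\x90" * (LOADER_BYTES - len(header))
    img[510:512] = b"\x55\xaa"                    # classic MBR boot signature
    img[LOADER_BYTES:] = os.urandom(len(img) - LOADER_BYTES)
    return img


def measure_region(data: bytes) -> str:
    """SHA-256 hex digest of an arbitrary byte region."""
    return hashlib.sha256(bytes(data)).hexdigest()


def measure_loader(img: bytes) -> str:
    """What you record while the machine is still known-good (on the USB
    stick you carry, or in a TPM PCR if your platform has one)."""
    return measure_region(img[:LOADER_BYTES])


def measure_loader_from_path(path: str) -> str:
    """Same measurement against a raw device or image file, e.g. /dev/sda
    when booted from a live USB (device path is an assumption)."""
    with open(path, "rb") as fh:
        return measure_region(fh.read(LOADER_BYTES))


def evil_maid_tamper(img: bytearray, marker: bytes = b"EVIL-MAID-WAS-HERE") -> None:
    """Simulates the maid's two-minute visit: overwrite part of the loader.

    The real tool swaps in a passphrase prompt that also saves what you
    type into a spare unencrypted sector for later pickup.  Here we only
    plant a marker; the point is that no ciphertext is touched and no
    cryptography is broken.
    """
    offset = LOADER_BYTES - SECTOR    # last loader sector, clear of the MBR
    img[offset:offset + len(marker)] = marker


def loader_is_trusted(img: bytes, baseline: str) -> bool:
    """The pre-boot check, run from trusted media BEFORE typing anything."""
    return hmac.compare_digest(measure_loader(img), baseline)


def demo() -> dict:
    """Walks the full scenario and reports what the check sees at each step."""
    disk = make_disk_image()
    baseline = measure_loader(disk)              # day 0: machine is trusted
    cipher_before = measure_region(disk[LOADER_BYTES:])

    trusted_before = loader_is_trusted(disk, baseline)
    evil_maid_tamper(disk)                       # the hotel-room visit
    trusted_after = loader_is_trusted(disk, baseline)
    cipher_after = measure_region(disk[LOADER_BYTES:])

    return {
        "trusted_before_visit": trusted_before,                 # True
        "trusted_after_visit": trusted_after,                   # False: loader changed
        "ciphertext_untouched": cipher_before == cipher_after,  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check only helps if both the baseline and the checker live on media you carry with you: a hash stored on the laptop itself is something the maid can rewrite along with the loader. Automating exactly this comparison in hardware, before the loader gets control, is what a TPM-measured boot does, and why it belongs in the root-of-trust category the text calls for.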

The best solution is to continue a defense-in-depth strategy with physical security as a key component. Don't leave your laptop unattended anywhere that lacks access control you trust, including hotel rooms, checked baggage, and your local Starbucks. Assuming you're not concerned with an NSA-level attack, the combination of full disk encryption and robust physical security should protect you against most threats, although nothing prevents 100% of attacks.

Rutkowska's article is an excellent exposé of this particular weakness in the security chain, and she even walks us through how to download and use Evil Maid.

Remember - it's for lab use only. We've sworn to use our powers only for good.

Image via Wikimedia Commons
