Definition

evil maid attack

An evil maid attack is a security exploit that targets a computing device that has been shut down and left unattended. An evil maid attack is characterized by the attacker's ability to physically access the target multiple times without the owner's knowledge.

An evil maid attack might unfold like this:

Scene I: A Chief Financial Officer (CFO) is at a conference. When she goes out to dinner for a little social networking with her peers, she leaves her laptop in her hotel room, confident that any corporate data on the laptop is safe because the hard drive is encrypted.

Scene II: An evil maid (who is actually a corporate spy involved in industrial espionage) spots the CFO leaving her room.

Scene III: The evil maid sneaks into the CFO's room and boots up her laptop from a compromised bootloader on a USB stick. The evil maid then installs a keylogger to capture the CFO's encryption key and shuts the laptop back down.

Scene IV: The CFO returns from dinner and boots up her computer. Suspecting nothing, she enters her encryption key and unlocks the laptop's disk drive.

Scene V: The following morning, while the CFO is downstairs at breakfast, the evil maid comes back and retrieves the CFO's encryption key.

The purpose of the attack may be to steal and sell the key, or to alter the laptop's software on the spot; whatever the motive, the laptop has been handled twice by an unauthorized person without any alarm being raised.

Besides giving this type of attack a very catchy name, Polish security researcher Joanna Rutkowska successfully demonstrated in 2009 that even full disk encryption (FDE) cannot be counted on to protect a laptop once an attacker has physical access to the device. Since then, the name "evil maid" has caught on with security professionals, and the label is used more generally for scenarios in which the attacker does not simply steal the device, or access it once to clone the hard drive, but returns multiple times to wreak havoc.
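The weakness the scenario exploits is that FDE leaves the bootloader and kernel images readable and writable by anyone who can boot the machine from their own media. As an added example (not part of this definition), the Python below pins SHA-256 digests of a boot partition's files into a manifest and, on a later check, reports anything modified, added or missing; the directory layout and file names are constructed stand-ins for a real /boot.

```python
import hashlib
import tempfile
from pathlib import Path

def digest_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def compare_manifest(pinned, current):
    """Diff a pinned manifest against a fresh scan.

    Returns sorted lists of files whose digest changed, files that appeared,
    and files that vanished. Any non-empty list means the unencrypted boot
    partition was altered since the owner last verified it.
    """
    modified = sorted(p for p in pinned if p in current and pinned[p] != current[p])
    added = sorted(set(current) - set(pinned))
    missing = sorted(set(pinned) - set(current))
    return {"modified": modified, "added": added, "missing": missing}

def demo():
    """Constructed scenario: pin a clean boot partition, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)  # stands in for the real unencrypted /boot (assumption)
        (boot / "grub").mkdir()
        (boot / "grub" / "grub.cfg").write_bytes(b"set default=0\n")
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "initrd.img").write_bytes(b"constructed initramfs")
        # Owner records the manifest while the machine is known-good and keeps
        # it off the device; the laptop itself can no longer be trusted to hold it.
        pinned = digest_tree(boot)
        # Someone with physical access edits the bootloader config and drops a file.
        (boot / "grub" / "grub.cfg").write_bytes(b"set default=0\n# constructed edit\n")
        (boot / "grub" / "extra.mod").write_bytes(b"constructed unexpected file")
        return compare_manifest(pinned, digest_tree(boot))

if __name__ == "__main__":
    print(demo())
```

The manifest and the checker must live off the device (on media the owner carries) and run before the passphrase is typed; a check stored on the same unencrypted partition could be altered during the same visit.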

See also: physical security, hard drive encryption, mobile device management

This was last updated in July 2013
Posted by: Margaret Rouse
