
Evil maid attacks: How can they be stopped?

What is an 'evil maid' attack and how can enterprises prevent it? Expert Nick Lewis explains the threat and the precautions employees should take when traveling.

I've heard about several "evil maid attacks" recently. How do these attacks work, and what precautions should I take when traveling? Is full disk encryption enough to protect my data in case an attacker steals my laptop?

Full disk encryption (FDE) is not a panacea for data protection. There are a number of ways to bypass FDE and reach the encrypted data on a device, and the evil maid attack is one of them. In an evil maid attack, an attacker gets physical access to a device such as a laptop: the owner assumes the device is safe in a hotel room, but an "evil maid" enters the room and tampers with the computer. FDE only protects data at rest; the code that boots the machine and prompts for the passphrase is itself stored unencrypted, so the attacker can modify the boot loader to capture the password (a software keystroke logger) or attach a hardware keylogger, and then return to the room later to retrieve the captured password and decrypt the data on the system.

Basically, the owner of the device is relying on an assumption about a security control, in this case the physical security of a hotel room, and has not planned for what happens if that control fails. Many people in information security make such assumptions, intentionally and unintentionally, because they need to solve the problem at hand with the resources available. Most do not have the luxury of a comprehensive risk assessment for every device or scenario, such as a rare evil maid attack, but the assessments that are done must be thorough and flexible enough to adapt quickly when risks and security controls change.

Full disk encryption is not enough to protect your data if an attacker gains physical access to your laptop. Several measures raise the cost of an evil maid attack: use a strong passphrase; set a BIOS/UEFI firmware password so the firmware settings cannot be changed; restrict the boot order to the internal drive so the system cannot be booted from USB or the network; and keep some form of tamper evidence so you notice if the hardware or the unencrypted boot files have been changed. Keep in mind that a firmware password and a locked boot order do not stop an attacker who pulls the drive and rewrites the unencrypted boot partition on another machine, so a verified or measured boot chain (Secure Boot, or a TPM-backed unlock combined with a PIN) is what actually ties the passphrase prompt to unmodified boot code. The simplest measure may be to keep the device with you rather than leaving it in a hotel room or any other unattended location.
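The "tamper evidence" measure above can be automated for the part of the disk that FDE leaves unencrypted, typically /boot or the EFI system partition. The following is an added example written for this page, not code from the original article or from any product it mentions: it records a SHA-256 baseline of every file under a boot directory and later reports anything added, removed or modified. The directory names, file contents and the tampering scenario in `demo()` are all constructed for the demonstration. To be meaningful, the baseline and the checker must live on media you carry (or off the device entirely), and the check should be run from a clean live USB rather than from the possibly compromised installed OS.

```python
"""Baseline-and-verify check for the unencrypted boot partition.

Added example for this page, not from the original article. On a real
system point hash_tree()/verify() at /boot or the EFI system partition,
which stay unencrypted under full disk encryption, and keep the baseline
file on media you carry with you so the attacker cannot update it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Write the current tree hashes to baseline_file (store this copy OFF the laptop)."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))


def verify(root, baseline_file):
    """Compare root against the saved baseline.

    Returns {'added': [...], 'removed': [...], 'modified': [...]}; all three
    empty means the boot files match the baseline.
    """
    baseline = json.loads(Path(baseline_file).read_text())
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: fake boot tree, baseline, then a tampered boot loader.

    Returns (clean_report, tampered_report) so the two can be compared.
    """
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "grub").mkdir(parents=True)
        # constructed stand-ins for a kernel image and a boot loader binary
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "grub" / "grubx64.efi").write_bytes(b"constructed boot loader")

        baseline = Path(tmp) / "boot-baseline.json"
        save_baseline(boot, baseline)
        clean = verify(boot, baseline)

        # simulate the evil maid: swap the boot loader for a trojaned copy
        # and drop an extra module that the original tree never had
        (boot / "grub" / "grubx64.efi").write_bytes(b"constructed boot loader plus keylogger")
        (boot / "grub" / "extra.mod").write_bytes(b"constructed extra module")
        tampered = verify(boot, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean:", clean_report)
    print("tampered:", tampered_report)
```

A hash check like this is evidence, not prevention: a boot loader that was already replaced can lie to any program running on top of it, which is why the check belongs on trusted removable media and why a TPM-measured or Secure Boot chain, which refuses to release the disk key or to run unsigned boot code at all, is the stronger control.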


This was last published in March 2016
