Abstract
Historically, the boot phase on personal computers left systems in a relatively vulnerable state. Because traditional antivirus software runs within the operating system, the boot environment is difficult to protect from malware. Examples of attacks against bootloaders include so‐called “evil maid” attacks, in which an intruder physically obtains a boot disk to install malicious software for obtaining the password used to encrypt a disk. The password then must be stored and retrieved again through physical access. In this paper, we discuss an attack that borrows concepts from the evil maid. We assume exploitation can be used to infect a bootloader on a system running macOS remotely to install code to steal the user's password. We explore the ability to create a communication channel between the bootloader and the operating system to remotely steal the password for a disk protected by FileVault 2. On a macOS system, this attack has additional implications due to “password forwarding” technology, in which a user's account password also serves as the FileVault password, enabling an additional attack surface through privilege escalation.
Highlights
The “evil maid” attack gets its name from a hypothetical situation in which, say, a high-ranking company official is out of his hotel room and a maid is paid by an adversary to go into the room and plant malware on an encrypted computer system
The goal of an evil maid attack is to obtain a full disk encryption (FDE) password to be able to decrypt a disk drive. This generally assumes that physical access will be used again once the password is stolen to exfiltrate sensitive data or that the disk drive was copied at the same time the malware was planted on the system
We begin with a discussion of the concepts of disk encryption and the function of the unified extensible firmware interface (UEFI) in the preboot environment
Summary
The “evil maid” attack gets its name from a hypothetical situation in which, say, a high-ranking company official is out of his hotel room and a maid is paid by an adversary to go into the room and plant malware on an encrypted computer system. The next time the computer is used, the malware steals the encryption password. Such an attack takes advantage of the vulnerable state of a computer system before it boots into its operating system environment. The goal of an evil maid attack is to obtain a full disk encryption (FDE) password to be able to decrypt a disk drive. This generally assumes that physical access will be used again once the password is stolen to exfiltrate sensitive data, or that the disk drive was copied at the same time the malware was planted on the system. This is true regardless of any login credentials that may be present in the operating system installation; the plaintext data can be viewed as long as the disk volume can be mounted. To render such stolen disk drives useless to thieves, FDE can be employed.