Evil Maid Attack Definition

An evil maid attack happens when an attacker gets brief physical access to an unattended device and secretly tampers with it. The goal is to steal data from it or set up a way to access the device remotely at a later time. Evil maid attacks are executed quickly and leave very few traces to reduce the risk of the owner noticing anything is happening.

The name was coined in 2009 by a security analyst, Joanna Rutkowska. It refers to a hypothetical scenario in which a maid could compromise a device left unattended in a hotel room. However, an evil maid attack could take place anywhere the device is away from the owner, like at an airport inspection, for example.

How an Evil Maid Attack Works

Once an attacker has the device, they may:

• Copy the data stored on it
• Install malware to access the device at a later time
• Add a keylogger to record everything typed on it
• Change startup or firmware settings to take control before the operating system loads

These attacks typically happen over very short periods of time but can leave long-lasting effects.

Evil Maid Attack Types

• Data theft: Harvesting data directly from the device, typically possible only if the device doesn’t have password protection or full disk encryption.
• Malware infection: Installing malware on the device to allow the attacker to remotely access the device.
• Keyloggers: Collecting everything the device’s owner types on the keyboard to get sensitive data, including the target’s passwords.
• Bootkits: Hiding malware in the device’s startup code to gain control once the device is booted up. Since it works before the operating system starts up, a bootkit could avoid some antivirus software.
• Firmware infection: Tampering with firmware like BIOS or UEFI to capture device credentials and gain control before the operating system starts.

Read More

• What Is a Man-in-the-Middle Attack?
• What Is a USB Drop Attack?
• What Is an Offline Attack?

FAQ