Updating Intel ATA controller
EDITED TO ADD (12/9): A similar attack is possible against BitLocker with a TPM.
Tags: computer security, encryption, hacking, malware, privacy, TPM
Posted on October 23, 2009 at AM • 189 Comments
October 23, 2009 AM
The bootloader could also grab the code from the USB token and the password.
As soon as you give up physical control of your computer, all bets are off.
No security product on the market today can protect you if the underlying computer has been compromised by malware with root level administrative privileges.
It might install malware to capture the key and send it over the Internet somewhere, or store it in some location on the disk to be retrieved later, or whatever.
You can see why it's called the "evil maid" attack; a likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader.
It does not protect against an attacker who has access to your computer over a period of time during which you use it, too.
EDITED TO ADD (10/23): A few readers have pointed out that BitLocker, the one thing that has come out of Microsoft's Trusted Computing initiative in the seven-plus years they've been working on it, can prevent these sorts of attacks if the computer has a TPM module, version 1.2 or later, on the motherboard.
If the thumb drive does not only contain the bootloader but also some kind of secret, you have two-factor authentication, too.
(Note: Not all computers do.) I actually knew that; I just didn't remember it.
EDITED TO ADD (11/12): Peter Kleissner's Stoned Boot attacks on TrueCrypt.
That said, there exist well-understood, common-sense defenses against "Cold Boot," "Stoned Boot," "Evil Maid," and many other attacks yet to be named and publicized.
The defenses are basically two-factor authentication: a token you don't leave in your hotel room for the maid to find and use. The same maid could even sneak back the next night and erase any traces of her actions. This attack exploits the same basic vulnerability as the "Cold Boot" attack from last year, and the "Stoned Boot" attack from earlier this year, and there's no real defense to this sort of thing. Basically, the attack works like this:
Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume.