Every time I read stuff about secure boot, "evil maid" attack scenarios come up. And every time, they fail to mention the easiest one.
The attack described here involves dismantling the victim's hard drive. I have an attack that isn't defeated by secure boot, and doesn't even require dismantling anything.
Steal the original laptop. Take another physically identical unit. Replace it. Copy the login screen of the original laptop onto a brand new laptop, and have it log the password and send it to you over wifi when the victim types it.
There. I stole your data. Without any security flaw. In the exact same threat model described.
This or the 'glitter nail-polish' pseudo-holographic identifiers both ignore that if you have a physically identical laptop save cosmetics, you can swap in the motherboard and hard disk from the replacement unit. Externally, it's identical, internally it's all compromised.
Presumably the laptop could be designed such that opening the case would separate some contacts in a circuit, which in turn would clear some important secret value from memory.
If you have a separate authentication device, it could warn you that this had happened, to prevent the attack of someone opening the case to add a circuit which broadcasts your key presses, for example.
This still only reduces the problem from keeping your laptop with you at all times to keeping your authentication device with you at all times, though.
If you put the nail polish on the screws or seams, you could make it where you couldn't take apart the laptop to replace the motherboard without damaging them, right?
Hmm, it took me 2 hours when I had to do this a few years ago, but I'm pretty sure I could do it in 15 minutes if I practiced a few times and had 3 drills with two Torx and one Phillips driver bits.
Swapping the SSD and adding a keylogger to the ribbon cable would be a lot faster too, maybe 5 minutes with practice.
The solution is to use an HSM such as the Nitrokey/Purism Librem Key (same thing) that has an LED that lights up if boot integrity is fine, including a TPM secret matching (the maid can't clone that).
This is essentially the same solution, right? It boils down to having a single device that verifies the integrity of everything and never letting that device out of your sight. It's just marginally easier to do that when the device in question is an HSM rather than a laptop.
> Copy the login screen of the original laptop onto a brand new laptop, and have it log the password and send it to you over wifi when the victim types it.
This is why you need mutual authentication. The easiest is with 2 passwords. You enter a password; this authenticates you to the system. Now the system presents you some secret. It may be a passphrase, something not obvious like a password prompt with a typo, or a splash screen with some pixels a bit off that are visible at the right angle. Something that casual shoulder-surfing won't gather. Only when the system has authenticated itself to you do you enter the 2nd password to actually unlock the filesystem.
As for "identical replacement" of a system - good luck. A bit of glitter and nail polish on screws and it will cost a fortune to do so. If you have those capabilities you probably have the capabilities to "nicely ask me for the password".
We used glitter glue on ports for certain traveling individuals. Took pictures of the hardened glue. Very hard for a maid to replicate, be it evil or really good.
If someone is considering an "evil maid" style attack, the objective is to compromise your security without you knowing (so that you will continue using the device believing it is still secure). "Asking nicely" isn't going to accomplish that.
Replicating the chassis (including the scratches, etc.) and other laptop parts is the hardest part of your attack. I assume you don't know about the nail-polish with glitter based protection?
Even "copying the login screen" is not necessarily easy.
You know the scratches on the chassis of your laptop? I definitely don't. If someone replaces my laptop with a brand new one, I'll notice something is off, but I wouldn't be surprised I'd notice /after/ typing my password. If rather than brand new, it's replaced another laptop with approximately same age/usage, I would most definitely not notice.
> I assume you don't know about the nail-polish with glitter based protection?
Nope, can you explain?
But okay, you may extend my attack by saying that you exchange the motherboard between the victim and the attacker laptop, so that you don't need to replicate the chassis.
> Even "copying the login screen" is not necessarily easy.
Personally my login screen is Ubuntu's default FDE screen untouched, so there is literally no work involved to attack me there. I have absolutely no idea how to customize the FDE screen. But even if I did, I'd expect that it would be pretty easy to plug in an HDMI capture to have a close-enough duplicate of the screen.
> But okay, you may extend my attack by saying that you exchange the motherboard between the victim and the attacker laptop, so that you don't need to replicate the chassis.
Modern computers have tamper detection, and if you open them you'll need to type the BIOS password.
However, replacing the motherboard is going to replace the TPM. This is easily detectable with something like tpm2_totp in the bootchain.
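The two comments above (the "system presents you some secret before you type the unlock password" scheme, and tpm2_totp catching a replaced TPM) are the same idea: the machine proves it is the machine you enrolled before you hand it the FDE passphrase. The Python below is an added example written for this thread, not the tpm2-totp project's code. It implements RFC 4226/6238 HOTP/TOTP (verified against the RFC test key "12345678901234567890") and a deliberately simplified `ToyTPM` whose `policy_digest` of constructed boot measurements stands in for a real PCR policy; the scenario names and measurement strings are made up for the demo. A TOTP code plays the role of the "secret the system presents", with the advantage that a code captured from one boot (over HDMI, or by shoulder-surfing) is useless 30 seconds later.

```python
import hashlib
import hmac
import struct

# Constructed demo values. The secret is the RFC 6238 test key, standing in for
# the secret a tpm2-totp style scheme seals to the TPM at enrolment; the
# measurement list stands in for the boot-chain hashes extended into PCRs.
ENROLLED_SECRET = b"12345678901234567890"
TRUSTED_BOOT_CHAIN = [b"firmware-v1", b"shim", b"grub", b"kernel"]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def policy_digest(measurements) -> bytes:
    """Simplified stand-in for a PCR policy: one hash over the ordered boot measurements."""
    h = hashlib.sha256()
    for m in measurements:
        h.update(hashlib.sha256(m).digest())
    return h.digest()


class ToyTPM:
    """Minimal model of seal/unseal bound to boot measurements (not a real TPM API)."""

    def __init__(self):
        self._sealed = {}  # policy digest -> secret; a different chip starts empty

    def seal(self, measurements, secret: bytes) -> None:
        self._sealed[policy_digest(measurements)] = secret

    def unseal(self, measurements):
        # None when the measurements differ from those at enrolment (modified
        # boot chain) or when this chip never held the blob (replaced board).
        return self._sealed.get(policy_digest(measurements))


def boot_display_code(tpm: ToyTPM, measurements, now: int):
    """What early boot shows before the passphrase prompt: a TOTP code, or nothing."""
    secret = tpm.unseal(measurements)
    return None if secret is None else totp(secret, now)


def user_accepts(displayed, phone_secret: bytes, now: int) -> bool:
    """The user types the FDE passphrase only if the screen's code matches the phone's."""
    if displayed is None:
        return False
    return hmac.compare_digest(displayed, totp(phone_secret, now))


def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Four boots; only the untampered one should convince the user to unlock."""
    genuine_tpm = ToyTPM()
    genuine_tpm.seal(TRUSTED_BOOT_CHAIN, ENROLLED_SECRET)
    results = {}
    # 1. Genuine laptop, untouched boot chain: code matches the phone.
    results["genuine"] = user_accepts(
        boot_display_code(genuine_tpm, TRUSTED_BOOT_CHAIN, now), ENROLLED_SECRET, now)
    # 2. Same TPM, but the bootloader was modified: PCR policy no longer matches.
    tampered_chain = TRUSTED_BOOT_CHAIN[:2] + [b"grub-modified"] + TRUSTED_BOOT_CHAIN[3:]
    results["modified_bootloader"] = user_accepts(
        boot_display_code(genuine_tpm, tampered_chain, now), ENROLLED_SECRET, now)
    # 3. Motherboard swapped: a different TPM that never held the sealed secret.
    swapped_tpm = ToyTPM()
    results["replaced_motherboard"] = user_accepts(
        boot_display_code(swapped_tpm, TRUSTED_BOOT_CHAIN, now), ENROLLED_SECRET, now)
    # 4. Look-alike laptop with a cloned login screen: it can seal a secret of
    #    its own, but not the one enrolled on the user's phone.
    lookalike_tpm = ToyTPM()
    lookalike_tpm.seal(TRUSTED_BOOT_CHAIN, b"\x00" * 20)
    results["cloned_login_screen"] = user_accepts(
        boot_display_code(lookalike_tpm, TRUSTED_BOOT_CHAIN, now), ENROLLED_SECRET, now)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} -> {'unlock' if ok else 'STOP: code missing or wrong'}")
```

The point the simulation makes is that the user-side check is one comparison against a phone, which is what makes the scheme usable at all; everything hard (sealing to measurements, refusing to unseal on mismatch) is done by the TPM before any passphrase is typed.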
> Modern computers have tamper detection, and if you open them you'll need to type the BIOS password.
Is that somehow configurable from a Linux distribution's setup, or will it require the user to manually set a BIOS password? (And it requires the user to set a different BIOS password: if the user sets the same password for FDE and for the BIOS, then it's back to square 1.)
> However, replacing the motherboard is going to replace the TPM. This is easily detectable with something like tpm2_totp in the bootchain.
That sounds interesting. Though it still sounds totally impossible for the vast majority of users.
At that point, I don't really know what's the goal of TFA. If it's for extreme power users who want the best security, it is missing the various counter-measures mentioned in this thread. If it's about pushing distributions to have better defaults, then I think it's quite moot, because secure boot won't improve security much for average users.
> Is that somehow configurable from a Linux distribution's setup, or will it require the user to manually set a BIOS password? (And it requires the user to set a different BIOS password: if the user sets the same password for FDE and for the BIOS, then it's back to square 1.)
Not yet? And when I said "modern computers" I should probably clarify I'm thinking about more enterprise grade computers. Such as Thinkpads.
Thinkpads also recently got the feature to set the password from Linux userspace. But I forget where I read that, and where the patch is located :)
> That sounds interesting. Though it still sounds totally impossible for the vast majority of users.
It is. But this is why threat modelling is important. If a realistic threat scenario is someone replacing your motherboard, then tpm2_totp should be something you set up.
Listing all possible attack scenarios and assuming any generic distribution protects fully against them is a pipe dream. There needs to be some compromise between usability and security.
>> I assume you don't know about the nail-polish with glitter based protection?
> Nope, can you explain?
You take clear, semi-liquid glue that hardens. The glue has various colored Mylar flecks (aka glitter) floating in it. Slather it onto a device (we did it for exposed ports on devices). The glue is semi-liquid so it will flow reasonably. Once the glue hardens, the orientation, distribution, coloring and such of the flecks are set. Take picture(s) of the hardened glue. (Just search for glitter glue.)
Reproducing the complexity of the glue plus glitter is very hard.
A possible attack is attempting to remove it and insert it back in. The right glitter glue is quite brittle, so it is hard to remove. Heating it will make it hazy before it becomes pliable, and cooling it makes it even more brittle. Breaks show up as white surface inclusions in the glue.