Evil Maid attacks could allow cybercriminals to install a firmware backdoor on a device in just minutes
- Evil Maid is an exploit that physically targets an unattended computer.
- Evil Maid attacks are generally extremely hard to defend against.
Cybercriminals have developed various malicious code and techniques that allow them to remotely access a targeted computer, smartphone or other electronic device.
However, attacks in which the attacker has physical access to a computer are still considered among the simplest, fastest and most effective attack methods. Such attacks are known as “Evil Maid” attacks.
According to Yuriy Bulygin and Alex Bazhaniuk, founders of the US-based firm Eclypsium, attackers can now conduct a classic Evil Maid attack against Intel-powered workstations and servers by abusing a USB system debugging mode to hijack a vulnerable system.
“We confirmed that debug access over USB enables installation of persistent rootkits in UEFI firmware and runtime SMM firmware on systems that do not securely set debug policy,” Eclypsium researchers said in a blog. “This weakness would allow an attacker with physical access to the device to perform an “Evil Maid” attack without opening the case. As others have reported, it is quite difficult to defend against this type of attack.”
The Evil Maid attack is so simple that security experts believe even low-level “script kiddies” or unsophisticated cybercriminals could pull off the attack. Essentially, the attack involves plugging a small device into a vulnerable system’s USB port to install malware, spyware, a rootkit or other malicious software.
The attack requires only two things: a specific debug mode enabled in the chipset, and physical access to the targeted system for a limited period of time.
“One could say that the ease and availability of these tools and techniques make firmware rootkits accessible to non-experts, even “script kiddie” material. We were able to install this rootkit on an enterprise laptop with under 4 minutes of physical access,” Eclypsium researchers added.
How to stay safe
The very nature of the Evil Maid attack makes it extremely difficult to defend against, primarily because in most cases it is nearly impossible to ascertain whether a system has been compromised. There are very few steps one can take to stay safe, apart from physically locking down computers or applying glitter nail polish to detect whether someone has tampered with your computer.
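One thing an administrator can verify is whether the firmware left the processor's silicon debug interface enabled or unlocked. The following Python is an added example, not code from the article or from Eclypsium: it decodes Intel's IA32_DEBUG_INTERFACE MSR (0xC80; bit 0 enable, bit 30 lock, bit 31 debug occurred) and, on Linux with root and the msr module loaded, reads it from /dev/cpu/0/msr. It is one indicator of debug policy, not a check of the whole USB debug configuration.

```python
import os
import struct

# Intel SDM: silicon debug feature control MSR and its defined bits.
IA32_DEBUG_INTERFACE = 0xC80
BIT_ENABLE = 1 << 0          # debug interface currently enabled
BIT_LOCK = 1 << 30           # setting locked until the next reset
BIT_DEBUG_OCCURRED = 1 << 31 # a debug session has occurred since reset


def decode_debug_interface(value):
    """Interpret a raw IA32_DEBUG_INTERFACE value from a defender's view."""
    enabled = bool(value & BIT_ENABLE)
    locked = bool(value & BIT_LOCK)
    occurred = bool(value & BIT_DEBUG_OCCURRED)
    if enabled:
        verdict = "FAIL: silicon debug interface is enabled"
    elif not locked:
        # Disabled today, but ring-0 code could re-enable it at runtime.
        verdict = "WARN: debug disabled but not locked by firmware"
    else:
        verdict = "OK: debug disabled and locked"
    if occurred:
        verdict += " (a debug session occurred since reset)"
    return {"enabled": enabled, "locked": locked,
            "debug_occurred": occurred, "verdict": verdict}


def read_msr(msr, cpu=0):
    """Read one 64-bit MSR via the Linux msr driver (needs root, modprobe msr)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, msr)  # file offset is the MSR address
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


if __name__ == "__main__":
    try:
        value = read_msr(IA32_DEBUG_INTERFACE)
    except OSError as exc:
        # Constructed sample value (debug disabled, not locked) so the
        # decoder can be exercised offline.
        print(f"could not read MSR ({exc}); using constructed sample")
        value = 0x0
    print(hex(value), decode_debug_interface(value)["verdict"])
```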