Evil maid attack definition
An evil maid attack is a type of cyberattack that targets unattended devices. If the device is unprotected, the attacker may attempt to steal data or infect the device with malware; if the device is protected, the evil maid attack may involve tampering with it imperceptibly to steal user credentials later on (for example, by altering firmware to produce a fake password prompt.)
See also: advanced evasion technique, cyberattack, cybercrime, cybercriminal, data theft, two-factor authentication
How an evil maid attack works
- 1.The attacker gains physical access to an unattended device, such as a laptop or mobile phone left in the owner’s hotel room.
- 2.If the device is unencrypted and not protected by a password, the attacker may attempt to immediately download any stored sensitive data (such as personal files, passwords, or encryption keys).
- 3.If the device is encrypted but not password-protected, the attacker may install malware or tamper with the device’s settings to create a backdoor to be exploited later. For example, the attacker may install a keylogger to capture the user’s credentials.
- 4.If the device is password-protected and encrypted, the attacker may modify its firmware to generate a fake password prompt the next time the user boots it up. This fake prompt relays the user’s credentials to the attacker and removes itself from the system after a restart.
- 5.After tampering with the device, the attacker will attempt to conceal their activities by restoring the device to its original state and erasing any compromising logs.
Stopping an evil maid attack
- Never leave devices unattended in vulnerable environments.
- Encrypt your hard drive to prevent attackers from easily stealing your data.
- Enable secure boot features to prevent unauthorized modifications to the boot process and ensure your device only boots trusted software.
- Use tamper-evident seals or other mechanisms to detect physical intrusion.
- Implement multi-factor authentication to protect against unauthorized access even if your password is compromised.
- Regularly inspect the device for signs of tampering, such as unexpected hardware modifications or unfamiliar software.