If an attacker can physically access the computer hardware and you use it after the attacker has physically accessed it, then TrueCrypt may become unable to secure data on the computer. TrueCrypt Developer: We generally disregard “janitor” attacks since they inherently make the machine untrusted. TrueCrypt Developer: Your question was: “And how can you determine that the attacker has or has not worked with your hardware?” My answer was a good safety case or strongbox with a good lock. Q: Which TrueCrypt versions are supported by the current Evil Maid USB? After cracking the TPM, the attacker would still have to mount an Evil Maid attack in order to obtain the passphrase or key. As explained a few months ago on this blog, a reasonably good solution against Evil Maid attack seems to be to take advantage of either static or dynamic root of trust offered by TPM. Nope, the concept behind the Evil Maid Attack is neither new, nor l33t in any way.

Q: How is Evil Maid different from Stoned-Bootkit? Of course that would make the attack non-trivial and much more expensive than the original Evil Maid USB we presented here. Sure, they write “or otherwise compromise the security of the computer”, which does indeed cover e.g. the Evil Maid Attack, but my bet is that very few users would realize what it really means. That’s a fair point, but this means that for the security of our data we must relay on the infeasibility to open our strongbox lock in a “clean” way, i.e. without visually damaging it. Anyway, to answer your question (as a side note), you could use e.g. a proper safety case with a proper lock (or, when you cannot have it with you, store it in a good strongbox). If you use it, then you will notice that the attacker has accessed your notebook inside (as the case or strongbox will be damaged and it cannot be replaced because you had the correct key with you).

If the safety case or strongbox can be opened without getting damaged & unusable, then it’s not a good safety case or strongbox. No. Taking out your HDD, hooking it up to a USB enclosure case and later installing it back to your laptop increases the attack time by some 5-15 minutes at most. We use this stick to verify the unencrypted portions of our laptops (typically the first 63 sectors of sda, and also the whole /boot partition in case of Linux-based laptops where we use LUKS/dm-crypt). Nevertheless, our Disk Hasher stick seems like a reasonable solution and we use it often internally at ITL to validate our laptops. It’s a bootable Linux-based USB stick that can be configured in quite a flexible way to calculate hashes of selected disk sectors and partitions. The best way to approach the situation is to prevent the entry into the home beforehand.

The first approach (SRTM) is what has been implemented in Vista Bitlocker. The dynamic root of trust approach (DRTM) is possible thanks to Intel TXT technology, but currently there is no full disk encryption software that would make use of it. 20And they did all eat, and were filled: and they took up of the fragments that remained twelve baskets full. With an access control system, businesses can issue access cards to employees while maintaining complete control over what each card will open. Please also note that even if we assume somebody “cracked” the TPM chip (e.g. using an electron microscope, or NSA backdoor), that doesn’t mean this person can automatically get access to the encrypted disk contents. You can get the source code for the Evil Maid infector here. A maid has to carry her own laptop to do this though. Do you carry your laptop with you all the time? Joanna Rutkowska: And how can you determine that the attacker have or have not “worked” with your hardware?

Joanna Rutkowska: If I could arrange for a proper lock or an impenetrable strongbox, then why in the world should I need encryption? Even if it is truly read-only, if the attacker can reflash the BIOS, then he or she can install a passphrase sniffer there in the BIOS. Of course it is a valid point, that if we allow a possibility of a physical attack, then the attacker can e.g. install a hardware keylogger. Several months ago I had a discussion with one of the TrueCrypt developers about possible means of preventing the Evil Maid Attack, perhaps using TPM (see below). Guru in Vienna”, is also claimed to be capable of “bypassing TrueCrypt”, which we take to mean a capability to sniff TC’s passphrases or keys. Personally I would love to see TrueCrypt implementing TPM-based trusted boot for its loader, but, well, what can I do? Q: I’ve disabled boot from USB in BIOS and my BIOS is password protected, am I protected against EM?