A exploit to bypass TrueCrypt encryption: Evil Maid

Discussion in 'encryption problems' started by Justintime123, Sep 10, 2015.

  1. Justintime123

    Justintime123 Registered Member

    Joined:
    Jun 15, 2013
    Posts:
    95
    This is a follow up on the Evil Maid exploit
    A software exploit called Evil Maid can bypass Truecrypt encryption
     
    Last edited by a moderator: Sep 10, 2015
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Pwning Past Whole Disk Encryption

    Published in Winter 2009-2010 (26:4) Issue of 2600 Magazine
    (This is posted in the linux forum here)

    This article contains an excellent read about pwning ANY full disk encryption machine using Linux, with a standard physical boot configuration. The process of doing the same thing with TrueCrypt is trivial. As a compiler of this product I have seen how easy it is to take control with physical access. I am not some master coder but I hold my own on this software.

    Absolutely the best way to protect yourself is to remove the bootloader (Linux /boot or Windows mbr loader (1-446 of 512) from your machine. You then use a bootable flash device to actually boot either system. I do both Linux and Win 10 in this fashion. If an adversary has physical access to your machine and has taken the time to construct a "script" ahead of time they can pwn you in very short order. Further; after pwning you the script will write back the original loader and you will not even know I was there!! Meanly: when you enter your credentials you make it all happen, because if you never came back to the machine I would have nothing.

    Although another thread all its own, there is so much to learn about protecting the MBR on a computer. Its a place that many an adversary will attack in an attempt to gain access. On modern computers with full disk encryption its the only bytes (512 mbr) that are unencrypted.

    I have even written executable bash scripts that automatically do sha256 checksums on my MBR when my Linux system boots up. Until I know the MBR remains unchanged I go nowhere. Simple and sure fire!

    So now we drop to the firmware/bios as the last spot left. That is another thread and has nothing to do with encryption.
     
    Last edited: Sep 10, 2015
  3. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    59
    Does using SecureBoot/UEFI help at all with these types of attacks?

    Also, how does one create a boot USB drive to boot Windows 10? Interesting idea!
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    This is a super easy thing to do. First off, if you are using TrueCrypt with any version of Windows the TC rescue disk will contain everything you need ---- except for one other simple process. The rescue disk image (under 2 meg in size) needs to be placed on a BOOTABLE usb flash stick.

    The TC rescue disk will not create the bootable stick, and that is the one simple thing you'll do on your own before copying the image to the stick. Google a quick Grub4Dos thread and read about how to create a bootable usb stick. I have written and pasted guides all over the web (different names) so you should get alot of hits with google. Once you get your usb working -- believe me its easy ---- then you can overwrite the MBR on your machine to plain/vanilla and never use it again. You will boot from the usb and remove the flash the instant the password is accepted. The OS won't be booted at that point and no adversary can attack a boot stick that isn't inserted! Get it?
     
  5. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    This is a very cool attack, I must say. It's old, but cool :)

    The way I'd do it is keeping my boot partition on a flash drive, and keeping my BIOS firmware on another flash drive. Then I'd HASH these drives and copy the SHA512SUM's to multiple websites, in case I need to verify that the thumbdrives themselves aren't tampered.
    Also, it's good to keep a copy of the boot partition on the encrypted drive itself, at least on Linux it's very easy to de-crypt the drive and mess with it's contents so that I can copy that boot image into the thumb drive. This is an easier way of making sure the boot image on the drive is the correct one, instead of going online and checking things.

    Good thing that I don't consider myself a viable target for this kind of attack, though.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Ha ha! We think alike, might be a bad thing for you. I also keep my /boot and the loader completely off my linux machines. I have NO concerns for the physical presence of my usb sticks since they are under lock and key when I am absent and are only very briefly inserted to mount. I run shasums on the mbr when I boot Linux to be sure nobody has touched the mbr (even though I don't use it to boot). Exectuable shell scripts are easy to write and then run on boot.

    I would be interested in hearing about how you are handling the BIOS flash you mentioned. Without BIOS onboard I couldn't mount so what exactly is your spare usb bios stick doing for you? I seem to recall you are an Arch lover, which allows for an encrypted/boot. I am fond of Debian, which does not in the generic sense of the word. Again, since the "open internet" never sees my /boot I have no concerns unless I am missing something.

    Consider me an inquiring mind with regard to your bios usb stick procedures!!
     
  7. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    @Palancar

    Actually I keep my firmware image on the USB so that I can re-flash it if I find necessary. I don' t know if there is a way of booting the motherboard via USB :confused:

    How could you encrypt your /boot partition? For all I know there isn't an easy way of doing this, regardless of Linux distro.
     
  8. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    59
    I us Bitlocker so is this still possible (to boot off a USB flash drive)? I
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Bear in mind I've only given this a "casual" read since my particular needs don't require mobility (my /boot sticks are not out in public - ever). This same author has a guide for doing it in Linux Mint as well.

    http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/


    In response to your bios flash image: that is what I thought you meant but I wasn't sure until now. I guess the million dollar question is how does one know if they need to "re-hit" their flash? LOL!
     
  10. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    Thanks, I'll read that.

    On the BIOS question: I don't know if I need, because it will take too long analysing things. That's why just re-flashing it for a few seconds is my option :)
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I have no direct experience with Bitlocker.

    For anyone reading along there is always one very simple procedure that absolutely will work on ALL disks using MBR alignment. You can dd a clean KNOWN to be good image of your MBR (only 512 bytes) and add it to a Grub4Dos stick. Then you bring up the Grub4Dos flash (takes like 2 seconds) and have it execute an auto-write of the stored MBR file. This would mean that you KNOW the valid MBR's 512 bytes are being used to mount your OS. It can't get much easier but then I've done this stuff for a decade now. LOL!
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    That makes perfect sense except for I am quite a good friend of Mr. Murphy. Know Murphy's law?? I have flashed quite a few bios (s) over the years and so far I haven't bricked one yet. Its the one area of my computer tweaking where Murphy hasn't found me ---------------- but I am due. LOL!
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    Yes, flashing BIOS'es is a risky operation. Good thing that ASRock has this "Instant Flash" utility that allows users to flash their BIOS with the press of a button. It automatically scans the ROM image and proceeds if it's the right one :)
     
  14. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I haven't researched this yet. What would be nice is if it checked (would have to read bios out first) for changes. No changes; would mean no need to write anything. Also, in a dream world it would only write differences (like an incremental backup).

    I will only write a bios while connected to a nice UPS just in case.

    Thanks for taking the time to post along here. I enjoy your company and shared thoughts.
     
  15. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    Thank you for your kind words :) I think the same of you :-*

    I remember reading Bruce Schneier (or some other respected source) saying that it's easy to see if the BIOS was modified or not, but that program was running on Windows so it's pretty much useless to us :p
    I don't have the link ATM so I can't other people in this thread, sorry.
     
  16. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    This is why we have SecureBoot, no? TC, et. al. doesn't work with UEFI.

    Using a token (BitLocker can be configured to use a hardware key, like a flash drive) would guard against this.
     
Loading...