What is an "Evil Maid" Attack and Why Should You Care?

6/18/2020

gloved hand placing usb with skull on it into a laptop

Have you ever seen a movie or TV show where a good guy or a bad guy enters an office or hotel room, sticks a USB drive into a computer, and very quickly extracts all the information from the computer? Believe it or not, that kind of attack has a name: it is an "evil maid" attack. The names come from the concept that someone on night staff at a company or housekeeping staff at a hotel could compromise a computer that was left unattended. From Wikipedia, "An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device or the data on it."

I lock my laptop in the hotel room safe when I leave the room, but even those are not truly protection and I will address that issue in the future. I think the bigger danger may be businesses that are cleaned at night. But with so many people working at home today, work computers at home may be vulnerable especially as people begin to leave their homes.

I have had my office at home for many years. I have implemented additional security mechanisms at my house because that is my normal office, but not everyone has done that. The types of locks used to secure homes, for instance, are not the same types used to secure businesses. The home versions are generally less expensive to fit homeowner budgets. Likewise, home alarm systems may not be up to the standards of commercial systems.

The lower level of security may make unauthorized access easier. And many people allow access to their residences when they are away. From dog walkers to house cleaners to tradespeople, authorized access can also be an issue: few of us vet those people as well as contractors and employees at work might be vetted.

Mitigations

It would likely be cost-prohibitive for companies to changes locks on employee residences; it may even be impossible where employees live in apartments or condos. It would also be unwieldy to ask employees to formally vet all the workers who come to their residences. Even if these measures were possible, physical security of the devices is essential.

Laptops and tablets that might contain any sensitive information need to be secured when not in use. A good safe that is difficult to enter and difficult to move would be appropriate. I have seen people lock laptops in safes that are small enough that the safe and contents can be carried by one person. Unless that safe is secured to the structure, it becomes fundamentally useless.

A monitored alarm system would be a good additional mitigation, too. Some residential alarm systems are more secure than others, which should go without saying. Online videos show how some can be easily defeated. (I am intentionally not sharing links.) Corporate security organizations should recommend specific systems to those working at home.

Additionally, systems should use very strong passwords, be regularly patched, disabled unneeded ports, have locked cases, and use other cyber security measures we discuss in Learning Tree's Cyber Security introduction, Course 468.[:]

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.