Evil Maid Attack Takes Your PC To The Cleaners With Sub-4 Minute Backdoor Firmware Install

Evil Maid
If your laptop contains sensitive data, it is best not to leave it unattended. That is sound advice even it does not have any work secrets or other potentially compromising data, and you want to avoid falling prey to malware. In case you need a reason why, a security firm recently posted a video showing how quickly a hacker with physical access to someone's laptop can install malicious firmware onto the device.

These types of security intrusions are called "evil maid" attacks, named after the scenario of someone breaking into a hotel room to physically access a target's notebook. Normally only the hotel's maid would go in and out of the hotel room, hence the clever "evil maid" designation. Of course, these types of attacks can occur anywhere, not just in hotels.

Realistically, this is not something the average user has to worry about—it's more likely they would have their unattended laptop stolen, versus a hacker going through the trouble of installing malicious firmware and giving themselves backdoor entry into the compromised system. However, anyone with sensitive data, particularly top secret documents, should take extra precautions against this sort of thing, like locking their laptop in a safe (most hotels provide one in the room).

While a bit more difficult to pull off than a phishing email, executing an evil maid attack isn't overly difficult, provided the attacker has the right tools. Security firm Eclypsium demonstrated this by having one of its researchers, Mickey Shkatov, open up a laptop and hack the firmware in just four minutes.

"An attacker with physical access can simply attach a hardware programmer and modify firmware. While this may seem like it requires specialized equipment and detailed knowledge, it is actually quite easy in most cases. Most firmware is stored on a Serial Programmable Interface (SPI) flash chip. This creates a physical standard for reads and writes to the storage chip, and SPI flash programmers are relatively easy to buy or create," Eclypsium explains.

In the video, Shkatov is shown unscrewing the bottom panel from a Dell laptop, and then removing a heatspreader to gain access to the flash chip. Using a device that is purpose built for flashing firmware and that only costs around $285, he proceeded to load a generic proof-of-concept backdoor obtained from GitHub onto the laptop. From start to finish, the hack took just over four minutes complete, which includes disassembling and reattaching the laptop's bottom panel.

"The first protection is to maintain complete physical control over sensitive systems. This can be difficult, however. If a sensitive system does fail this check, there is very serious risk from anyone who has physical access to the system even for a very limited period of time. Just by plugging a cable into the USB port and running a script, they may be able to bypass nearly all security technologies," Eclypsium adds.

Another precaution that users can take is to disable the firmware's debug features, if that is an option in the BIOS. Either way, if you own a laptop that is easy to service and are worried about this sort of thing, keep it within sight or lock it away when not in use.

Thumbnail/Top Image Source: YouTube via Eclypsium