What is an Evil Maid attack and how is it different from Evil Twin attack?

• These type of attacks can occur in public places, hotels, and cafes.
• Evil Maid can pose a high risk for company executives, government officials and journalists as they possess a lot of confidential information.

Dealing with Evil Maid attacks is important as overlooking it can lead to loss of your sensitive data and more. These type of attacks usually occur in public areas, hotels, and cafes. The attacker can be in the form of anyone - a stranger, a maid or some friend.

In 2018, Harry Sintonen, a senior security consultant from F-Secure had issued a fresh warning about evil maid attacks exploiting Intel’s Active Management Technology and other techniques.

The investigation showed that insecure defaults in Intel’s Active Management Technology (ATM) could lead to the ‘evil maid’ scenario. The issue in the ATM could allow an intruder to completely bypass login credentials in any laptop in 30 seconds. He said even a minute of distraction from the laptop was enough for an attacker to gain access to the target machine.

What is an Evil Maid attack - An Evil Maid attack is an attack in which attackers gain physical access to an unattended computing device for their malicious activities. A simple and common way of launching the attack is as follows:

• You are out vacationing or sitting in a restaurant and you suddenly leave your laptop unattended due to some urgency.
• An evil maid or a hacker spots the unattended laptop.
• With the owner of the laptop not around, the evil maid boots the laptop with a compromised bootloader on a USB stick.
• The evil maid then installs a keylogger to capture your login credentials and other sensitive data.

The attack can pose a high risk for company executives, government officials and journalists as they possess a lot of confidential information. Whether the purpose of the attack is to change, steal or sell information, there is a high chance that the attacker can make changes to the device’s software in order to control the device remotely.

How is it different from the Evil Twin attack - The Evil Twin attack is basically a type of Wi-Fi attack. It occurs when a hacker places himself in the vicinity of a legitimate hotspot. Once it is set up, the victims identify the bogus SSID as the legitimate AP and connect their devices to it.

This simplifies the work of the attacker who can later collect personal or corporate information without the knowledge of users.

While both Evil Maid and Evil Twin attacks are intended at stealing sensitive information, Evil Maid attack can be limited by locking the device. The Evil Maid attack can occur only when a hacker gains physical access to the desktop or laptop.

Unlike the Evil Maid attack, Evil Twin attack occurs over wireless communication. Therefore, users must be cautious about connecting with public hot spots for web browsing and online shopping or banking. Corporate employees must connect the internet through a VPN while using free Wi-Fi in public places.

How to stay protected from the Evil Maid attack - The following preventive measures can help you stay safe from the Evil Maid attack:

• Never leave your device unattended;
• Avoid using any unknown external device;
• Ensure BIOS and firmware are up-to-date;
• Adopt full disk encryption;
• Shut down devices when unattended.