On Thwarting Evil Maid Attacks


Above: Thwarting Evil Maid Attacks, Eric Michaud and Ryan Lackey, 30c3.

Guardian journalist Luke Harding pecked out Writing The Snowden Files, an op-ed in which he details the moments when he realized his laptop and cell phone were compromised, and his subsequent experiences with his hardware as it behaved in a compromised manner. Harding was the careless target of a successful Evil Maid Attack, an increasingly sophisticated set of methods in which a target’s hardware is compromised, and the attacker gets access to everything going in and out of the compromised device.


These attacks can be avoided and thwarted. In December 2013, Rift Recon CEO Eric Michaud and Cryptoseal’s Ryan Lackey presented Thwarting Evil Maid Attacks on the main stage at 30c3, the 30-year anniversary of the world’s largest and longest-running hacker conference. In the talk, Michaud and Lackey cover the rapidly changing, bloodthirsty landscape of hardware attacks for the purposes of IP theft and surveillance, with real and practical techniques for preventing, detecting and recovering from the attacks.

What Lackey and Michaud have to offer is invaluable. In the talk, they also show video of a tool used by attack teams specifically in hotel rooms. From Thwarting Evil Maid Attacks:

Increasingly, users and their computing hardware are exposed to a range of software and hardware attacks, ranging from disk imaging to hardware keylogger installation and beyond.

The attack addressed is an entire class of hardware, firmware, and software attacks around the attacker gaining surreptitious access and modification (of hardware/firmware/software) on one or more occasions, followed by the authorized user making normal use of the device after these modifications.

The talk would have done Mr. Harding a world of good, and likely saved everyone he carelessly exposed a world of pain. Still, Harding’s lack of basic operational security practices is a glaring concern – one which deserves our attention.


Harding’s Guardian essay about walking into an Evil Maid Attack was clearly intended to paint a dramatic and exciting picture of what it was like to write his new book on Snowden, for fluffing up PR. But the picture he paints is only entertaining if being a lucid patsy for surveilling all your trusted contacts – and putting them in harm’s way – is your idea of fun times you don’t need to take very seriously.

I had been leaving my own laptop in the safe of my hotel room each day; returning from meeting Greenwald I found the safe would no longer lock.

I ventured out the next morning. My laptop was in the unlocked safe. (It didn’t contain any secrets; merely a work in progress.) A tall American immediately accosted me. He suggested we go sightseeing. (…)

I declined the beer and dinner, later texting my wife: ‘The CIA sent someone to check me out. Their techniques as clumsy as Russians.’ She replied: ‘Really? WTF?’ I added: ‘God knows where they learn their spycraft.’

Instead of telling us he’s done anything to remedy the situation, Harding goes on to describe his experiences of allegedly being surveilled as amusing, and never explains why he allowed it to continue – or whether he notified all of his contacts. Further, Harding closes the essay bemusedly wondering who spied on him, vainly asking his attackers what they think of his book. Harding manages to show us the worst way to deal with Evil Maid Attacks from start to finish, while simultaneously demonstrating why most journalists who write about hacking and security really should never be trusted.

This kind of attention isn’t cool; it puts other people’s lives at stake, and if you think that being spied on and wiretapped is a sign of your impending fame, then you are most certainly someone who should not be trusted with a computer and internet access, let alone a high-risk story.

The essay, in fact, is currently getting him laughed at by every hacker with a shred of OPSEC sensibility, yet his story paints a disturbing picture of the state of security journalists’ cavalier – and dangerous – attitudes about operational security, in light of what is arguably a wholly avoidable episode of surveillance.



Guest post by Violet Blue. Full disclosure: Ms. Blue is a security journalist for Zero Day (CBS Interactive) and is in a personal relationship with Mr. Michaud.
