FS#75585 - USB install drives are vulnerable to "evil maid"s
Attached to Project:
Arch Linux
Opened by Pellegrino Prevete (tallero) - Friday, 12 August 2022, 12:20 GMT
Last edited by Morten Linderud (Foxboron) - Tuesday, 23 August 2022, 17:33 GMT
Details
Problem
Since USB drives are not write-once, an evil maid can easily replace the whole content of the drive with something else, letting an unaware user install an already compromised system. More generally, any system residing on disks in a BIOS or UEFI computer not protected with secure boot seems vulnerable to this kind of attack. Encryption is not relevant as a defense, since the attacker can always replace the bootloader and the kernel to acquire the necessary data from the user himself. [1]

Proposed solution
The easiest feasible mitigation I've found for maids able to alter or replace storage (NB: I suppose we're just scratching the surface here) is to move the kernel, bootloader, checksums and signatures onto a separate safe dongle device. This solution is implemented in https://gitlab.archlinux.org/archlinux/archiso/-/merge_requests/279.

While people are usually not concerned about physical attackers, we should explicitly advise users not to use any single writable drive setup for more than a couple of sessions and always refer them to an iso+dongle buildmodes combo, or simply enable it by default.

References
[1] Fitting Everything Together, Lennart Poettering, 2021 https://0pointer.net/blog/fitting-everything-together.html
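The check the proposal implies, as an added example that is not part of the ticket or of the archiso merge request: a checksum manifest kept on the trusted dongle is used to verify the writable install drive. The function name `verify_drive`, the manifest format (plain `sha256sum` output with paths relative to the drive root) and the return codes are assumptions; file names containing newlines or backslashes are not handled.

```shell
#!/bin/sh
# Added example, not archiso code.
# Assumptions: the dongle is trusted and was booted from; the manifest on it is
# in sha256sum format with paths relative to the root of the install drive.

# verify_drive MANIFEST DRIVE_ROOT
# Returns 0 if the drive matches the manifest,
#         1 if a listed file is missing or has a different hash,
#         2 if the drive holds an entry the manifest does not list.
verify_drive() {
    manifest=$(realpath "$1") || return 1
    drive=$2

    # 1. Every file named in the manifest must exist with the recorded hash.
    ( cd "$drive" && sha256sum -c "$manifest" >&2 ) || return 1

    # 2. Nothing may sit on the drive that the manifest does not name.
    #    Matching hashes alone would miss a file that was added, so compare
    #    the set of listed paths with the set of non-directory entries found.
    tmp=$(mktemp -d) || return 1
    sed -E 's/^[0-9a-f]{64} [ *]//; s|^\./||' "$manifest" \
        | LC_ALL=C sort -u > "$tmp/listed"
    ( cd "$drive" && find . ! -type d | sed 's|^\./||' | LC_ALL=C sort ) \
        > "$tmp/present"
    extra=$(LC_ALL=C comm -13 "$tmp/listed" "$tmp/present")
    rm -rf "$tmp"

    if [ -n "$extra" ]; then
        printf 'not in manifest:\n%s\n' "$extra" >&2
        return 2
    fi
    return 0
}
```

The result is only meaningful when the code doing the checking was itself loaded from the dongle, which is why the proposal moves the kernel and bootloader there as well.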
Closed by Morten Linderud (Foxboron)
Tuesday, 23 August 2022, 17:33 GMT
Reason for closing: Won't implement
Additional comments about closing: This is not something that Arch can solve.
Authenticated Boot and Disk Encryption on Linux
https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
gpn20 - PoC: Implementing evil maid attack on encrypted /boot
https://www.youtube.com/watch?v=5HCZXWfIk5Y
However, if this is simply about an "evil maid" attack, then this is up to the user to prevent and set up secure boot.