Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If you can't modify victim's computer itself, just do that on another computer?

The evil maid will need less time to replace the computer with another one that looks alike the original one, than to install a Linux distro



The maid could even install a USB keylogger, if the goal is compromising just the credentials.


This is what I mean when I say adopting the TPM is a fool's errand; I think protection against evil maid attacks is impossible.

Unless you're willing to go full iphone/xbox with no third-party hardware or OSes.


> Unless you're willing to go full iphone/xbox with no third-party hardware or OSes

And even then, you still have the entire 1st party OS attack surface to play with. Which is just _huge_ specially considering this evil maid scenario implies you have a large amount of time with full control of the device itself and all its hardware.

These evil maid scenarios are so academical in nature by now, that there is practically no way to defend against them outside academia itself.


Presumably, if you can't touch the bootloader & the device has BitLocker enabled, then you can't even get into the OS unless you either (A) know the user's password, or (B) have an exploit that can be triggered from the lock screen.


You are saying that down in a thread about how it's much easier to just switch the entire computer...


In the case of the Xbox, you can replace the mainboard with like a rpi and still achieve it quite easily (I'd say budget ~ 100€). That's harder for a smartphone (I'd say budget ~ 2000€). Either way, the budget is still lower than the price of security flaws to circumvent secure boot.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: