In a 2009 blog post, security analyst Joanna Rutkowska coined the term "Evil Maid Attack" due to hotel rooms being a common place where devices are left unattended.
[1][2] The post detailed a method for compromising the firmware on an unattended computer via an external USB flash drive – and therefore bypassing TrueCrypt disk encryption.
[2] D. Defreez, a computer security professional, first mentioned the possibility of an evil maid attack on Android smartphones in 2011.
[1] In 2007, former U.S. Commerce Secretary Carlos Gutierrez was allegedly targeted by an evil maid attack during a business trip to China.
[8] Unified Extensible Firmware Interface (UEFI) provides many necessary features for mitigating evil maid attacks.
[9] The ability to create a communication channel between the bootloader and the operating system to remotely steal the password for a disk protected by FileVault 2 is also explored.
This was followed in 2020 by "Thunderspy", which is believed to be unpatchable and allows similar exploitation of DMA to gain total access to the system, bypassing all security features.
[1] Thus, when the victim inputs their password, the attacker will instantly be notified of it and be able to access the stolen device's information.
[14] The Haven Android app was created in 2017 by Edward Snowden to do such monitoring and transmit the results to the user's smartphone.
[15] In the absence of the above, tamper-evident technology of various kinds can be used to detect whether the device has been taken apart – including the low-cost solution of putting glitter nail polish over the screw holes.
[17] TPM-based secure boot has been shown to mitigate evil maid attacks by authenticating the device to the user.
[9] The Anti Evil Maid program builds upon TPM-based secure boot and further attempts to authenticate the device to the user.
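
The measured-boot idea behind authenticating the device to the user can be shown with a small simulation. This is an added example, not code from the article or from the Anti Evil Maid project; `SimulatedTPM`, `provision`, `boot`, the boot chains and the phrase are hypothetical, constructed names and values, and a real TPM enforces the same extend and unseal rules in hardware.

```python
import hashlib
import hmac

class SimulatedTPM:
    """Toy model of one PCR plus sealed storage (assumption: stands in for real TPM hardware)."""

    def __init__(self):
        self._pcr = bytes(32)
        self._sealed = {}

    def reset(self):
        # A PCR is only zeroed by a platform reset; software cannot write it directly.
        self._pcr = bytes(32)

    def extend(self, component: bytes):
        # new PCR = SHA-256(old PCR || SHA-256(component)): order-sensitive and one-way.
        digest = hashlib.sha256(component).digest()
        self._pcr = hashlib.sha256(self._pcr + digest).digest()

    def seal(self, name: str, secret: bytes):
        # Bind the secret to the PCR value present at sealing time.
        self._sealed[name] = (self._pcr, secret)

    def unseal(self, name: str):
        policy_pcr, secret = self._sealed[name]
        return secret if hmac.compare_digest(policy_pcr, self._pcr) else None

def provision(chain, secret: bytes) -> SimulatedTPM:
    """Owner measures a known-good boot chain once and seals a phrase only they know."""
    tpm = SimulatedTPM()
    for stage in chain:
        tpm.extend(stage)
    tpm.seal("phrase", secret)
    return tpm

def boot(tpm: SimulatedTPM, chain):
    """Measure each boot stage; the phrase is released only if the chain is unchanged."""
    tpm.reset()
    for stage in chain:
        tpm.extend(stage)
    return tpm.unseal("phrase")

# Constructed sample boot chains (labels only, not real firmware images).
GOOD = [b"firmware-1.0", b"bootloader-1.0", b"kernel-1.0"]
TAMPERED = [b"firmware-1.0", b"bootloader-1.0+modified", b"kernel-1.0"]
# Re-measuring the genuine bootloader after a modified one does not restore the PCR.
REPLAYED = [b"firmware-1.0", b"bootloader-1.0+modified", b"bootloader-1.0", b"kernel-1.0"]
PHRASE = b"purple giraffe 42"

if __name__ == "__main__":
    tpm = provision(GOOD, PHRASE)
    for label, chain in (("good", GOOD), ("tampered", TAMPERED), ("replayed", REPLAYED)):
        print(label, boot(tpm, chain))
```

If the phrase does not appear at boot, the user knows the boot chain has changed and should not type the disk password.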