We have seen several stories of journalists, politicians and other targets talking about having their machines hacked inside hotel rooms. These type of attacks (known as an “evil maid attack) are so popular for scenarios where attackers have physical access to the device that Edward Snowden went ahead to create a free tool to secure your devices when you have to leave your devices in a hotel room, even if for just a few minutes.
These attacks don’t need a lot of time since anyone with physical access, the right tools, and some skills can break into a room to install malware that is nearly impossible to detect. In an effort to raise awareness around the issue, security researchers have shared a demo video showing how easy these attacks are to pull off.
Related Yet Another Critical Bluetooth Bug: Enables Attackers to Snoop on You
“Physical attacks are hard to defend against and most people aren’t doing anything to defend against them,” John Loucaides of Eclypsium told Motherboard. “It’s not that hard of a attack to pull off as most people think.”
Evil Maid Attack: “It takes less time and less effort than most people realize.”
In the demo, Mickey Shkatov, one of the security researchers at Eclypsium, is shown opening up a laptop that he then connects with a device, and proceeds to install malicious firmware onto the chip that contains the BIOS. How long did it take him? Less than 5 minutes and that too on an enterprise machine.
Researchers wrote that the ease and “tools and techniques make firmware rootkits accessible to non-experts, even a ‘script kiddie’,” ensuring that even not-so-experts can install a firmware backdoor on a laptop in a few minutes.
Related More Russia, More Hacks – Now Inside the US Electric Utility Control Rooms
While this type of an “evil maid attack” takes someone to have physical access to your laptop, it’s not such a difficult feat as many believe. Spies, security researchers, and politicians aren’t the only targets. The ease and availability of these tools enable everyone – even your friends and foes – to get access to your devices. However, to get access to your devices, the attacker does need to learn about your whereabouts and when exactly you are out of your hotel room. Suddenly those Instagram vacay pics no longer look so harmless…
– Details over at Eclypsium
