Evil Maid Attack
What is Evil Maid Attack?
A physical attack in which an adversary briefly accesses an unattended device to tamper with firmware, bootloader, or hardware and steal secrets later.
An Evil Maid Attack, named by Joanna Rutkowska in 2009, describes a scenario where an attacker with brief physical access to a powered-off device modifies it to capture credentials or plant a persistent implant. Classic variants tamper with the bootloader of a full-disk-encrypted laptop to log the pre-boot passphrase the next time the owner unlocks it. More advanced variants add hardware keyloggers, firmware implants, or compromised peripherals. The attack defeats software-only disk encryption because trust is rooted in unverified boot code. Defences include measured boot, TPM-bound keys, Secure Boot, tamper-evident seals, and never leaving devices unattended in hotels, conferences, or border crossings.
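The defence the definition names first, measured boot with TPM-bound keys, is easier to see in code than in prose. The following is an added example, not part of the original glossary entry and not a real TPM API: a toy model in which each boot component is hashed into a PCR (extend = H(old || H(component))), the disk key is sealed to the PCR value produced by the clean boot chain, and a boot through a patched bootloader yields a different PCR so the key cannot be released. All byte strings, the chain contents and the "TPM secret" are constructed placeholders.

```python
"""Toy model of measured boot and PCR-bound key sealing (constructed example).

Not a real TPM: a real TPM derives the sealing policy from PCR registers
it maintains itself; here the PCR chain and the seal/unseal operations are
simulated with SHA-256 and HMAC so the control can be run offline.
"""
import hashlib
import hmac

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # PCRs start zeroed at power-on


def measure(component: bytes) -> bytes:
    """Digest of one boot component (firmware, bootloader, kernel)."""
    return HASH(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest). Order matters."""
    return HASH(pcr + digest).digest()


def measured_boot(chain):
    """Run the boot chain, extending one PCR and recording an event log."""
    pcr = PCR_INIT
    log = []
    for name, blob in chain:
        d = measure(blob)
        log.append((name, d.hex()))
        pcr = extend(pcr, d)
    return pcr, log


def seal(secret: bytes, pcr: bytes, tpm_secret: bytes):
    """Bind a 32-byte secret to an expected PCR value (toy construction)."""
    wrap = hmac.new(tpm_secret, pcr, HASH).digest()
    ct = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(tpm_secret, pcr + ct, HASH).digest()
    return ct, tag


def unseal(sealed, pcr: bytes, tpm_secret: bytes):
    """Release the secret only if the current PCR matches the sealed one."""
    ct, tag = sealed
    expect = hmac.new(tpm_secret, pcr + ct, HASH).digest()
    if not hmac.compare_digest(expect, tag):
        return None  # PCR mismatch: boot chain differs from provisioning
    wrap = hmac.new(tpm_secret, pcr, HASH).digest()
    return bytes(a ^ b for a, b in zip(ct, wrap))


# Constructed boot chains: same firmware and kernel, bootloader differs.
CLEAN_CHAIN = [
    ("firmware", b"UEFI firmware image (constructed, clean)"),
    ("bootloader", b"GRUB bootloader (constructed, clean)"),
    ("kernel", b"Linux kernel (constructed)"),
]
TAMPERED_CHAIN = [
    CLEAN_CHAIN[0],
    ("bootloader", b"GRUB bootloader (constructed, patched to log passphrase)"),
    CLEAN_CHAIN[2],
]

# Constructed placeholders for the TPM's storage secret and the volume key.
TPM_SECRET = HASH(b"constructed TPM storage root secret").digest()
DISK_KEY = HASH(b"constructed LUKS volume key").digest()


def provision():
    """Owner seals the disk key against the PCR of the known-good chain."""
    pcr, _ = measured_boot(CLEAN_CHAIN)
    return seal(DISK_KEY, pcr, TPM_SECRET)


def boot_and_unseal(chain, sealed):
    """Boot a chain and attempt to release the key; returns (key or None, log)."""
    pcr, log = measured_boot(chain)
    return unseal(sealed, pcr, TPM_SECRET), log


def first_divergence(expected_log, observed_log):
    """Name of the first component whose measurement differs, for forensics."""
    for (name, d1), (_, d2) in zip(expected_log, observed_log):
        if d1 != d2:
            return name
    return None


if __name__ == "__main__":
    sealed = provision()
    key, _ = boot_and_unseal(CLEAN_CHAIN, sealed)
    print("clean boot releases key:", key == DISK_KEY)
    key, log = boot_and_unseal(TAMPERED_CHAIN, sealed)
    _, clean_log = measured_boot(CLEAN_CHAIN)
    print("tampered boot releases key:", key is not None)
    print("first divergent component:", first_divergence(clean_log, log))
```

Two points of the model carry over to real deployments: the key is never released to a boot chain whose measurements differ from the provisioned ones, so a patched bootloader has nothing to log; and comparing the event log against the known-good one tells the defender which component changed, which is the detection side of the same control.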
● Examples
- 01
A hotel-room attacker boots a target laptop from USB and patches its GRUB bootloader to capture the LUKS passphrase.
- 02
A border official briefly takes a journalist's laptop and installs a firmware implant before returning it.
● Frequently asked questions
What is Evil Maid Attack?
A physical attack in which an adversary briefly accesses an unattended device to tamper with firmware, bootloader, or hardware and steal secrets later. It belongs to the Attacks & Threats category of cybersecurity.
What does Evil Maid Attack mean?
A physical attack in which an adversary briefly accesses an unattended device to tamper with firmware, bootloader, or hardware and steal secrets later.
How does Evil Maid Attack work?
An Evil Maid Attack, named by Joanna Rutkowska in 2009, describes a scenario where an attacker with brief physical access to a powered-off device modifies it to capture credentials or plant a persistent implant. Classic variants tamper with the bootloader of a full-disk-encrypted laptop to log the pre-boot passphrase the next time the owner unlocks it. More advanced variants add hardware keyloggers, firmware implants, or compromised peripherals. The attack defeats software-only disk encryption because trust is rooted in unverified boot code. Defences include measured boot, TPM-bound keys, Secure Boot, tamper-evident seals, and never leaving devices unattended in hotels, conferences, or border crossings.
How do you defend against Evil Maid Attack?
Defences for Evil Maid Attack combine technical controls with operational practices: measured boot and TPM-bound keys so a modified boot chain cannot release the disk key, Secure Boot to reject unsigned boot code, tamper-evident seals to reveal physical intrusion, and never leaving devices unattended in hotels, at conferences, or at border crossings.
What are other names for Evil Maid Attack?
Common alternative names include: Maid attack, Unattended device tampering.
● Related terms
- attacks№ 082
BadUSB
A class of attacks that reprograms a USB device's controller firmware so it claims a malicious identity such as a keyboard, network adapter, or storage volume.
- attacks№ 1192
USB Rubber Ducky
A USB device sold by Hak5 that masquerades as a keyboard and injects pre-programmed keystrokes at machine speed when plugged into a target computer.
- malware№ 117
Bootkit
Malware that infects the boot process — MBR, VBR, or UEFI — to load before the operating system and obtain persistent, privileged control.
- malware№ 097
BIOS Rootkit
A rootkit that infects legacy BIOS firmware so it executes before the operating system, achieving deep persistence below the OS.