Evil Maid Attack

An Evil Maid Attack is a term used to describe a type of attack where a malicious actor gains physical access to a target computer or device. The term “evil maid” originates from the idea that someone with malicious intent could gain access to your device when you’re not around.

It might seem like a scenario that only happens in spy movies. But such situations can and do happen in real life, and more often than one would think. Despite the abundance of security measures that organizations put in place to mitigate cyber attacks, malicious actors are deploying increasingly deceptive techniques to bypass such security measures. And it could be taking place right in front of your eyes.

Evil Maid Attack Scenario

In the video below, we demonstrated an evil maid attack scenario that threatens organizations all over the world. The vacuum cleaner appears to take control of the endpoint; in fact, it is the device hidden inside that does the damage, while the vacuum provides the deception. The Rogue Device, a Raspberry Pi, is small enough to conceal within the vacuum cleaner and, when in proximity to the target laptop, provides the perpetrator with remote control of that laptop through its wireless capabilities.

Hardware attacks such as this one require the attacker to gain some form of physical access. In this case, the vacuum is a perfect vessel for providing that access. So, next time you are near a vacuum cleaner, you might stop to think whether it is just cleaning the floor or controlling a device nearby, too.

Insider Threats and Social Engineering

The evil maid attack scenario highlights two worrying threats to all organizations: insider threats and the social engineering techniques used by bad actors. Let’s start with the first. Certainly, someone must have brought in the vacuum concealing the device. The vacuum may conceal the evil maid attack, but it is not sophisticated enough to enter the premises alone…

Insider Threats Cyber Attacks

Insider threats are the greatest cybersecurity risk to organizations. According to a report on Insider Threats by Fortinet, nearly 70% of organizations think insider attacks are becoming more frequent. Furthermore, research found that businesses in the US encounter around 2,500 internal security breaches daily.

Figure: Insider Threats report by Fortinet

One possibility is that the cleaning maid is a malicious insider who purposely brought the harmful device into the working environment. Although malicious insiders cause only around 5% of internal cyber incidents, their insider privileges and knowledge mean that such attacks can cause significant damage. According to Fortinet, 60% of enterprises name malicious insiders as the insider threat that concerns them most. Outsourcing cleaning staff often heightens an enterprise’s exposure: the outsourced worker may be a malicious actor seeking financial gain or working for an adversary.

For half of organizations, service providers and temporary workers are the most threatening type of insider risk. Cleaning staff are not typically deemed a security risk and therefore do not raise alarms when doing their job. This, of course, gives them the perfect disguise.

But it is also possible that the cleaning maid unwittingly brought the device onto the company’s premises. How, you may ask? That brings us to the next vulnerability: the social engineering behind cyber attacks.

Social Engineering of Cyber Attacks

According to Cyber Observer, 30% of cyber attacks rely on social engineering, making it one of the most common causes of data breaches. Because hardware-based attacks require physical access, social engineering is how external perpetrators obtain it. For example, an evil twin attack is a type of WiFi attack in which an attacker sets up a rogue access point that mimics a legitimate network, typically with a name and configuration very similar to the legitimate one. This type of attack relies heavily on social engineering: the perpetrators can intercept the communication between the victim and the legitimate access point.

Purplesec research into social engineering techniques found that 56% of such attacks are carried out by malicious outsiders. A malicious actor might use social engineering, such as blackmail, to compel an innocent cleaning maid to bring a device into the office. However, attackers might also want to enter the office themselves, and will again rely on social engineering techniques; disguising themselves as part of the cleaning staff can provide them with internal access more easily than one might expect.

Figure: Evil Maid Attacks - Social Engineering (source: Cyber Observer)

How many times have you raised security concerns when you have seen unfamiliar cleaning personnel in the office? My guess is probably zero. Well, we hope that, by the time you have finished reading this, you will be a little more aware and cautious of those around you, even if you think they pose no security risk. An evil maid attack is usually unexpected… (Disclaimer: we are not suggesting that you bring up a security concern every time you see a cleaning maid around the office. But we do want to highlight the importance of being vigilant of everyone around you.)

Hardware Attack Tools

What exactly is the sneaky little device we call the Raspberry Pi? It was not designed to be pernicious, but rather to teach the basics of computer science. The Raspberry Pi used in the evil maid attack scenario was manipulated on the Physical Layer to act with malicious intent. Operating on the USB interface, with wireless connectivity for the attacker, the device hides its identity by impersonating a legitimate human interface device (HID). Without physical layer visibility, such spoofing goes undetected.

The Raspberry Pi is just one of the many hardware attack tools available to anyone who wants, or knows how, to use them. Rogue Devices are malicious and covert by nature, which lets them go under the radar of existing security solutions that lack complete device visibility. An attacker can use such devices to carry out a range of harmful attacks such as data exfiltration, espionage, MitM attacks, DDoS, and more. In this specific case, the perpetrator made their presence known, but what happens when the attack occurs behind the scenes? If you cannot see the attack taking place and security solutions cannot detect the presence of the malicious device, how are you, your device, and the organization protected?

Protecting Against Evil Maid Attacks

Sepio’s platform provides a panacea to the gap in network device visibility. As the leader in Rogue Device Mitigation, it identifies, detects, and handles all peripherals; no device goes unmanaged. Sepio uses physical layer technology and machine learning to verify the electrical characteristics of all devices and compare them against known data fingerprints. In doing so, Sepio provides organizations with ultimate device visibility and detects vulnerable devices and switches within the infrastructure.

In addition to the deep physical layer visibility, a comprehensive policy enforcement mechanism allows the administrator to define a strict, or more granular, set of rules for the system to enforce. When a device breaches the pre-set policy, Sepio automatically instigates a mitigation process that instantly blocks unapproved or Rogue hardware.
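To make the two ideas above concrete, the HID impersonation described in the Hardware Attack Tools section and the strict versus granular policy enforcement described here, the following is an added example and not Sepio's code or any description of how its platform works. It models a peripheral policy engine evaluated against a constructed USB enumeration snapshot: a strict rule set that only admits devices in an approved inventory, and a granular rule set that also blocks unknown HID and storage devices while allowing other classes with an audit entry. The vendor and product IDs, serials, port paths and inventory are all invented for the example; only the USB class codes (0x03 HID, 0x08 mass storage, 0x01 audio) are real. The key point it demonstrates is that a rogue device presenting itself as a keyboard is indistinguishable from a real one by class alone, so the policy has to be anchored to an identity (VID, PID and serial) that the organization actually manages.

```python
"""Peripheral allowlist policy over constructed USB device records.

Added example, not Sepio's code. All device identifiers below are
constructed; the policy logic is a generic illustration of strict
versus granular enforcement.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

HID_CLASS = 0x03       # USB interface class: human interface device
STORAGE_CLASS = 0x08   # USB interface class: mass storage
AUDIO_CLASS = 0x01     # USB interface class: audio


@dataclass(frozen=True)
class UsbDevice:
    vid: int        # vendor id reported at enumeration
    pid: int        # product id reported at enumeration
    usb_class: int  # interface class code
    serial: str     # serial string, empty if the device reports none
    port: str       # physical port path the device appeared on


@dataclass(frozen=True)
class Verdict:
    device: UsbDevice
    allowed: bool
    reason: str


# Hypothetical approved inventory: (vid, pid, serial) triples.
# Constructed values that do not refer to any real product.
APPROVED = {
    (0x1234, 0x0001, "KB-0001"),   # the user's known keyboard
    (0x1234, 0x0002, "MS-0001"),   # the user's known mouse
    (0x5678, 0x0100, "DISK-42"),   # an approved encrypted drive
}
APPROVED_IDS = {(vid, pid) for vid, pid, _ in APPROVED}


def lookup(dev: UsbDevice) -> str:
    """Classify a device against the inventory: match, serial_mismatch, unknown."""
    if (dev.vid, dev.pid, dev.serial) in APPROVED:
        return "match"
    if (dev.vid, dev.pid) in APPROVED_IDS:
        # Same VID:PID as an approved product but a different serial: this
        # is what a device borrowing an approved identity looks like.
        return "serial_mismatch"
    return "unknown"


def strict_policy(dev: UsbDevice) -> Verdict:
    """Strict rule set: only inventory devices may stay enumerated."""
    status = lookup(dev)
    if status == "match":
        return Verdict(dev, True, "inventory match")
    if status == "serial_mismatch":
        return Verdict(dev, False, "VID:PID in inventory but serial does not match")
    return Verdict(dev, False, "not in inventory")


def granular_policy(dev: UsbDevice) -> Verdict:
    """Granular rule set: inventory devices pass, unknown HID and storage
    devices are blocked, other unknown classes are allowed but logged."""
    status = lookup(dev)
    if status != "unknown":
        return strict_policy(dev)
    if dev.usb_class == HID_CLASS:
        return Verdict(dev, False, "unapproved HID device; a keyboard the user did not plug in")
    if dev.usb_class == STORAGE_CLASS:
        return Verdict(dev, False, "unapproved storage device")
    return Verdict(dev, True, "unknown non-HID, non-storage device allowed; audit logged")


def enforce(devices: List[UsbDevice],
            policy: Callable[[UsbDevice], Verdict]) -> Tuple[List[Verdict], List[str]]:
    """Evaluate every device under a policy; return verdicts and audit log lines."""
    verdicts = [policy(d) for d in devices]
    log = [
        f"{'ALLOW' if v.allowed else 'BLOCK'} port={v.device.port} "
        f"id={v.device.vid:04x}:{v.device.pid:04x} class=0x{v.device.usb_class:02x} "
        f"serial={v.device.serial or '<none>'} reason={v.reason}"
        for v in verdicts
    ]
    return verdicts, log


# Constructed enumeration snapshot: approved keyboard and drive, an unknown
# device claiming to be a keyboard, a device reusing the approved keyboard's
# VID:PID with a different serial, and an unknown headset.
SNAPSHOT = [
    UsbDevice(0x1234, 0x0001, HID_CLASS, "KB-0001", "1-1.1"),
    UsbDevice(0x5678, 0x0100, STORAGE_CLASS, "DISK-42", "1-1.2"),
    UsbDevice(0x9abc, 0x0010, HID_CLASS, "", "1-1.3"),
    UsbDevice(0x1234, 0x0001, HID_CLASS, "KB-9999", "1-1.4"),
    UsbDevice(0xdef0, 0x0200, AUDIO_CLASS, "HS-7", "1-1.5"),
]


def blocked_ports(policy: Callable[[UsbDevice], Verdict]) -> List[str]:
    """Ports in the snapshot whose devices the given policy blocks."""
    verdicts, _ = enforce(SNAPSHOT, policy)
    return [v.device.port for v in verdicts if not v.allowed]


if __name__ == "__main__":
    for name, policy in (("strict", strict_policy), ("granular", granular_policy)):
        print(f"--- {name} policy ---")
        for line in enforce(SNAPSHOT, policy)[1]:
            print(line)
```

Under the strict policy the snapshot yields three blocks (the unknown keyboard-class device, the serial mismatch, and the headset); the granular policy lets the headset through with an audit line but still blocks both HID anomalies. The caveat a practitioner should keep in mind is the one the article itself makes: VID, PID and serial are values the device reports and can therefore be forged, so a software allowlist like this raises the bar but does not close the gap that physical-layer fingerprinting is meant to address.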

Attackers have found deceitful ways to implant a Rogue Device within a target’s premises. With Sepio’s platform that is about as far as they will go. A vacuum cleaner might be able to hide a Rogue Device from human eyes, but Sepio’s eyes see far deeper.


May 3rd, 2021