PoC: Implementing evil maid attack on encrypted /boot



Even if you use full disk encryption, there is still unencrypted code on the disk that asks you for the password. An evil maid attack is an attack on an unattended device, in which an attacker with physical access can backdoor the bootloader to grab the full disk encryption password.

This attack is easy to perform if the target uses an unencrypted boot partition. GRUB2 also supports encrypted boot partitions, where stage 1.5 of the bootloader decrypts the boot partition. Conceptually, an evil maid attack is still possible, but it is harder to implement. I couldn't find a public exploit, so I wrote my own.
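A defender-side consequence of the above: the code that prompts for the password is stored unencrypted, so its hashes can be recorded while the machine is known-good and re-checked later to spot tampering. The script below is an added example, not code from the talk. The disk offsets, region size and paths are assumptions for a BIOS/MBR install (MBR, the core image region following it, and the files under /boot); on a UEFI system the equivalent unencrypted code is the bootloader in the EFI system partition, so the list of regions must be adapted to the real layout.

```python
"""Baseline-and-verify check for the unencrypted boot code on a disk (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

MBR_BYTES = 512                 # classic boot sector
CORE_IMG_BYTES = 1024 * 1024    # assumption: gap after the MBR that holds GRUB's core image


def sha256_region(path, offset, length):
    """SHA-256 of `length` bytes starting at `offset` in a file or block device."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        f.seek(offset)
        remaining = length
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def sha256_file(path):
    return sha256_region(path, 0, os.path.getsize(path))


def baseline(disk, boot_dir):
    """Hash every piece of boot-time code that full disk encryption does not cover."""
    entries = {
        "mbr": sha256_region(disk, 0, MBR_BYTES),
        "core_img_region": sha256_region(disk, MBR_BYTES, CORE_IMG_BYTES),
    }
    for p in sorted(Path(boot_dir).rglob("*")):
        if p.is_file():
            entries["boot/" + p.relative_to(boot_dir).as_posix()] = sha256_file(p)
    return entries


def verify(disk, boot_dir, expected):
    """Return the sorted names of entries that changed, appeared or disappeared."""
    current = baseline(disk, boot_dir)
    return sorted(
        name for name in set(expected) | set(current)
        if expected.get(name) != current.get(name)
    )


def demo():
    """Constructed scenario: a fake disk image and /boot tree, baselined, then modified."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "disk.img")
        boot = os.path.join(tmp, "boot")
        os.makedirs(os.path.join(boot, "grub"))
        with open(disk, "wb") as f:
            f.write(b"\x00" * MBR_BYTES)        # constructed stand-in for the MBR
            f.write(b"\x90" * CORE_IMG_BYTES)   # constructed stand-in for core.img
        Path(boot, "grub", "grub.cfg").write_text("set timeout=5\n")
        Path(boot, "vmlinuz").write_bytes(b"kernel")

        expected = baseline(disk, boot)
        clean = verify(disk, boot, expected)      # nothing changed yet

        # Simulate a modified core image and an extra module dropped into /boot.
        with open(disk, "r+b") as f:
            f.seek(MBR_BYTES + 100)
            f.write(b"\xcc")
        Path(boot, "grub", "extra.mod").write_bytes(b"x")
        dirty = verify(disk, boot, expected)
        return clean, dirty


if __name__ == "__main__":
    print(demo())
```

The baseline must be kept somewhere the device itself cannot alter (a copy on another machine or a removable medium) and compared there, since a check run from an operating system that has already booted through a tampered loader cannot be fully trusted; it is a detection aid, not a substitute for measured boot.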

In this talk, I will explain the Linux boot process and the process of backdooring GRUB2 to get the full disk encryption password. The talk only covers Linux and GRUB2. There will be some slides, but most of the time you will see my terminal and some Python code.