An Evil Maid assault is when a device has physically tampered without the device owner’s knowledge. Evil Maid attacks where a bootloader has been installed onto the victim’s computer which defeats full disk encryption. Now, however, thanks to solutions like Edward Snowden’s new Android program, which is called Haven, people can help prevent Evil Maid strikes and protect their devices from physical tampering while they’re not present.

Whenever a computer starts, it has to implement firmware to initialise hardware in a usable configuration. This generates the familiar environment for software to execute. If malware can change some of this setup, it can elevate its privilege over that of other applications either by executing in a privileged manner or reconfiguring the system to violate the assumptions of regular applications and violate the security properties. The most direct method to do this is to alter the firmware.

An attacker with physical access can attach a hardware programmer and modify the firmware. While this may seem like it requires specialised equipment and detailed knowledge, it is quite comfortable in most cases. The majority of firmware is stored on the Serial Programmable Interface (SPI) flash chip. However, another researcher (Dmytro Oleksiuk) has developed a generic proof-of-concept backdoor (available at ) that can be installed into many firmware modules. The availability of these tools and techniques make firmware rootkits accessible to even amateur hackers.

Another way to modify firmware is through free software. An excellent alternative to defend against this type of attack would be to have the firmware configure protection bits related to firmware storage during the early boot phase. Once this is done, standard software (even including malware that elevated privileges to the kernel) would not be able to perform changes to the firmware storage. A trusted code, executing in SMM during runtime, can be used as an alternative to bypass the protections and write to firmware storage. Therefore, SMM is a primary target for an attacker trying to install a persistent firmware rootkit.

The first protection is to maintain complete physical control over sensitive systems. This can be difficult, however. If a sensitive system does fail this check, there is a severe risk for anyone who has direct access to the system even for an insufficient period. Just by plugging a cable into the USB port and running a script, they may be able to bypass nearly all security technologies.
Few systems have a setting in the BIOS/firmware setup menu that enables or disable the debug features. After disabling the setting, administrators can check for this configuration to pass the chipset test module mentioned earlier. In this case, it will be essential to protect these settings with a secure password or encryption.

In some instances, it is necessary to contact the system manufacturer and inquire about a firmware version that securely disables the debug access.

Another recent alternative is to use the Haven app. The Haven program allows users to secure a small-medium size space and alert the user if someone tries to enter the space and modify or later the hardware located there. To use Haven, a user must have a spare Android device such as a burner phone or tablet. Haven uses the detectors on the Android device to detect when someone is trying to tamper with your hardware. Some of the sensors Haven uses include the camera, the mic, the camera, light sensor, as well as utilising the power supply to detect if the Android device has been unplugged. Once a sensor was triggered, the program will send a notification to the user. Users can set up Haven to send notifications via a standard SMS text message, or even better, via an end-to-end encrypted message delivered over Signal.

The app could be configured to snap pictures and capture sound to help identify who the attacker is, or what tripped off the sensors. Notifications and any audio or photos captured by the app may also be accessed over Tor. This requires the user to set up and operate Orbot on the device running the Haven program.
It is essential for users to make sure the Android apparatus with all the installed Haven app, has assessed settings and made sure that device encryption was enabled and they are using a secure password. Technically, an attacker can stop Haven from sending alarms by dialling WiFi and mobile service. Future variations of Haven may be upgraded to alert users when their Haven device loses net access, so they could be aware of any attempts to jam WiFi and cellular services.
The new Haven app for Android has released a beta version of the software. It can be downloaded in the Google Play Store in, or from Github at Haven is a free and open source program, so users can also build the .apk file from the source code if they would like to.

To set up in the F-Droid app store, users must include the Haven Nightly” Bleeding Edge” repository ( ) from the settings. Haven is maintained through The Guardian Project, which also contributes to many other privacy-related apps for Android, for instance, cellular Tor Browser is known as Orfox. Snowden helped develop the Haven program through funding from a job he leads at the Freedom of the Press Foundation.

Haven is maintained through The Guardian Project, which also contributes to many other privacy-related apps for Android, including the mobile Tor Browser called Orfox. Snowden helped develop the Haven app through funding from a project he leads at the Freedom of the Press Foundation.

When setting up the program, the average noise level of this space is assessed, to prevent false positives. Unfortunately, there still may be some noise artefacts, but it’s important to remember that Haven is in early development and remains only in beta testing. Future versions of the program will be less likely to produce false positive alarms. This program is vital for those that have sensitive information on their devices and need extra protection against Evil Maid attacks. It’s especially useful for men and women who travel with devices that store sensitive data.

Haven is not available for the Apple iPhone, but iPhone users can still check on notifications if Tor services are enabled by checking notifications using the Onion Browser app for iPhone.

If you would like to have your company featured in the Irish Tech News Business Showcase, get in contact with us at [email protected] or on Twitter: @SimonCocking

Pin It on Pinterest

Share This