Evil maid attack on encrypted hard drive

An article was published yesterday in which, not without the help of Microsoft, reveals interesting details about the internals of BitLocker. The article is long and its contents can be summarized as “in general, it looks adequate, there are no obvious vulnerabilities”. But the links have a lot of interesting information about various attacks on an encrypted hard drive. I suppose habrazhiteli will be interested in a brief statement of the attack with the romantic name “evil maid” and its logical continuation. Is your business correspondence securely protected by young, curious customs officers, if at the airport in sunny Spain you were asked to watch a laptop with an encrypted hard drive for 10 minutes?

It would seem that if an adequate encryption algorithm is used and the attacker or the curious simply does not know your password, then the business correspondence is completely safe. Is it so?

Not really. Encryption implements the operating system. When you start a computer from Linux, Windows or OSX, first starts some operating system code that asks you for the passphrase from the encrypted hard drive, and then uses it to decrypt the hard drive in real time (or only home dir if encryption is used) by default in OSX). The evil maid attack is that the backdoor, which sends all the necessary information to the attacker, is embedded in the code requesting the password. Which is not encrypted, because it must be executed when the computer starts up before the user enters the passphrase. You got your laptop back, you laughed at close-minded checkers, turned it on, entered your password, downloaded the OS, and that's it, the backdoor is already on your computer. Bitlocker is partially protected from this attack - its bootloader verifies its own integrity (of course, nothing prevents you from changing the verification code, but it is much more difficult), OSX and popular Linux distributions do not even have such protection.

Paranoids from security know about this approach and in case of suspicion that someone modified the computer disk is loaded from usb and overwrites part of the operating system responsible for the initial boot and password entry. Or use the usb key instead of entering a passphrase. Or downloaded from usb. Or any other way. But is that enough?
')
It turns out no. Most hard disk encryption solutions use the AES algorithm in CBC block mode. And the block encryption mode has a funny feature. If the attacker knows the contents of the encrypted file on the hard disk, but does not know the key, then he can modify the encrypted data in such a way that after decryption, the content he needs will be obtained. Suddenly, yes? You can not touch the bootloader. Knowing the version of the operating system and the location of its standard files on the disk, you can embed the backdoor into the system files simply by overwriting a part of the encrypted blocks. Such an attack is described in detail in another article ; ibid. Is a practical implementation for Ubuntu 12.04 (starting from 12.10, XTS is used by default, which protects the OS from this attack).

Starting with OSX Lion (10.7), the default encryption tool is changed to “File Vault 2”, which uses XTS-AESW protected against such an attack instead of AES-CBC.

Of course, such attacks are known to any reader familiar with the basics of information security. All the rest, I hope, information about these two attacks will be at least curious. As an illustration, the work of this artist was used .