Less than an hour into a Tinder date in a Moscow restaurant last year, Patrick Wardle began to wonder about the laptop he’d left in his hotel room. Wardle had come to the city for a security conference; as a former NSA staffer who’d worked on the elite hacking unit known as Tailored Access Operations, he was paranoid enough to bring only a “burner” PC on his trip, carefully stripped of any sensitive information. But when his date told him she was a former employee of Russia’s Ministry of Foreign Affairs, the question became real for him: Had he been lured out of his room so that someone could lay hands on that computer? And if so, would he ever know for sure?
Wardle never found evidence of tampering or malware on that burner machine. But he did keep thinking about so-called “evil maid” attacks, the classic security problem that computers are far more vulnerable to hacking when the attacker can get physical access to them. Like, say, in a hotel room, while the computer’s owner is ordering appetizers on the other side of the Moskva River.
Now Wardle’s making his own best effort to grapple with that evil maid problem—if not to solve it, at least to make the job much more difficult. This week at the RSA security conference, he’s releasing Do Not Disturb, an app for Mac laptops that tries to detect physical access attacks with a dead-simple safeguard: If someone opens the lid of a MacBook running the tool, the app sends a notification to the owner’s phone.
“The majority of ‘evil maid’ attacks require an active, awake computer,” Wardle says. “So Do Not Disturb runs on your Mac and monitors for lid-open events, which are kind of a generic precursor for a lot of physical-access attacks. If someone tries to break into your device, it alerts you.”
Do Not Disturb goes a step further than just the push notification. Using the Do Not Disturb iOS app, a notified user can send themselves a picture snapped with the laptop’s webcam to catch the perpetrator in the act, or they can shut down the computer remotely. The app can also be configured to take more custom actions like sending an email, recording screen activity, and keeping logs of commands executed on the machine.
Owners of modern MacBooks with TouchID can disable Do Not Disturb with their fingerprint within a time window of a few seconds after opening the lid, to avoid setting off an alert every time they open their laptop. Wardle is releasing the Mac app for free, though his company Digita plans to charge a $9.99 annual subscription for the accompanying iOS app once it’s approved for the App Store. Those who don’t want to pay that can just use the email notification feature instead.
‘If evil maids know there’s an app that might be monitoring this laptop, they’ll think twice.’
Do Not Disturb Creator Patrick Wardle
The Do Not Disturb lid-opening trigger, a suggestion Wardle credits to the pseudonymous security researcher known as the Grugq, certainly isn’t a panacea for a computer falling into enemy hands. In fact, computer security professionals usually warn that if an attacker gains physical access to a computer, you should considered the device compromised. It’s often possible, after all, to simply flip a closed MacBook over, unscrew the bottom of its case, and start messing with its hardware, even connecting its hard drive to a different computer to analyze its data.
But those sorts of intrusion methods are far less common, Wardle argues, than someone simply opening up a laptop and booting it from a USB drive to bypass its password protection, or even simply typing in a password captured from someone’s keystrokes by a hidden camera in a hotel room.
“The typical physical access attack does require opening up the laptop,” says Thomas Reed, a Mac-focused researcher for security firm MalwareBytes. “Any kind of an evil maid attack that doesn’t will be pretty rare and would probably require opening the case and tampering with the electronics inside.” Reed points out that anyone who’s worried about physical access attacks should also enable FileVault disk encryption on their MacBook, and set a firmware password, too.
Wardle acknowledges that Do Not Disturb’s notifications could also be blocked by disabling the Wi-Fi connection to the computer, or jamming them with a Faraday cage—though in those cases the tool could still gather evidence of the attack and store it on the laptop itself. But he argues that even if Do Not Disturb isn’t a cure-all for evil maids, it still vastly raises the bar for anyone who wants to perform them undetected. “Any security tool has limitations and weaknesses, and anyone who says otherwise is trying to sell you snake oil,” Wardle says.
More importantly, Wardle’s app, like another Android-based evil maid sousveillance tool released by the Freedom of the Press Foundation last year, creates serious problems for any stealthy physical access intruder that can’t afford to be detected. By creating a risk that even a small fraction of computers will be running even basic evil maid detection software, Do Not Disturb forces any interloper to either risk detection or take the far more difficult and paranoid approach of breaking into a computer without ever opening its lid.
“Anything we can do to raise the bar helps. If evil maids know there’s an app that might be monitoring this laptop, they’ll think twice,” Wardle says. “If it makes these attacks more difficult in any way, I think that’s a win.”