Definition
An evil maid attack is a physical-access attack in which an adversary tampers with a device left briefly unattended, then waits for the owner to use it and unwittingly surrender their secrets. The name comes from the canonical scenario: a traveler leaves an encrypted laptop in a hotel room, and a malicious housekeeper — or anyone with a few minutes of access — modifies it. The owner returns, sees nothing amiss, and types their passphrase, which the tampered device captures. The attack matters because it breaks the comfortable assumption that encryption makes a stolen glance harmless: encryption protects data at rest, not a device you keep using after someone else has touched it.
How the attack works
The classic technique targets full-disk encryption. Because most encrypted systems cannot authenticate themselves to the user, an attacker can swap in a malicious bootloader that displays a normal-looking password prompt. The victim enters their disk-encryption passphrase, the malware records it (or exfiltrates it later), then chains to the real boot process so nothing seems wrong. On a second visit, or via a network beacon, the attacker collects the captured secret. Variants tamper with firmware or BIOS/UEFI, plant a hardware keylogger between keyboard and board, or swap peripherals — anything that intercepts input before the legitimate software sees it. The defining features are brief physical access, a device that still appears normal, and a victim who keeps trusting it.
Defending against it
The core defense is making tampering either impossible to boot or impossible to miss. Secure Boot refuses to run an unsigned, modified bootloader; a Trusted Platform Module with measured boot goes further, detecting that the boot state changed and refusing to release the disk key. Physical measures fill the gaps digital ones cannot: tamper-evident seals over screws and ports, glitter nail polish photographed before travel, and above all keeping the device on your person. Some operators prefer statelessness to sealing — booting from a verified Tails stick means there is no resident bootloader to poison. The habits are covered under TPM and broader OPSEC discipline, but the rule compresses to one line: never enter a passphrase into a device that has been out of your sight and control.
The Bitcoin angle
For Bitcoiners, the evil maid scenario is not hypothetical — a device that touches keys is a device worth tampering with. This is precisely the threat class that hardware wallets and secure elements exist to blunt: the seed never enters the laptop at all, so a poisoned laptop can lie about addresses but cannot exfiltrate keys, and verifying addresses on the signer's own screen closes most of what remains. A seed phrase should never be typed into any general-purpose computer, tampered or not, and long-term holdings belong in cold storage whose signing devices rarely travel.
Thinking it through
Like every physical attack, evil maid should be weighed with honest threat modeling: a home miner's laptop faces it mainly at borders, conferences, and repair shops, not on the kitchen table. Calibrate accordingly — boot integrity and a hardware signer for everyone; seals, stateless boots, and travel devices for those whose model genuinely includes hostile hands.
In Simple Terms
An evil maid attack is a physical-access attack in which an adversary tampers with a device left briefly unattended, then waits for the owner to…
