Evil Maid Attack

An evil maid attack is a physical-access attack in which an adversary tampers with a device left briefly unattended, then waits for the owner to use it and unwittingly surrender their secrets. The name comes from the canonical scenario: a traveler leaves an encrypted laptop in a hotel room, and a malicious housekeeper, or anyone with a few minutes of access, modifies it. The owner returns, sees nothing amiss, and types their passphrase, which the tampered device captures.

How the Attack Works

The classic technique targets full-disk encryption. Because most encrypted systems cannot authenticate themselves to the user, an attacker can swap in a malicious bootloader that displays a normal-looking password prompt. The victim enters their disk-encryption passphrase, the malware records it (or exfiltrates it later), and then chains to the real boot process so nothing seems wrong. On a second visit, or via a network beacon, the attacker collects the captured secret. Variants tamper with firmware, BIOS, or peripherals rather than the bootloader.

Defending Against It

The core defense is making tampering detectable and the boot chain trustworthy. Secure Boot refuses to run an unsigned, modified bootloader; a Trusted Platform Module with measured boot can detect that the boot state changed and refuse to release the disk key. Physical tamper-evident seals, keeping the device on your person, and verifying firmware integrity all reduce exposure. For Bitcoiners, the lesson generalizes: never enter a passphrase into a device that has been out of your sight and control.

Related defenses include Secure Boot and the Trusted Platform Module; the threat is closely tied to broader physical-access discipline covered under OPSEC.