BIOS & HDD Passwords: Stopping Evil Maid Attacks

G5 Cyber Security

2 months ago

TL;DR

Using both a BIOS (UEFI) password and a full-disk encryption (HDD/SSD) password significantly improves protection against evil maid attacks, but isn’t foolproof. The BIOS password prevents boot from untrusted media, while disk encryption protects data if the drive is stolen or tampered with. Regular security checks are vital.

What is an Evil Maid Attack?

An evil maid attack involves someone physically accessing your computer (while it’s off) to install malicious software or alter boot settings, allowing them to compromise your system when you next turn it on. They might replace the operating system with a compromised version, add backdoors, or steal data.

How BIOS and HDD Passwords Help

These passwords create layers of security that make an evil maid attack much harder. Here’s how:

1. Set a Strong BIOS (UEFI) Password

Access the BIOS/UEFI Setup: Restart your computer and press the key shown on the startup screen (usually Delete, F2, F10, or Esc). The exact key varies by manufacturer.
Find the Password Setting: Look for options like “Supervisor Password”, “Setup Password”, or similar under Security settings.
Create a Strong Password: Use a long, complex password that isn’t used anywhere else. Avoid easily guessable words or personal information.
Save and Exit: Save the changes in the BIOS/UEFI setup before exiting.

What it does: This prevents someone from booting your computer from a USB drive, CD/DVD, or network without knowing the password. They can’t easily replace your operating system.

2. Enable Full-Disk Encryption

Windows (BitLocker):

Search for “BitLocker” in the Start menu and open “Manage BitLocker”.
Select the drive you want to encrypt (usually your system drive).
Turn on BitLocker. You’ll be prompted to choose how to unlock the drive (password, USB key, etc.). Choose a strong password!
Back up your recovery key – this is essential if you forget your password.

macOS (FileVault):

Go to System Preferences > Security & Privacy > FileVault.
Turn on FileVault. You’ll be prompted for an administrator account and password.
Choose how to store the recovery key (iCloud or a local recovery key). Keep this key safe!

Linux (LUKS/dm-crypt): The process varies depending on your distribution. Use tools like cryptsetup during installation or after with distributions such as Ubuntu.

sudo cryptsetup luksFormat /dev/sdX  # Replace sdX with your drive identifier

What it does: This encrypts the entire contents of your hard drive. Even if someone steals your drive, they can’t read the data without the password.

3. Combining BIOS and HDD Passwords

Using both passwords together creates a stronger defense:

The BIOS password stops unauthorized booting.
The HDD password protects your data if the drive is removed and accessed elsewhere.

4. Regular Security Checks

Check Boot Order: Regularly verify that your boot order in the BIOS/UEFI setup hasn’t been changed. It should prioritize your trusted operating system drive.
Inspect for Tampering: Visually inspect your computer for any physical signs of tampering (e.g., opened cases, loose screws).
Verify System Integrity: Use tools to check the integrity of your operating system files. For example:
- Windows: sfc /scannow in an elevated command prompt.
- macOS: Disk Utility’s First Aid feature.
- Linux: Use package managers to verify file integrity (e.g., apt update && apt upgrade --reinstall $(dpkg -l | grep ^ii | awk '{print $2}') on Debian/Ubuntu).

Limitations

Sophisticated Attacks: A determined attacker with enough time and resources could potentially bypass these protections (e.g., using hardware hacking techniques).
Password Security: If your passwords are weak or compromised, the security is broken.
Firmware Vulnerabilities: Vulnerabilities in BIOS/UEFI firmware can be exploited. Keep your firmware updated.