Pierluigi Paganini April 25, 2018

Former NSA expert and white hat hacker Patrick Wardle has released an app named Do Not Disturb app that can be used to detect attacks powered by attackers with physical access to the device (so-called “evil maid” attacks).

Patrick Wardle app Version 1.0.0 was built explicitly to protect unattended laptops continually monitors the system for events that may indicate a precursor of “evil maid” attack. According to Wardle, the Not Disturb app watches for ‘lid open’ events, the expert credited @thegrugq for the idea.

“If you’ve shut your laptop (and thus triggered sleep mode), the majority of physical access attacks may require the lid to be opened in order for the attack to succeed.”  wrote Wardle.

“Such attacks could include: 

• Logging in locally as root, by exploiting a bug such as ‘#iamroot’
• Locally logging in via credentials captured by a hidden camera
• Inserting a malicious device into a USB or Thunderbolt port.

 Again, most of these attacks require a closed laptop to be opened…either to awake it (i.e. to process a malicious device) or for the attacker to interact with the laptop!”

Once the Do Not Disturb app has detected a lid open event, it will take a series of actions. The app is able to display a local alert, send an alert to a remote Apple device (iPhone or iPad), log the attacker’s actions (creation of new processes, USB insertions, etc.), run custom scripts that could wipe sensitive data, disable the USB interfaces, or automatically re-lock the device every few seconds.

Wardle’s company Digita Security, has also released an iOS companion app for Do Not Disturb (available on the Apple Store) that allows users to associate their devices with the Do Not Disturb app, an operation that is necessary to receive alerts and notifications in case of attack.

“While the iOS companion application is free, after the first week of remote alerts/tasking, one will have to subscribe to a monthly ($0.99) or yearly ($9.99) to maintain this functionality. The Mac application, is and will always be 100% free 🙂 ” added Wardle.
“The iOS companion application is completely optional, and only required if one is interested in receiving remote DND alerts.”

Wardle plans to introduce new features in the future versions of the Do Not Disturb app that will include the management of more “lid open” events.

Pierluigi Paganini

(Security Affairs – Do Not Disturb App, evil maid attacks)

[adrotate banner=”5″]

[adrotate banner=”13″]