Evil Maid Attack: What it is, why it beats sleep mode, and how to prevent it

Evil Maid Attack

What it is

An evil maid attack targets an unattended device - think laptop in a hotel room or office desk. An attacker with brief physical access can steal data or plant stealthy changes (even firmware tweaks) that later fake a login prompt to capture your password and unlock everything.

Why it matters

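Full-disk encryption protects files only when the device is off and the key is locked. A sleeping laptop typically still holds the unlocked key in memory, which is why sleep mode protects less than a full shutdown. And if someone tampers with boot code or firmware, they can trick you into handing over that key the next time you power on.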

How it happens 

  • The attacker boots the device from a USB drive to alter the bootloader or firmware

  • They install a tiny implant that records your password at the next startup

  • They reboot the device, and nothing looks different until you type the password

Prevent it

  • Shut down (not sleep) and require pre-boot PIN/password

  • Enable Secure Boot, BIOS/UEFI passwords, and TPM-based encryption

  • Disable USB boot / set boot order, and seal the chassis with tamper-evident tape for travel

  • Keep firmware up to date; don’t leave devices unattended

If you suspect tampering

  1. Do not boot normally.

  2. Boot from known-good media to collect logs and verify boot/firmware integrity.

  3. Rotate disk passwords/keys and consider a clean reinstall or firmware reflashing.

  4. Change account passwords from a separate clean device.
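
One way to do the boot-integrity check in step 2, as an added example that is not part of the original article: record SHA-256 hashes of every file on the EFI System Partition (ESP) while the machine is trusted, then compare against that record from known-good media. It assumes a Linux live environment with `sha256sum`; the function names, script name, mount point and manifest path are illustrative.

```sh
#!/bin/sh
# Added example: hash-baseline check for the EFI System Partition (ESP).
# Assumptions: Linux live media with sha256sum; the ESP mount point and the
# manifest path are supplied by you, and the manifest is kept OFF the laptop.

# Print "sha256  ./path" for every file under DIR, in a stable order.
esp_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Record the known-good state: esp_baseline DIR MANIFEST
esp_baseline() {
    esp_manifest "$1" > "$2"
}

# Compare DIR with MANIFEST. Prints ADDED/MISSING/MODIFIED lines.
# Returns 0 if identical, 1 if anything differs, 2 on a usage problem.
esp_verify() {
    [ -s "$2" ] || { echo "empty or missing manifest: $2" >&2; return 2; }
    cur=$(mktemp) || return 2
    esp_manifest "$1" > "$cur"
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        NR == FNR { base[path] = hash; next }        # first file = baseline
        { seen[path] = 1
          if (!(path in base))         print "ADDED " path
          else if (base[path] != hash) print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Command-line use: sh esp-check.sh baseline|verify ESP_DIR MANIFEST
case "${1:-}" in
    baseline) esp_baseline "$2" "$3" ;;
    verify)   esp_verify "$2" "$3" ;;
esac
```

This covers bootloader files on the ESP only; firmware stored in flash is not visible to it and needs the vendor's own verification tools.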
