
EM isn't necessarily a targeted attack: almost everyone is running x86_64

it'd just be a matter of replacing a binary with an iffy'd version that runs before any decryption happens, e.g. replacing plymouth.

This isn't hard to do in the slightest? I think even you or I could do it.

But with secureboot, replacing a binary in the loading chain isn't an option.

I don't think I could convince intel to install a bug for me.

https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.h... is a good descriptor of how it all comes together



All smartphones use ARM and USB and Android, and _even then_ the evil USB charging port is targeted -- you still have to tailor it to the target's screen ratio, Android version, Android UI/skin, even launcher if they have one, etc.

> it'd just be a matter of replacing a binary with a iffy'd version that runs before any decryption happens, e.g. replacing plymouth.

You'd at least need to imitate the UI your target is using for unlocking the disk (e.g. plymouth theme). Then, after the user types something, either virtualize the rest of the boot process (which is already extremely implausible), or otherwise reboot in a way that does not immediately cause the user to be suspicious. All of this is as targeted as it gets. A generic version would get as far as your average phishing email.

But... how do you plan to replace my bootloader in the first place? You'd need root access for that. At that point, it is already game over for the target! Why would you need to tamper with the bootloader at that point?

Or are you thinking about breaking into my house and doing that to my offline computers? How is that not a "targeted attack"?


Adding `store password somewhere` doesn't get in the way of plymouth's theming (which is separate), it doesn't change the rest of the boot process, etc etc etc etc etc. It's taking an open source project, adding some lines to it, compiling, and swapping a binary out. Why would it need to do any of this other stuff?

> You'd need root access for that. At that point, it is already game over for the target! Why would you need to tamper with the bootloader at that point?

Yes, that is the crux of the Evil Maid attack, a drive-by install of software, e.g. at a coffeeshop while one is on the toilet, at an office, at a hotel by an evil maid, etc etc. AEM is about detecting changes in trust: if the loading sequence is changed, then the verifier (another device like a USB dongle) can't verify (since the TPM can no longer unlock the prior secret due to the chain changing).

You might want to look into the article I linked in my earlier comment to get the full idea of what is meant by evil maid
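A toy model of the sealing mechanism described above, added here as an illustration and not code from the linked Invisible Things Lab article or from any TPM library: each boot component is folded into a PCR-style register, the AEM secret is bound to the expected register value, and a chain with a patched initramfs/plymouth fails to release it. Component names, the secret and the seal construction are all constructed stand-ins for what a real TPM does with PCR policies.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a fresh PCR starts as all zeros


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || H(component bytes))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components: list[bytes]) -> bytes:
    """Fold every boot component (bootloader, kernel, initramfs...) into one PCR value."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Toy stand-in for TPM sealing: key is derived from the PCR value the secret is bound to.
    Secret must be at most 32 bytes (one SHA-256 key block)."""
    key = hashlib.sha256(b"seal|" + expected_pcr).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, key))
    return ciphertext + hmac.new(key, secret, "sha256").digest()


def unseal(blob: bytes, current_pcr: bytes):
    """Release the secret only if the current PCR matches the sealing PCR, else None."""
    key = hashlib.sha256(b"seal|" + current_pcr).digest()
    ciphertext, tag = blob[:-32], blob[-32:]
    candidate = bytes(a ^ b for a, b in zip(ciphertext, key))
    if hmac.compare_digest(hmac.new(key, candidate, "sha256").digest(), tag):
        return candidate
    return None


# Constructed stand-ins for the measured chain; only the initramfs differs.
GOOD_CHAIN = [b"grub-2.x", b"vmlinuz", b"initramfs-with-plymouth"]
TAMPERED_CHAIN = [b"grub-2.x", b"vmlinuz", b"initramfs-with-patched-plymouth"]
AEM_SECRET = b"AEM secret: owl photo 0x42"  # what the user expects to see before typing


def aem_check(chain: list[bytes]):
    """Seal to the known-good chain, then try to unseal against the chain actually booted."""
    blob = seal(AEM_SECRET, measure_boot_chain(GOOD_CHAIN))
    return unseal(blob, measure_boot_chain(chain))


if __name__ == "__main__":
    print("good chain  ->", aem_check(GOOD_CHAIN))
    print("tampered    ->", aem_check(TAMPERED_CHAIN))
```

The secret is released for the unmodified chain and withheld once any measured component changes, which is the signal the user (or the USB dongle verifier) relies on before typing the disk passphrase.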


> Yes that is the crux of the Evil Maid attack, a drive-by install of software. e.g. at a coffeeshop while one is on the toilet, at an office, at a hotel by an evil maid, etc etc.

If the laptop was left online and unlocked: What do you expect to gain by installing a patched plymouth versus installing a traditional remote control software and/or keylogger? You don't even need root for the latter!

If the laptop was left locked: do you plan to open the laptop, remove the disk, transfer some files to it (matching the same distro & version of all components your target was using, otherwise the entire thing may just crash or look different and reveal the attack), hope the target doesn't notice his laptop was literally taken apart (most laptops just can't be opened at all, for the ones which can, even mine has a simple open-circuit tamper detector...), then come back in the future _and do the same_ again to recover the captured password? And how is this not a ridiculously targeted attack?

Besides, at that point, you could simply install a wiretap on the keyboard, an attack which, unlike the evil maid crap, I have seen _millions_ of times in the wild (e.g. at public pinpads, card readers at gas stations, etc.).


What's plymouth?


https://www.freedesktop.org/wiki/Software/Plymouth/ the lil spinny that shows up as your OS loads, and the password prompt for decrypting your drives to continue booting



