Posted by u/DoctorFreeman 4 days ago
Show HN: Tripwire: A new anti evil maid defense
github.com/fr33-sh/Tripwi...
If you have heard of [Haven](https://github.com/guardianproject/haven), then Tripwire fills in the void for a robust anti evil maid solution after Haven went dormant.

The GitHub repo describes both the concept and the setup process in great detail. For a quick overview, read up to the demo video.

There is also a presentation of Tripwire available on the Counter Surveil podcast: https://www.youtube.com/watch?v=s-wPrOTm5qo

neuralkoi · 3 days ago
The author did an excellent job explaining what an evil maid attack is, but a very poor job of explaining how their proposal mitigates such an attack.

I think the classic "Detecting unauthorized physical access with beans, lentils and colored rice" [0] approach is simpler to understand and simpler to implement. It doesn't rely on any hardware, such as a Raspberry Pi or otherwise technology which can be more easily subject to scrutiny via Ken Thompson's "Reflections on Trusting Trust".

[0] https://dys2p.com/en/2021-12-tamper-evident-protection.html

x187463 · 3 days ago
That's cool. I hadn't heard of that, before. I had a related idea for achieving plausible deniability of the key in full disk encryption or similar scenarios. The password would be derived from the position of sensitive, yet innocuous, elements on the device, ensuring that the seizure of the device would likely corrupt this relationship. For instance, a series of N-sided dice could be placed in specific positions on top of the device (in the case of a desktop computer, perhaps), and the password derived from their sequence. Consideration must also be given to the possibility of the device being photographed—likely from a single angle—before being moved. So, the dice would be positioned to include some amount of occlusion. Any dice-based algorithm would need to ensure the search space for the resulting key was sufficiently large.
DoctorFreeman · 2 days ago
Thanks for the feedback. My guess is that the part about destroying the random secrets is easier to understand, but the later part about a key pair and how its signing of the photo log can help with a persistent network outage is harder to understand? It does need a specific mental picture to see how it makes sense. I'll try to have more diagrams to explain.

But yeah the "random mosaic" with rice and beans is a great defense. My view is that these together can form a defense in-depth.

thenthenthen · 2 days ago
Thanks for sharing again, I saw this at some point but lost the reference, great technique, cheap, easy, fun. This is art
IncreasePosts · 2 days ago
With beans and colored rice, a smart evil maid will just wait until the next earthquake to compromise your devices.
alias_neo · 2 days ago
It's vacuum packed so movement such as that of an earthquake would have no effect.
guerrilla · 3 days ago
Just so you know, this name is already taken by a famous security product for intrusion detection.

https://en.wikipedia.org/wiki/Tripwire_(company)

https://en.wikipedia.org/wiki/Open_Source_Tripwire

angry_octet · 2 days ago
Agreed, it's pointlessly confusing to call it tripwire.
DoctorFreeman · 2 days ago
Thanks for the note. Maybe I can rename it to Tripwire AEM where AEM stands for anti evil maid.
FuriouslyAdrift · 2 days ago
Yep... first big project I worked on (as a baby intern). Spaff is a legend.

seanhunter · 2 days ago
This reminded me of the (real life) story of Oleg Gordievsky, the FSB officer who was a double agent for the west[1]. He was alerted to the fact that the FSB were on to him and had been in his apartment because there were three locks on his front door but he never locked one of them as he didn’t have the key. He came home one day to find all three were locked.

[1] Read “The Spy and the Traitor” by Ben Macintyre. It’s incredibly gripping and at times hard to believe the courage and perseverance of the people involved but it was real.

MrBuddyCasino · 2 days ago
And if that tickles your fancy, "Tinker Tailor Soldier Spy" [0] is an excellent miniseries from 1979 about a mole in MI6, perhaps the best spy series ever made. I didn't care about the movie much, so don't let this deter you, but Alec Guinness as George Smiley is a perfect match. John Le Carré thought so, too.

Oh and Patrick Stewart plays "Karla" the Soviet mastermind in this series and its successor "Smiley's People". Just a few seconds, but very memorable, it's incredible really.

[0] https://www.imdb.com/title/tt0080297/

buredoranna · 2 days ago
"Smiley's People" remains one of my favorite shows.

If you track it down, I highly recommend watching it with headphones. The sound design is amazing.

The sound of an empty room being profoundly menacing.

seanhunter · 2 days ago
Wholeheartedly second that. Both series are amazing.
Eduard · 3 days ago
I guess this is actually not an anti evil maid defense.

It's rather an anti evil maid tool, or an evil maid defense. :)

Sorry for being pedantic, but with the arms race within cybersecurity, "anti something defense" sounds like double negation to me.

nine_k · 3 days ago
I would call it "a defense against evil maid attacks" to avoid any ambiguity.
mannykannot · 2 days ago
I like the way you made me think! I had not thought about it until now, but I take your point.

While thinking about it, this phrase occurred to me: “silver bullets are a defense against zombies.” It is not the same phrase structure as the original, but it also has the double-negative vibe, yet it feels more reasonable to me than “…are a defense for zombies”, which to me suggests that zombies would employ them against their enemies.

I think the resolution here is that defense is inherently against something, so these phrases are not unequivocally double negatives - though I also agree with nine_k’s point about a better way to say it.

EDIT: Duh! The fact that defense is inherently against something is precisely what makes these phrases look like double negatives! The resolution must be something else - maybe agreement in mood or sentiment…

voxadam · 3 days ago
For a second I thought Tripwire, Inc.[0] had risen from the dead with a new IDS.

[0] https://en.wikipedia.org/wiki/Tripwire_(company)

Thorrez · 2 days ago
Instead of deleting the secret on trip, and requiring a re-arm, it could instead derive a new secret on trip, by e.g. hashing the previous secret. That way you don't have to manually re-arm it, and you get a record of all trips.

Say e.g. a bug walks in front of the camera, tripping it. Then 1 hour later an evil maid comes in and tampers with the system. In my design, you could look at the photo record, see that the 1st trip was a false alarm, then continue looking at the data, and see that the 2nd trip was something real.

Compared to with the current design, the bug would trip it, then you would get no record of the actual evil maid. You would see the photos of the bug tripping it, and think "oh, it's just a false alarm, I don't need to worry", and trust the computer, even though it's tampered with.

ahazred8ta · 8 hours ago
On the TV series The Starlost, security safes had a numeric access code that incremented by 1 after each use.
DoctorFreeman · 2 days ago
That is honestly a fantastic idea. Many thanks for it. And I don't see any problems to fit it into the design right now.
Thorrez · 2 days ago
3 problems I can think of with my idea are: (1) it makes the tripping less noisy, so it increases the chance someone might ignore or miss the trip. I guess with the right UX that can be mostly solved. (2) if a bug walks in front of the camera, is that 1 trip or multiple trips? The bug would be visible for multiple frames, so it might do a ton of secret rotations for a single incident, which could present an odd UX to the user. (3) in the original design, there's an asymmetric key that's deleted on trip, which isn't really possible in my design. That means in the original design, if the phone is hacked, that doesn't let the attacker forge security footage, because the phone only has a public key, whereas in my design, if the phone is hacked, that does let the attacker forge security footage, because security is based on a symmetric key/secret. (One thing I don't understand about the original design is why it has both a symmetric key/secret and an asymmetric key. If they're both deleted at the same time, and don't auto-rotate, I don't see what benefit the symmetric key/secret provides.)

One idea to improve the (2) problem is to instead of only rotating the secret on trip, rotate for every frame, regardless of whether a trip is ongoing or not. So if there are 10 photos/sec that would be 10 rotations/sec. And then there can be a boolean in the signed data with each frame (signed e.g. with a MAC using the secret) that indicates whether there's an ongoing trip or not (and also include a timestamp in the signed data). So that means regardless of whether it's tripping, an attacker can never backdate images prior to when the attacker got control of the system.
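
Added example, not part of the thread and not Tripwire's own code: a minimal Python sketch of the per-frame rotation described in Thorrez's two comments above, where each frame's record (timestamp, trip flag, photo hash) is MACed with the current secret and the secret is then replaced by its hash. The names `Camera`, `ratchet`, `tag` and `verify_log`, the record layout and the sample frames are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

def ratchet(secret: bytes) -> bytes:
    # One-way step: the next secret is a hash of the current one.
    return hashlib.sha256(b"ratchet" + secret).digest()

def tag(secret: bytes, record: dict) -> str:
    # Derive a MAC key from the chain value, then MAC the canonical record.
    mac_key = hashlib.sha256(b"mac" + secret).digest()
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(mac_key, body, hashlib.sha256).hexdigest()

class Camera:
    """Device side (hypothetical): holds only the current secret."""
    def __init__(self, initial_secret: bytes):
        self.secret = initial_secret
        self.index = 0

    def log_frame(self, photo: bytes, timestamp: int, tripped: bool) -> dict:
        record = {"index": self.index, "ts": timestamp, "tripped": tripped,
                  "photo_sha256": hashlib.sha256(photo).hexdigest()}
        entry = {"record": record, "tag": tag(self.secret, record)}
        self.secret = ratchet(self.secret)  # the old secret is overwritten
        self.index += 1
        return entry

def verify_log(initial_secret: bytes, log: list) -> int:
    """Verifier side: returns how many leading entries verify."""
    secret = initial_secret
    for i, entry in enumerate(log):
        rec = entry["record"]
        ok = hmac.compare_digest(entry["tag"], tag(secret, rec))
        if rec["index"] != i or not ok:
            return i
        secret = ratchet(secret)
    return len(log)

def demo():
    s0 = bytes(range(32))  # constructed initial secret shared with the verifier
    cam = Camera(s0)
    frames = [(b"empty room", 1000, False), (b"bug on lens", 1001, True),
              (b"empty room", 1002, False), (b"person at desk", 4601, True)]
    log = [cam.log_frame(p, ts, t) for p, ts, t in frames]
    # Someone who takes over the device now holds only the secret for frame 4,
    # so rewriting frame 3 as "not tripped" yields a tag the verifier rejects.
    rec = dict(log[3]["record"], tripped=False)
    forged = log[:3] + [{"record": rec, "tag": tag(cam.secret, rec)}]
    return verify_log(s0, log), verify_log(s0, forged)
```

As problem (3) in the comment notes, the verifier here holds the same symmetric secret as the device, so whoever holds the verifier's copy can produce valid tags.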

friend99 · 2 days ago
> NEVER PLUG/UNPLUG THE CAMERA MODULE, THE PIR SENSOR, OR WIRES WHEN THE RPi IS POWERED ON!!!

Why?! Will it trigger W.O.P.R. and start attempting to brute force missile silo keys?

DoctorFreeman · 2 days ago
I don't know if it will cause problems. I'm just playing it safe :)
hulitu · 2 days ago
It will trigger SW bugs.
pyrolistical · 3 days ago
For high sec people, they should have an internal sec camera system. They have come down in price over time.
kotaKat · 3 days ago
I’ve slowly been working on building a Honeywell burglar alarm panel (a Vista15P/20P) into part of a Pelican case for travel. I can just stick up sensors where I need them temporarily (a PIR, a glassbreak, a couple motions), and then use an ECP bus decoder (like the old AlarmDecoder board[1]) to kick notifications and alerts out where they need to go with an LTE-connected miniPC/Pi.

When I need to secure an area (eg, vending at a convention at a hotel, locking up the room with stock), I can just pop down the Pelican, plug in the keypad (which doubles as the RF transceiver), stick up sensors, and I’m off to the races.

[1] http://www.alarmdecoder.com/