Do Not Disturb: Detect Evil Maid Attacks

One of the most effective ways to compromise a computer is through physical access. Many of us have probably left our notebooks unattended (possibly in a hotel room when traveling?). It would be nice to know if somebody attempted to hack it! Do Not Disturb (DND) continually monitors your system for events that may indicate a precursor to an "evil maid" attack. Specifically, it watches for 'lid open' events.

If you have shut your notebook (and consequently triggered sleep mode), the majority of physical access attacks require the lid to be opened in order to succeed. Such attacks could include:

Again, the majority of these attacks require a closed notebook to be opened… either to wake it (i.e. to process a malicious device) or for the attacker to interact with the notebook! As with any security tool, proactive or direct attempts to specifically bypass DND's protections will likely succeed. Additionally, any attack that does not require opening the lid of a closed notebook will remain undetected.

Future versions will expand DND's monitoring and detection capabilities (possibly alerting on power events, USB insertions, etc.).

Do Not Disturb may also detect unauthorized access by less wicked adversaries… like one's mother.

As soon as an unauthorized lid open event is detected, DND will locally log this event. It may be configured to:

  • Locally display an alert
  • Remotely send an alert to a registered iDevice
  • Execute a specified action (e.g. run a script)
  • Monitor for interesting events, including new processes, USB insertions, new logins, etc.

Do Not Disturb, by design, doesn't distinguish between authorized and unauthorized lid open events. That is to say, it will alert you any time your notebook's lid is opened (unless configured to ignore this upon a successful Touch ID authentication event).

Compatibility: OS X 10.12+


About the Author: Alyssa Howard