Preboot Authenticator Blocks "Evil Maid" Attacks

Security token based on the certgate micro Smartcard now also protects full fixed disk encryption programs against bootkits

February 24, 2011



The new version of the Preboot Authenticator makes full fixed disk encryption even safer

Nuremberg / Barcelona, 14.02.2011 – certgate, the Nuremberg-based IT security experts, will be presenting their latest, further developed version of the Preboot Authenticator for the first time during the Mobile World Congress in Barcelona. The security token based on the certgate micro Smartcard now also reliably protects full fixed disk encryption programs against bootkits, thereby preventing the well-known "Evil Maid" attacks.

After the weakness known as the "Evil Maid Attack" demonstrated the vulnerability of classic fixed disk encryption systems, many providers of encryption software declared that in the event of (even multiple) physical computer attacks, the protection of the encrypted data could not be guaranteed, or only at great expense. "We were not satisfied to leave it at that and with our Preboot Authenticator now offer a simple and favourably priced supplement to the most popular full fixed disk encryption programs," explains Axel Stett, COO of certgate GmbH. "Our token makes the programs not only resistant to bootkits but also simplifies the handling of fixed disk encryption software enormously for the user." certgate has registered the underlying procedure for patent protection.

The "Evil Maid" attack made headline news when it emerged that even encrypting fixed disks offers no great protection from data theft if an attacker (in this case the room maid) has access to a switched-off computer or notebook for only a few minutes. In the first attack, a compromised boot loader is transferred from a USB stick to the computer. A key logger then logs the encryption password the next time the user starts the computer and saves it for access by the attacker. Returning the next day, the "room maid" finds the password and can then freely access the data on the fixed disk.

The Preboot Authenticator from certgate replaces a long, difficult-to-remember password (ideally a string of random alphanumerical characters at least 32 digits long) with real 2-factor authentication using a simple 4- to 6-digit PIN, without weakening the cryptographic security of the system. The certgate microSD SmartCard is used to authenticate the computer both via a commercially available USB adapter and via a smartphone to which the crypto card can be connected.

In the current version, certgate has extended the Preboot Authenticator to include a defence function against bootkits. Every time the computer is switched on, the Preboot Authenticator compares the computer's boot sector with an image saved on the crypto card and prevents the operating system from starting if changes are discovered.
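The comparison described above can be sketched as follows. This is an added example, not certgate's code: it assumes a classic 512-byte MBR layout (the release only says "boot sector"), and the function names and sample sectors are constructed for illustration.

```python
import hashlib
import hmac

SECTOR_SIZE = 512
# Classic MBR layout (an assumption; the release only says "boot sector").
REGIONS = {
    "boot_code": (0, 446),
    "partition_table": (446, 510),
    "signature": (510, 512),
}


def read_boot_sector(path):
    """Return the first sector of a disk or disk image."""
    with open(path, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("short read: no complete boot sector")
    return sector


def changed_regions(current, reference):
    """List the MBR regions in which current differs from reference."""
    if len(current) != SECTOR_SIZE or len(reference) != SECTOR_SIZE:
        raise ValueError("both inputs must be exactly one sector")
    return [name for name, (start, end) in REGIONS.items()
            if not hmac.compare_digest(current[start:end], reference[start:end])]


def boot_allowed(current, reference):
    """Fail closed: allow boot only when the sector matches the reference."""
    try:
        return changed_regions(current, reference) == []
    except ValueError:
        return False


def make_sample_sector(boot_code_fill):
    """Constructed sample sector: filler boot code, empty table, 55 AA."""
    return bytes([boot_code_fill]) * 446 + bytes(64) + b"\x55\xaa"


if __name__ == "__main__":
    reference = make_sample_sector(0x90)   # stands in for the token's image
    tampered = bytearray(reference)
    tampered[0x20:0x24] = b"\xeb\xfe\x00\x00"  # constructed modification
    for label, sector in (("clean", reference), ("tampered", bytes(tampered))):
        digest = hashlib.sha256(sector).hexdigest()[:16]
        print(label, digest, changed_regions(sector, reference),
              "boot" if boot_allowed(sector, reference) else "halt")
```

A check of this kind covers only the first sector, and it is meaningful only when the comparing code and the reference image live outside the disk being checked, as with the image stored on the crypto card.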

About certgate GmbH

The IT security company based in Nuremberg develops and markets products and solutions which together add higher levels of security and ease-of-use to mobile communication devices. certgate has developed the world’s first microSD card with smartcard functionality and has patent protected it alongside other developments in mobile IT security.

The certgate micro SmartCard is the world’s first series product that integrates a smartcard on a microSD card. It has both a high performance crypto processor and an independent flash memory.

The objective of the certgate products is to close gaps in the security and practicability of mobile applications. At the same time it is forging ahead with the mobilisation of business processes in the financial sector, the exchange of confidential information in public administration and the securing of the flexible access to corporate data. The certgate products supplement mobile applications in an economical and ergonomic manner to include the security of smartcard-based authentication and encryption.

In addition to standard products for encrypted data storage, secure mobile banking with TAN, generation of certificated and personal signatures as well as the development of secure VPN links to mobile terminal devices, certgate also develops customer-specific security solutions for smartphones, PDAs and other mobile devices based on its certgate micro SmartCard.
