Physical access (or “evil maid”) attacks are some of the most insidious threats faced by those of us who travel with our Macs. Do Not Disturb (DND) is a free, open-source utility that aims to detect such attacks and alert you to them!
One of the best ways to compromise a computer is with physical access. Many of us have likely left our laptops unattended (perhaps in a hotel room while traveling?). It’d be nice to know if somebody attempted to hack it! Do Not Disturb (DND) continually monitors your system for events that may indicate a precursor to an “evil maid” attack. Specifically, it watches for ‘lid open’ events.
If you’ve shut your laptop (and thus triggered sleep mode), the majority of physical access attacks may require the lid to be opened in order for the attack to succeed. Such attacks could include:
- Logging in locally as root, by exploiting a bug such as ‘#iamroot’
- Locally logging in via credentials captured by a hidden camera
- Inserting a malicious device into a USB or Thunderbolt port
Again, most of these attacks require a closed laptop to be opened…either to wake it (i.e. to process a malicious device) or for the attacker to interact with the laptop! As with any security tool, direct or proactive attempts to specifically bypass DND’s protections will likely succeed. Also, any attack that does not require opening the lid of a closed laptop will remain undetected.
Future versions will expand DND’s monitoring and detection capabilities (perhaps alerting on power events, USB insertions, etc).
Do Not Disturb can also detect unauthorized access by less evil adversaries…such as one’s mother.
When an unauthorized lid open event is detected, DND will locally log this event. It can be configured to:
- Locally display an alert
- Remotely send an alert to a registered iDevice
- Execute a specified action (e.g. run a script)
- Monitor for interesting events, such as new processes, USB insertions, new logins, etc.
Do Not Disturb, by design, does not differentiate between authorized and unauthorized lid open events. That is to say, it will alert you any time your laptop’s lid is opened (unless configured to ignore the event upon a successful Touch ID authentication).
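Lid-open wakes can also be reviewed after the fact from the macOS power log. The following is an added example, not DND's own code: it filters `pmset -g log` style text for full wakes caused by a lid open and keeps those that fall inside a period when the laptop was unattended. The log lines are constructed and their layout is an assumption modelled on Intel MacBook output; all function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample; layout assumed to follow `pmset -g log` on Intel MacBooks.
SAMPLE_LOG = (
    "2018-04-20 22:41:07 -0700 Sleep               \tEntering Sleep state due to "
    "'Clamshell Sleep':TCPKeepAlive=active Using Batt (Charge:81%)\n"
    "2018-04-21 02:13:52 -0700 DarkWake            \tDarkWake from Normal Sleep "
    "[CDN] : due to RTC/Maintenance Using BATT (Charge:80%)\n"
    "2018-04-21 03:27:19 -0700 Wake                \tWake from Normal Sleep "
    "[CDNVA] : due to EC.LidOpen/Lid Open Using BATT (Charge:80%)\n"
    "2018-04-21 08:05:44 -0700 Wake                \tWake from Normal Sleep "
    "[CDNVA] : due to EC.LidOpen/Lid Open Using BATT (Charge:78%)\n"
)

STAMP_FMT = "%Y-%m-%d %H:%M:%S %z"
# timestamp, event domain (Sleep / Wake / DarkWake ...), free-text message
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+(\S+)\s+(.*)$")
LID_RE = re.compile(r"lid\s*open", re.IGNORECASE)


def parse_stamp(text):
    """Parse a pmset-style timestamp into a timezone-aware datetime."""
    return datetime.strptime(text, STAMP_FMT)


def lid_open_wakes(log_text):
    """Return timestamps of full wakes whose stated reason is a lid open."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers and continuation lines carry no event
        stamp, domain, message = m.groups()
        # DarkWake is background maintenance with the display off; skip it.
        if domain == "Wake" and LID_RE.search(message):
            events.append(parse_stamp(stamp))
    return events


def opens_while_away(log_text, away_start, away_end):
    """Lid-open wakes inside the window when nobody should have touched the Mac."""
    start, end = parse_stamp(away_start), parse_stamp(away_end)
    return [e for e in lid_open_wakes(log_text) if start <= e <= end]


if __name__ == "__main__":
    for hit in opens_while_away(SAMPLE_LOG, "2018-04-20 23:00:00 -0700",
                                "2018-04-21 07:00:00 -0700"):
        print("lid opened while away:", hit.isoformat())
```

Like DND itself, this only sees attacks that open the lid, and the power log can be altered by anyone who gains sufficient privileges on the machine.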
Compatibility: OS X 10.12+