Evil Maid Attack – Hardware-Based Attacks
By Jessica Amado

We are no strangers to hacking. The term has been around for decades, and pretty much everyone knows the basics of cybersecurity (or at least they should): make sure your password contains letters, numbers, and special characters; do not share your password with anyone; do not click on suspicious links; and so on. There is also a range of security software tools that enhance protection and mitigate attacks. But what happens when malicious actors circumvent all the security measures in place by using a vacuum cleaner?

It is no surprise that as security tools become more sophisticated, so do attackers’ techniques. It all comes down to hardware…

Bad actors have found great success using Rogue Devices, i.e., hardware attack tools that are malicious by nature. Why? Because organizations lack complete visibility on the Physical Layer. Without visibility on Layer 1, Network Implants, which sit on this layer, stay under the radar of existing security software solutions and carry out attacks without being detected. Spoofed Peripherals, being manipulated on the Physical Layer, impersonate legitimate HIDs by spoofing their MAC addresses and are therefore not recognized as malicious. This blind spot allows Rogue Devices to remain inside a target’s environment for long periods without raising any alarms.

A lack of hardware asset visibility means that organizations cannot be sure they are fully protected, because they have no accurate picture of the devices across their infrastructure, whether those devices sit on the peripheral or the network interfaces.

A slice of Pi

One such tool is the Raspberry Pi. While designed with good intentions, bad actors have deployed the Raspberry Pi with malicious intent. Initially created to teach the basics of computer science, the Raspberry Pi can provide cyber attackers with the means to attack their targets without being detected. As a wireless device, the Raspberry Pi can impersonate a legitimate HID and execute payloads that cause significant damage to the victim. Through its GPIO (general purpose input/output) pins, the device can exfiltrate data, inject malware, perform espionage, and more. Essentially, the Raspberry Pi lets its user control the electrical components of physical computing and explore the Internet of Things (IoT), and the latter expands the attack surface as the number of IoT devices increases. What makes the Raspberry Pi even more threatening is its ease of access: the device can be purchased online for less than USD 30, meaning that anyone can get their hands on this dangerous tool.

Vacuum or vessel?

A drawback of hardware attacks is that the perpetrator must gain physical access to the target. This can be a challenge for external malicious actors, and hence they rely heavily on social engineering techniques to gain such access. In fact, 56% of social engineering attacks are carried out by malicious outsiders. In hardware-based attacks, it is the device that must be physically inside the target’s premises. As a result, attackers seek covert ways to implant the device inside the target’s location. One such way is to use a vacuum cleaner, because who suspects a cleaning tool of posing a security risk, right? It has been proven possible to hide a Raspberry Pi inside a vacuum cleaner and, through its wireless capabilities, give the attacker control over the target endpoint. Yes, that is right – the vacuum cleaning your office might just be the source of a cyberattack. Such an attack scenario also highlights the risks that insiders pose to organizations – you can never really be sure who is inside the premises. This situation specifically addresses the risks associated with third-party workers. Cleaning staff are often outsourced, and the nature of their job is unlikely to raise security alarms, making it the perfect disguise for infiltrating a target. Insider threats are very real and, according to Fortinet, nearly 70% of organizations think insider attacks are becoming more frequent. So, we ask the question: can one really trust thy neighbour?

Concluding thoughts

Unfortunately, the human eye and existing security solutions are not enough to protect an enterprise from these malicious devices. Physical Layer visibility should be a top priority for every organization wishing to enhance its security; visibility from Layer 2 upwards is not sufficient to protect against today’s threats. And, because such devices can be hidden in inconspicuous locations, it is almost impossible to know that they are there. So hopefully, by reading this article, you are now more aware of the risks of Rogue Devices and, more importantly, of the covert ways in which they can infiltrate your organization. So next time you see a vacuum cleaner in the office, you might wonder whether it is just clearing dirt and dust, or whether it is clearing your data, too.