Mac owners worried about anyone, from rogue hotel staff to prying partners, taking data from an unattended computer can now install an app that makes it harder to pull off a so-called “evil maid” attack.
The app, dubbed Do Not Disturb, monitors for certain macOS system events that suggest a high likelihood that someone with physical access to the computer is about to steal data from the machine.
The alert system is built around the idea that a closed MacBook automatically goes into Sleep Mode and is woken when the lid is opened, which triggers a “lid-open” event in macOS log systems. If the owner isn’t present at the time the lid is opened, there’s a good chance an evil maid attack is underway.
The app was developed by former NSA hacker Patrick Wardle, who told Wired the idea for Do Not Disturb occurred on a business trip to Moscow during a Tinder date with a woman who revealed she was a former employee of Russia's Ministry of Foreign Affairs. Wardle wondered whether he’d been lured away from his hotel room so that someone else could physically access his computer.
Attackers with physical access have several options at hand to extract data from a MacBook, including exploiting a recently patched macOS blank password bug, using generic attacks such as capturing credentials with a hidden camera, or targeting weaknesses available when devices connect through USB or Thunderbolt ports.
Do Not Disturb (DND) will log all lid-open events on the machine, which can be sent to a companion iOS app available on the App Store. The iOS app isn’t required for Do Not Disturb on macOS to work but could be helpful in the event a MacBook owner with an iPhone is absent when someone else has opened their unattended computer.
“Quite simply, when the laptop lid is opened DND macOS creates a local notification to alert you to potential unauthorized physical access,” Wardle notes.
Users will need to go through a process to pair iOS and macOS devices and, according to Wardle, it may require some effort to set up. However, it is possible to pair multiple iOS devices with the macOS device that needs protection.
The iOS companion app comes with a free seven-day trial, and after that it will be available as a subscription through the App Store.
The iOS app includes an active-defense feature that instructs a macOS laptop with Do Not Disturb installed to take a picture using its webcam. The picture is encrypted and sent back to the iOS app, which decrypts it.
Users can dismiss local event alerts or tell the macOS app to shut down the computer, in the same way holding down the power button would, as well as trigger FileVault disk encryption if it’s enabled.
The macOS app can be tailored so that an attacker would not see the app’s icons in the status menu bar. Users can also disable remote actions from the iOS app.
Within the “actions” section of the macOS app, there is a choice to monitor for events after someone opens the lid, such as a USB or Thunderbolt device being inserted.