
VeraCrypt Portable Issues False Evil Maid Bootloader Attack

svenk
2019-01-08
2019-01-14
  • svenk

    svenk - 2019-01-08

    Hi,

    I have been using VeraCrypt 1.23 for some time now and upgraded yesterday to 1.23 Hotfix 2, all without problems. The system drive is encrypted (two partitions C and D) and I did not update the VC bootloader since it supposedly should not be necessary. I also booted several times afterwards, all without issue.

    Today I was verifying a bootable Win10PE stick with the portable VeraCrypt executable on it, and as soon as I run that exe from within the normal Win 10 installation (not the PE environment) the warning about the Evil Maid attack comes up. I only start the exe and do nothing else, and the warning comes. Each time reproducible. Also on another machine which I also upgraded yesterday to 1.23HF2.

    I am quite sure that nobody tampered with the machines. I immediately changed the password which should also repair the bootloader, but again running the portable VC exe brings that message up again.

    I am not sure if this is related to 1.23HF2 or the portable version. The message does not show when the portable is not executed.

    Edit: can someone please correct the typo in the subject?

     

    Last edit: svenk 2019-01-08
  • Mounir IDRASSI

    Mounir IDRASSI - 2019-01-11

    First of all, we only support official VeraCrypt binaries distributed by us, and users should not trust other non-official VeraCrypt installers like the one proposed by the PortableApps website.

    Moreover, we provide an official portable version of VeraCrypt, which allows extracting all binaries to external disks or any other location.

    Concerning your issue, I can not reproduce it using VeraCrypt portable binaries created using the official way. Are you sure that the portable version is also 1.23-Hotfix-2?
    Do you have the same issue if you use the official portable version?

    You said that you did not update the bootloader. Can you please clarify this since the installer automatically updates the bootloader?

    The binaries in the official portable version are the same as the installed version and they perform the EvilMaid attack check the same way, so either both display this message or none of them display it.
    On the other hand, it is important to keep this check in the portable version since it provides an extra way to test the system without relying on the binaries already present.

     
    • svenk

      svenk - 2019-01-14

      > On the other hand, it is important to keep this check in the portable version
      > since it provides an extra way to test the system without relying on the binaries
      > already present.

      I cannot agree to this. I think that in my case I am facing an example where this is not useful at all. I created a bootable Win10XPE stick containing several tools, among them VeraCrypt portable, and an encrypted file container hosting several additional files.

      Whenever I plug the stick into one of my machines I mount the container using a special batch on the non-encrypted part of the stick, which runs portable VeraCrypt to mount the container. This works perfectly as long as the machine has the same VeraCrypt version installed, and brings the false warning as soon as the machine is upgraded and the stick not.

      So what extra way to test the system should this provide? The potential attacker could not have tampered with the VeraCrypt installation on the encrypted machine, so as soon as it boots up, the installed VeraCrypt will bring up the (in this case correct) warning. No need for a portable version to check what should already have been checked, and even worse: raise a false warning.

       
  • svenk

    svenk - 2019-01-11

    Hi,

    I'm sorry I did not see the portable version here. Portableapps.com is hosting version 1.23 only. I checked and the archive hosted there is identical to the 1.23 version hosted here, so this is OK.

    I now checked with your portable version 1.23 HF2, and the error does not show. So this is also OK.

    However, this means that the warning comes up as soon as someone runs an older portable version on a system-encrypted machine. I do not find this very fortunate...

    With "I did not update the bootloader" I meant that I did not re-encrypt the drive. The bootloader itself has been updated of course. Sorry for the confusion.

     
