Evil Maid Attack
A physical security attack where an adversary gains brief unsupervised access to a target's unattended device and tampers with it to enable later compromise.
Also known as: physical access attack, hotel room attack, bootkit attack
Last reviewed: 1 June 2026
The evil maid attack takes its name from the hotel scenario: a guest leaves their laptop in a room, and an attacker posing as a cleaner — or simply an adversary with brief physical access — accesses and tampers with the device. The goal is to install hardware keyloggers, bootkit malware, or firmware implants that will later capture passwords, encryption keys, or sensitive data when the legitimate user returns and operates the device normally.
The attack is particularly concerning against full-disk encrypted devices, because the encryption only protects data while the device is fully powered off, and the bootloader that prompts for the passphrase must itself live on an unencrypted partition so it can run before the disk is unlocked. If an attacker modifies that bootloader to record the decryption passphrase as it is entered, they can later retrieve the captured passphrase and decrypt the drive. This undermines the common assumption that a powered-off encrypted laptop is completely safe when left unattended.
Evil maid attacks require physical proximity and time, making them targeted rather than mass-market threats, typically used against high-value targets such as journalists, executives, or diplomats in high-risk locations. Mitigations include never leaving devices unattended in untrusted environments, using Secure Boot and TPM-based measured boot and attestation (a modified bootloader changes the recorded boot measurements, so the tampering can be detected or the disk key withheld), checking devices for hardware tampering after any uncontrolled access, and using tamper-evident seals on ports and screws.
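One way to implement the post-access integrity check described above, as an added example that is not part of this glossary entry: a Python script that records a SHA-256 hash of every file on the (necessarily unencrypted) boot partition as a baseline and, after the device has been out of the owner's control, reports which files were modified, removed or added. The directory layout, file names and file contents below are constructed for the demo; the demo() function simulates a bootloader replacement inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large kernels and initrds are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(boot_dir: Path) -> dict[str, str]:
    """Map each file under the boot partition (relative POSIX path) to its hash."""
    manifest = {}
    for p in sorted(boot_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(boot_dir).as_posix()] = hash_file(p)
    return manifest


def verify_boot(boot_dir: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current boot partition against a stored baseline manifest."""
    current = build_manifest(boot_dir)
    return {
        # same path, different content: the classic modified-bootloader case
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        # files the baseline had but are now gone
        "missing": sorted(k for k in baseline if k not in current),
        # files that were not there when the baseline was taken
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def is_clean(report: dict[str, list[str]]) -> bool:
    """True only when nothing was modified, removed or added."""
    return not any(report.values())


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: take a baseline, then simulate tampering and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"                       # stands in for a real /boot
        (boot / "EFI" / "BOOT").mkdir(parents=True)
        (boot / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"constructed: genuine bootloader")
        (boot / "vmlinuz").write_bytes(b"constructed: kernel image")
        (boot / "initrd.img").write_bytes(b"constructed: initramfs")

        baseline = build_manifest(boot)                 # taken while the device is trusted
        clean_report = verify_boot(boot, baseline)      # immediate re-check: nothing changed

        # Simulated unattended access: the bootloader is replaced and a file is dropped
        (boot / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"constructed: replaced bootloader")
        (boot / "EFI" / "BOOT" / "extra.efi").write_bytes(b"constructed: unexpected file")

        tampered_report = verify_boot(boot, baseline)   # check on return to the device
    return clean_report, tampered_report


if __name__ == "__main__":
    before, after = demo()
    print("before tampering, clean:", is_clean(before))
    print("after tampering:", after)
```

Run build_manifest() once on a known-good system and keep the result off the device (printed out, or on removable media the owner carries), because a baseline stored on the same disk can be edited together with the bootloader. The comparison also needs to run from a boot medium the owner trusts: tampered firmware or a tampered bootloader can lie to software running on top of it, which is why TPM-backed measured boot, where the firmware records each boot component's hash before handing control to it, is the stronger control. This file-level check is the cheap complement that tells you exactly which file changed.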
Examples
- A journalist attending a conference leaves their encrypted laptop in a hotel room; an adversary installs a modified bootloader that records the full-disk encryption passphrase on next login.