Should you consider a system compromised if someone could have physically accessed it, but you have no evidence they did?

An old adage is that if an adversary physically accessed your system, you should consider it compromised. My question is, what if they could have, but you have no evidence they did?

For example, let us say that you were walking into your computer room, and when you open the door, a hacker rushes out and escapes. You check your phone, and it says that nothing suspicious happened to your computer while you were gone. Should you assume the computer is compromised?

We can assume the computer has the following security features:

  • The computer sends signed and time-stamped messages over the internet to your phone logging various events described below. The phone also timestamps when it received the message. The phone notifies you if the timestamp of the message is significantly different from the time it was received.
  • Every second, it sends a message “still connected to the internet”. It also attaches a photo taken by the laptop's webcam. The webcam is pointed toward the door. If this message is not sent, or there is a significant change in the photo, the phone notifies you.
  • The computer contains an accelerometer. The computer will log any (coordinate) accelerations, vibrations, or orientation changes detected by the accelerometer. The phone will notify you when any of these are sent, unless disabled on your phone (although it will still be logged).
  • The computer logs all key presses made using its physically built-in keyboard, as well as the physical attachment or detachment of any peripherals (including the power plug). The phone will notify you when any of these are sent, unless disabled on your phone (although it will still be logged).
  • The hacker of course knows all of this, via Kerckhoffs’s principle.

Here are some attacks that would be detected.

Software Attacks

Assuming the hacker knows a software vulnerability, we will probably be able to detect it. If the hacker tries to hack the computer using the keyboard, the logs will show it:

    19:00:00 Still connected to the internet. [photo of empty room]
    19:00:01 Still connected to the internet. [photo of hacker wearing gloves coming in room] User notified.
    19:00:02 Still connected to the internet. [photo of hacker hacking] User notified.
    19:00:03 Keypressed "password'); hack();" detected. User notified.
    19:00:04 Mouse moved to "sign in" button. User notified.
    19:00:05 Disregard previous messages. Everything is fine.

Likewise with the USB:

    19:00:00 Still connected to the internet. [photo of empty room]
    19:00:01 Still connected to the internet. [photo of hacker with rubber ducky coming in room] User notified.
    19:00:02 Still connected to the internet. [photo of hacker hacking] User notified.
    19:00:03 Something inserted into USB slot. User notified.
    19:00:04 Disregard previous messages. Everything is fine.

If hacked over the internet, the above security features would not protect it. That is true of any computer though, and has nothing to do with physical access.

Evil Maid Attack

The real threat when physical access is involved is a network evil maid attack. This too would be detected though.

    19:00:00 Still connected to the internet. [photo of empty room]
    19:00:01 Still connected to the internet. [photo of hacker with laptop coming in room] User notified.
    19:00:02 Still connected to the internet. [photo of hacker putting hands toward laptop] User notified.
    19:00:03 Acceleration and rotation detected. User notified.
    19:00:04 Still connected to the internet. [photo of hacker room upside down] User notified.

A similar thing would happen with a classic evil maid attack.

Faraday Cage

Perhaps the hacker put the laptop in a Faraday cage before hacking it (either with a software, hardware, or evil maid attack). This too will be detected.

    19:00:00 Still connected to the internet. [photo of empty room]
    19:00:01 Still connected to the internet. [photo of hacker with Faraday cage coming in room] User notified.
    (Phone notifies user because the laptop has not reported that it is still connected to the internet at 19:00:02.)
    19:00:05 Connection restored.
    19:00:05 Still connected to the internet. [photo of empty room]

The last two logs were made after the computer is hacked. Note that without the camera, the user may have thought that the computer just disconnected from the internet. Even without the photo though, the user should assume the system is compromised (since the hacker could dig a tunnel to get into the room without getting detected by the camera, or place a Faraday cage around the room, or the building the room is in, itself).
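The phone-side logic the feature list above describes (signed, timestamped messages; a heartbeat every second; alerts on timestamp skew, missed heartbeats and photo changes) can be made concrete. The following Python is an added example, not code from the question, and it replays the Faraday-cage log as a constructed message stream. It assumes an HMAC over the message body as the "signature", a 2-second skew threshold, a 2-second heartbeat gap, and a text label per photo standing in for real image comparison; all of these are assumptions, not details from the post. The point it demonstrates is the one the question relies on: the phone's alert list is append-only, so neither a back-dated heartbeat, a forged "disregard" message, nor a correctly signed one sent after the key was pulled off the laptop can retract alerts that were raised while the machine was unreachable.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed shared secret. The post only says messages are "signed"; an HMAC
# over the message body is one simple way to do that (assumption).
KEY = b"constructed-demo-key"
MAX_SKEW = timedelta(seconds=2)       # assumed threshold for "significantly different"
HEARTBEAT_GAP = timedelta(seconds=2)  # assumed: one missed second tolerated, two is an alert


def clock(second):
    """Constructed clock: 19:00:SS on a fixed day, matching the question's logs."""
    return datetime(2024, 1, 1, 19, 0, second)


def sign(ts, event, photo=None, key=KEY):
    """Laptop side: wrap one logged event in a signed, timestamped envelope."""
    body = json.dumps({"ts": ts, "event": event, "photo": photo}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify(envelope, key=KEY):
    """Phone side: return the parsed body if the MAC checks, else None."""
    mac = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, envelope["mac"]):
        return None
    return json.loads(envelope["body"])


def phone_check(stream, now):
    """Phone side: scan (envelope, time_received) pairs in arrival order and
    return the alerts raised up to `now`. The list is append-only: a later
    message, even a correctly signed one, cannot retract an earlier alert."""
    alerts = []
    last_heartbeat = None   # receive time of the last heartbeat
    last_photo = None       # label stand-in for comparing consecutive photos
    for envelope, recv in stream:
        msg = verify(envelope)
        if msg is None:
            alerts.append((recv, "bad signature"))
            continue
        sent = datetime.fromisoformat(msg["ts"])
        if abs(recv - sent) > MAX_SKEW:
            alerts.append((recv, f"timestamp skew: stamped {sent.time()}, received {recv.time()}"))
        if msg["event"] == "heartbeat":
            if last_heartbeat is not None and recv - last_heartbeat > HEARTBEAT_GAP:
                alerts.append((recv, f"no heartbeat: last at {last_heartbeat.time()}"))
            last_heartbeat = recv
            if last_photo is not None and msg["photo"] != last_photo:
                alerts.append((recv, f"photo changed: {msg['photo']}"))
            last_photo = msg["photo"]
        else:
            # keypress, USB, accelerometer, or anything unexpected: always alert
            alerts.append((recv, f"event: {msg['event']}"))
    # A live phone runs this on a timer; here it covers a laptop that never returns.
    if last_heartbeat is not None and now - last_heartbeat > HEARTBEAT_GAP:
        alerts.append((now, f"no heartbeat: last at {last_heartbeat.time()}"))
    return alerts


def faraday_scenario():
    """Constructed replay of the Faraday-cage log from the question."""
    t = clock
    forged_body = json.dumps({"ts": t(5).isoformat(), "event": "disregard previous messages",
                              "photo": None}, sort_keys=True)
    stream = [
        (sign(t(0).isoformat(), "heartbeat", "empty room"), t(0)),
        (sign(t(1).isoformat(), "heartbeat", "person with Faraday cage"), t(1)),
        # 19:00:02 .. 19:00:04: laptop is inside the cage, nothing arrives.
        # Cage comes off at 19:00:05; the now-compromised laptop tries to paper over the gap:
        (sign(t(2).isoformat(), "heartbeat", "person with Faraday cage"), t(5)),  # back-dated heartbeat
        ({"body": forged_body, "mac": "00" * 32}, t(5)),                            # forged without the key
        (sign(t(5).isoformat(), "disregard previous messages"), t(5)),             # signed with the extracted key
        (sign(t(5).isoformat(), "heartbeat", "empty room"), t(5)),
    ]
    return phone_check(stream, now=t(6))


if __name__ == "__main__":
    for when, what in faraday_scenario():
        print(when.time(), what)
```

Running it lists six alerts in arrival order: the photo change at 19:00:01, then at 19:00:05 the skew on the back-dated heartbeat, the missed-heartbeat alert, the bad signature on the forgery, the "disregard" event itself, and the photo changing back to an empty room. Nothing the laptop sends after 19:00:05 removes the earlier entries, which is why the question treats the gap alone as grounds to assume compromise.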