Less than an hour into a Tinder date in a Moscow restaurant last year, Patrick Wardle began to wonder about the laptop he'd left in his hotel room. Wardle had come to the city for a security meeting; as a former NSA staffer who'd worked in the elite hacking division known as Tailored Access Operations, he was paranoid enough to bring only a “burner” PC on his trip, carefully stripped of any sensitive data. But when his date told him she was a former employee of Russia's Ministry of Foreign Affairs, the issues became real for him: Had he been seduced out of his room so that someone could lay hands on that computer? And if so, would he ever know for sure?

Wardle never found evidence of tampering or malware on that burner machine. But he did keep thinking about so-called “evil maid” attacks, the classic security problem that computers are far more vulnerable to hacking when the attacker can get physical access to them. Like, say, in a hotel room, while the computer's owner is ordering appetizers on the other side of the Moskva River.

Now Wardle's making his own best effort to grapple with that evil maid problem: if not to solve it, at least to make the job much more difficult. This week at the RSA security conference, he's releasing Do Not Disturb, an app for Mac laptops that tries to detect physical access attacks with a dead-simple safeguard: If someone opens the lid of a MacBook running the tool, the app sends a notification to the owner's phone.

“The majority of ‘evil maid’ assaults require an active, awake computer,” Wardle says. “So Do Not Disturb operates on your Mac and monitors for lid-open events, which are kind of a generic precursor for a lot of physical-access attacks. If someone tries to break into your device, it alerts you.”

Do Not Disturb goes a step further than just the push notification. Using the Do Not Disturb iOS app, a notified user can send themselves an image snapped with the laptop's webcam to catch the perpetrator in the act, or they can shut down the computer remotely. The app can also be configured to take more custom actions like sending an email, recording screen activity, and maintaining logs of commands executed on the machine.

Owners of modern MacBooks with TouchID can disable Do Not Disturb with their fingerprint within a time window of a few seconds after opening the lid, to avoid setting off an alert every time they open their laptop. Wardle is releasing the Mac app for free, though his company Digita plans to charge a $9.99 annual subscription for the accompanying iOS app once it's approved for the App Store. Those who don't want to pay that can simply use the email notification feature instead.

‘If evil maids know there’s an app that might be monitoring this laptop, they’ll think twice.’

Do Not Disturb Creator Patrick Wardle

The Do Not Disturb lid-opening trigger, a suggestion Wardle credits to the pseudonymous security researcher known as the Grugq, certainly isn't a panacea for a computer falling into enemy hands. In fact, computer security professionals usually warn that if an attacker gains physical access to a computer, you should consider the device compromised. It's often possible, after all, to simply flip a closed MacBook over, unscrew the bottom of its case, and start messing with its hardware, even connecting its hard drive to a different computer to investigate its data.

But those sorts of intrusion methods are far less common, Wardle argues, than someone simply opening up a laptop and booting it from a USB drive to bypass its password protection, or even simply typing in a password captured from someone's keystrokes by a hidden camera in a hotel room.

“The typical physical access attack does require opening up the laptop,” says Thomas Reed, a Mac-focused researcher for security firm Malwarebytes. “Any kind of an evil maid attack that doesn’t is likely to be pretty rare and would probably require opening the case and tampering with the electronics inside.” Reed points out that anyone who's worried about physical access attacks should also enable FileVault disk encryption on their MacBook, and set a firmware password, too.

Wardle acknowledges that Do Not Disturb's notifications could also be blocked by disabling the Wi-Fi connection to the computer, or jamming them with a Faraday cage, though in those cases the tool could still gather evidence of the two attacks and store it on the laptop itself. But he highlights the fact that even if Do Not Disturb isn't a cure-all for evil maids, it still vastly raises the bar for anyone who wants to perform them undetected. “Any security tool has limitations and weaknesses, and anyone who tells you otherwise is trying to sell you snake oil,” Wardle says.

More importantly, Wardle's app, like another Android-based evil maid sousveillance tool released by the Freedom of the Press Foundation last year, creates serious problems for any stealthy physical access interloper that can't afford to be detected. By creating a risk that even a small fraction of computers will be running even basic evil maid detection software, Do Not Disturb forces any interloper to either risk detection or take the far more difficult and paranoid approach of breaking into a computer without ever opening its lid.

“Anything we can do to raise the bar helps. If evil maids know there’s an app that might be monitoring this laptop, they’ll think twice,” Wardle says. “If it makes these attacks more difficult in any way, I think that’s a win.”
