Skill: probably
Interest: Probably not
Source: Around the turn of the millennium, I enjoyed remote snooping on other people’s PCs for a short while. It was short because the contents of the PC of the average person turned out to be mind-numbingly boring.
One rule of thumb for cybersecurity is that if an attacker has physical control over your device for any period of time you should treat that device as if it is already compromised, because that is how generally easy it is to compromise something you have physical access to.
However, do you actually have reason to suspect your roommate of being an attacker? Just because they have a degree, a job, and maybe some level of skill doesn’t mean they have the motivation, lack of integrity, and criminal intent to actually carry out such an attack.
If you’re concerned about something like that, there are things you can do to mitigate risk, like setting startup passwords, using disk encryption, powering off devices you’re not actively using, and physically securing unattended devices. However, basically nothing you can reasonably do will stop a determined attacker if they live with you and thus have or can easily gain physical access to your devices.
Unlikely because computer science is not about cracking or security. It’s mostly maths and some programming.
You can buy a hardware keystroke recorder for a few bucks. Just plug it between keyboard and computer and it logs all inputs. Once they have the boot password (and maybe a bunch of others), installing malware and exfiltrating data is pretty straightforward. Doesn’t require a lick of IT knowledge either.
Bit more challenging on a laptop without external keyboard, but there are hardware solutions as well, though they’d require tinkering with your device.
Phones are harder to gain access to. Honestly if I wanted to get into your phone, I’d probably try to set up hidden cameras in spots where you are likely to enter your PIN (bed, toilet) somewhere under the ceiling and angled straight down. I’d probably try to switch the phone off as well any chance I got (long press the start button) so that you’d be forced to boot up and enter the PIN at any given opportunity to max my chances.
Actually hacking secure boot / accessing data from encrypted drives is beyond casual hackers, unless you don’t regularly update your devices and there are some active exploits published.
But seriously, low effort password sniffing is still the biggest vulnerability out there.
On the other side of this, I once had a co-worker who bought a keystroke recorder and attached it to his own computer.
The person who had been messing with his computer saw the mini camera he had set up but missed the keylogger. He was able to figure out who it was and what they were up to from that.
You shouldn’t live with someone you don’t trust.
Given it’s illegal, it’s very unlikely. Why go through all the effort of getting a degree (and presumably a job in the relevant field) to risk losing it all and a criminal conviction to snoop on your roommate? If you’re that paranoid, put BIOS passwords on your device and get a smart plug that’ll log whenever the device draws power.
It’s a gross approximation, but…
Your desktop or laptop computer is probably toast, your phone probably isn’t.
More secure is kinda too broad of a term but locked-down devices are naturally protected against tampering.
I place little value on someone’s educational experience anymore since a lot of this can be, and usually is, learned from nearly any place on the web or dark web.
It seems that for an evil maid attack to occur, someone would need to leave the device unattended, specifically with their admin/sudo account logged in so they can create the access they want later. That is, unless they discovered an exploit in the system that enabled them to gain that access by some other means.
The three best ways someone would be proactive against this attack are:
- never leave your device logged in and unattended without some sort of passcode system being necessary to get in and execute commands/programs.
- never leave “guest” accounts active on your device, even if they don’t have admin permissions. This can make it easier for someone to find other exploits to gain admin access.
- always separate your accounts. Have a dedicated account for admin level escalations and use it only for that purpose and nothing else. If an attacker is to somehow get your attention away and leave your device unattended, at least this leaves them with no admin access on your main account.
If you suspect your device has been compromised, the best thing to do is to shut down and disconnect from the network (unplug Ethernet cable and consider removing the WiFi card; even with the device powered off) and have a professional inspect it. I say that because even if you reinstall the OS or even get another OS, there’s no way to tell if something hardware was added to allow intrusion if we’re worried about physical access being compromised to the device.
That is not what I was saying at all.
Desktop computer: Installing a keylogger, for example, is cheap and requires skills like “can purchase a cheap and simple technical part” and “can plug in a USB”, which are skills you can assume a CS student will possess.
Laptop: Same, but have to open the laptop and install a less standard straightforward logger on the internal cable. This requires more effort and patience.
Phone: I have no idea, and I am a computer scientist who spends time thinking about this. I mean, all phones can be opened with corresponding equipment, and the touch screen is connected to the internal computer with a cable, but they differ in details per model and the space to work with is tiny. The research investment is significant and model dependent. Meaning, the effort cost is quite high and they’d need extremely strong motivation.
Depends how well encrypted your computer is. Your phone is probably fine, those are usually encrypted to hell by default.
Everybody has had some ideas for “Evil maid” attacks during their youth… so yes, it is super likely.
Honestly, regardless of their education and experience, if you have this concern about a person, you should get a new roommate, assuming there’s more to your question than just a hypothetical.
All the time, there are shitty significant others who install a keylogger or screen recorder to monitor their spouse, because they’re fucked up. A lot of the time, they don’t have any technical background, and are the equivalent of script kiddies. They do this because they’re shitty people, not because they have a degree in computer science.
I installed ophcrack to a USB flash drive and cracked my ex-gf’s Windows password. No special knowledge except I googled how to crack a Windows password. This was about 13 years ago though, no idea if that’s still a thing.
Nah, that was Windows XP, where the hard drive was not encrypted by default, and the password was stored in a hashed file on the computer itself, freely accessible via any boot stick. Actually cracking it still took some time (below 7 characters a few minutes, 7 about 1h, 8 chars up to 24h, longer… LONG). But if it was a common word, then a dictionary attack with a long enough word list (most word lists have like 400k words or so) would get it in seconds too.
The funny thing with Windows XP was that since none of the data was encrypted, you could simply delete the password hash and set a flag in the registry and you would boot right into Windows with no password at all, and were then prompted to set a new password. That hasn’t worked since Windows 7.
I’d be more worried about phishing the lab PCs