BIOS Penetrated / Question about Qubes OS on penetrated system

Hello fellow Qubes OS wizards,

I find myself in a challenging situation and would greatly appreciate your insights and suggestions regarding protecting Qubes OS on a laptop with a compromised BIOS. Due to certain circumstances involving national security services, I am unable to replace or acquire a new laptop at this time.

It has come to my knowledge that the laptop’s BIOS has been penetrated. It seems that one of the BIOS updates was tampered with, leading to downloads from a compromised address that appeared legitimate. This has raised concerns about the privacy and security of my system. While I have been relatively indifferent to casual information being monitored for quite some time, the ongoing nature of this situation has become overwhelming.

Considering the circumstances, I am contemplating the use of Qubes OS as a potential solution. With its virtualization capabilities, I am curious to know if it can provide a defense against prying eyes, even with a compromised BIOS. Specifically, I am interested in implementing a dual-boot setup where I can utilize Qubes OS as a separate operating system for my own activities.

Another area of concern is email privacy. I have noticed that my ISP typically shows Budapest as the location. However, there are instances where they create tunnels to different cities within Hungary, constantly changing their apparent location. It appears that through these tunnels, they are able to monitor activities. The location is changing without VPNs for various cities of Hungary. The issue is persisting for years. As the police, prosecutor and other branch of the Hungarian goverment use the job’s of national security services to give jobs and softwares to each others and their relatives or give access to politicians or other decesion makers - so they can tap down each other - so they can benefit from this.

In light of these circumstances, I am considering utilizing Qubes OS on this compromised computer to enhance my privacy and security. My understanding is that Qubes OS leverages virtualization to isolate tasks and applications into separate virtual machines (VMs). By setting up a dual-boot configuration, where I can use the compromised BIOS on the primary boot for regular tasks, and Qubes OS on the secondary boot for sensitive activities, I hope to achieve a more secure environment.

Specifically, I would like to know if Qubes OS, with its virtualization capabilities, can effectively defend against potential surveillance by adversaries with access to the compromised BIOS. Would running Qubes OS in a separate VM on this same computer provide a sufficient level of isolation and protection for my sensitive activities? They are more like business activies other things they can see maybe the prosecutor start working but I do not give a shot to them once again.

Furthermore, I have concerns about my email communications. My ISP consistently shows Budapest as my location as I live here, and I suspect that they employ tunnels through various cities in Hungary, rapidly changing and virtualizing their origins. For instances, the FB shows first Budapest, then it shows Kiskunhalas then it shows an another city again over a 20 minutes period. I fear that this setup allows them to monitor my activities and potentially grant access to their associates but personally a pre-installed VPN punch out this activities - they are not hackers but a specific softwares. Can Qubes OS help mitigate these concerns, especially with respect to email privacy and protection from such surveillance techniques? So if the VPN tunnel is established then from them if they can not monitor the base system, can it be secure again?

I greatly appreciate any insights, suggestions, or experiences you can share regarding this complex situation. Your expertise and guidance will be invaluable in helping me navigate these privacy challenges within the limitations I currently face.

Thank you all for your time and support!

Greetings from Hungary!

If you cannot trust the firmware on a bit of computing hardware, you cannot trust the hardware. Period. This is what’s responsible for loading later stages of the boot loader and OS, and, on a modern UEFI system, providing a range of other services.

If the firmware is compromised, and you cannot confidently recover it (an external reader/writer is a far better option than onboard flash utilities), the hardware is not trustworthy. Period.

No. Now, it may have some advantages in that it’s a weird, complex system that’s harder to parse than a typical OS. But it cannot defend against a compromised BIOS.


Maybe. You can do a range of VPNs with it, but it’s on you how you use them and how trustworthy the endpoints are.

Sell your laptop, obtain a better one, and start from there, though. You cannot trust a machine with a known-compromised BIOS.

If you seriously think that your device was hit
with a tampered BIOS, contact Citizen Labs and see if they
are interested in your device.

You mentioned that this computer is compromised then it means that we can not trust in that. We have bought in new condition. How is it possible that they reached the BIOS throughout net? Or is it already there and Telekom has done something with it?

Regarding this question that I think that if they change the official path of the Windows validation when we upgrade system then it is possible that they slide into the BIOS? Is it right ? Or what should I pay attention to the next laptop to avoid this? I think they can find it on MAC number as they see it and throughout this they may apply something? Is it right?

Thank you your answer. They simple entertain themselves with zero tolerant to others. There is not even a bit of national security related or other kind of issue what left is simple political organization related.

Thank you, I will.

I know somebody from the UK government and CA too, so may I keep the laptop and send them.
Not their official profile but they are helping if they see it advantages towards democratic criterias.
Thanks the answer.

And good name! :slight_smile:

If one lives in a place where bringing in a completely laptop modified to run Qubes, “Certified Laptop”

used to be suggested to -buy a used laptop, and their are how to’s on how to bring a Lenovo X-230, or X430, up to standard.

The upside being these older laptops are nearly affordable, a great deal is known on how to upgrade them. At least to restore the BIOS to what the manufacturer had.

The downside being, some of these are nearly at a time when they will not receive Intel Updates.