Can Qubes protect the user from a backdoor that resides in BIOS firmware and device drivers?

From some sources, I read that laptop hardware components contain backdoors.
This backdoor resides in the BIOS firmware, hardware component drivers, chips, and processors.
Also, there is telemetry and spying inside Nvidia GeForce.

If the backdoor resides in the BIOS, a chip, or the graphics card,
does it mean it can bypass all the security layers provided by Qubes
and directly see everything that happens inside a VM, including the vault VM?

If so, then maybe typing a password via an on-screen keyboard is more dangerous.

The solutions are to install a secure BIOS, such as coreboot, libreboot, or skulls,
but these secure BIOSes don't support all laptops, and the installation itself is not easy.

Sorry for the several questions, but it is important for Qubes and all users.

  • Is there any way for Qubes to protect us from this backdoor without installing a secure BIOS?
  • Can we capture the traffic related to these firmware backdoors and driver telemetry and block the IPs? And would that block the backdoor?
  • How do I see which driver is being used for the graphics card in dom0? nouveau?
  • How do I see which driver is being used for each hardware component?

Below are some statements from several references:

  • A hacker could trigger a feature of the chip that gives them full access to the operating system.
  • A microscopic hardware backdoor wouldn't be caught by practically any modern method of hardware security analysis.
  • A microscopic hardware backdoor could be planted by a single employee of a chip factory.
  • The backdoor is hidden in hardware rather than software.
  • Absolute's Computrace agent resides in the firmware, or ROM BIOS, of millions of laptops and desktops from manufacturers including Dell, Fujitsu, HP, Lenovo, Samsung, and Toshiba.

Below are some references (backdoors in BIOS firmware and chips):

Some references also mention that there is telemetry and spying inside Nvidia GeForce.

Background story:

Before Qubes, I was using Windows, and I was being targeted.

From the symptoms, I assumed that it was either a RAT (remote access trojan) or a keylogger,
because the targeter can see everything I do in my system,
including in offline software such as Notepad or Word.

I used several antivirus products to scan my system, but it was clean.
I manually analyzed each file and also sent reports for analysis, but it was clean.
I strengthened every security setting possible on Windows, but with no effect.

After wasting months of time, effort, and energy without any finding,
I assumed that maybe Windows had a backdoor, so I switched to Qubes.

On Qubes, I have never attached anything to dom0, sys-net, or sys-firewall.
I rarely even access dom0, except to copy screenshots to another VM.
I often use disposable VMs, and delete and recreate VMs whenever needed.
I created a vault VM, a VM with no internet, to store data, with three passwords to log in.
So I don't see any way for Qubes to be compromised or infected.

But I am still being targeted, and the targeter can see everything,
including any activity in the vault VM, as if the screen were shared.

Now, since Qubes is not compromised and it is not an OS backdoor,
the possibilities left are a backdoor related to the BIOS, firmware, Nvidia GeForce, or drivers.
So, what can we do to overcome this threat?

Please kindly help, and thank you.
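The two "which driver is in use" questions above can be answered from the output of `lspci -k`, which lists each PCI device with the kernel driver currently bound to it and the modules that could drive it. The script below is an added example written for this thread, not code from the original post or from the Qubes project. It parses a constructed `lspci -k` sample (the device names and slots are made up) and, when run on a real machine, calls the real `lspci -k`. Two things the parser surfaces that a quick glance misses: a device that lists `Kernel modules` but no `Kernel driver in use` has nothing driving it at all, and in Qubes dom0 a device that shows `pciback` as its driver has been handed to another qube (for example sys-net), so dom0 itself is not running that hardware's driver.

```python
"""Parse `lspci -k` output to see which kernel driver is bound to each PCI device.

Added example for this thread; assumes the standard `lspci -k` text layout
(device line, then tab-indented "Key: value" attribute lines).
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `lspci -k` output (not captured from a real machine).
SAMPLE_LSPCI_K = """\
00:02.0 VGA compatible controller: Example Corp Integrated Graphics (rev 02)
\tSubsystem: Example Laptop Device 1234
\tKernel driver in use: i915
\tKernel modules: i915
00:1f.6 Ethernet controller: Example Corp Gigabit Ethernet
\tKernel driver in use: e1000e
\tKernel modules: e1000e
01:00.0 3D controller: Example Corp Discrete GPU [GeForce-class] (rev a1)
\tSubsystem: Example Laptop Device 5678
\tKernel modules: nouveau
02:00.0 Network controller: Example Corp Wireless Adapter
\tKernel driver in use: pciback
\tKernel modules: iwlwifi
"""

# Slot with optional PCI domain prefix: [dddd:]bb:dd.f
DEVICE_RE = re.compile(r"^((?:[0-9a-f]{4}:)?[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]) (.*)$")

# Descriptions lspci uses for display hardware
GPU_CLASSES = ("VGA compatible controller", "3D controller", "Display controller")


def parse_lspci_k(text: str) -> Dict[str, dict]:
    """Return {slot: {slot, description, driver, modules}} from `lspci -k` text."""
    devices: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":          # a new device line
            match = DEVICE_RE.match(line)
            if not match:
                continue
            slot, description = match.groups()
            current = {"slot": slot, "description": description,
                       "driver": None, "modules": []}
            devices[slot] = current
        elif current is not None:          # attribute line of the current device
            key, _, value = line.strip().partition(":")
            key, value = key.strip(), value.strip()
            if key == "Kernel driver in use":
                current["driver"] = value
            elif key == "Kernel modules":
                current["modules"] = [m.strip() for m in value.split(",")]
    return devices


def graphics_devices(devices: Dict[str, dict]) -> List[dict]:
    """Devices lspci classifies as display hardware (the 'which GPU driver' question)."""
    return [d for d in devices.values()
            if any(d["description"].startswith(c) for c in GPU_CLASSES)]


def unbound_devices(devices: Dict[str, dict]) -> List[dict]:
    """Devices with no driver bound: modules may exist, but nothing is driving them."""
    return [d for d in devices.values() if d["driver"] is None]


def passed_through(devices: Dict[str, dict]) -> List[dict]:
    """Devices dom0 has given to another qube: Xen's pciback is the bound driver."""
    return [d for d in devices.values() if d["driver"] == "pciback"]


def live_devices() -> Dict[str, dict]:
    """Run the real `lspci -k` (e.g. in dom0) and parse it."""
    out = subprocess.run(["lspci", "-k"], capture_output=True, text=True, check=True)
    return parse_lspci_k(out.stdout)


def report(devices: Dict[str, dict]) -> List[str]:
    """One line per device: slot, bound driver (or 'none'), and candidate modules."""
    return [f"{d['slot']}  driver={d['driver'] or 'none':<10} modules={','.join(d['modules']) or '-'}"
            f"  {d['description']}" for d in devices.values()]


if __name__ == "__main__":
    devs = parse_lspci_k(SAMPLE_LSPCI_K)   # swap for live_devices() on a real host
    print("\n".join(report(devs)))
    print("GPUs:", [d["slot"] for d in graphics_devices(devs)])
    print("No driver bound:", [d["slot"] for d in unbound_devices(devs)])
    print("Passed through (pciback):", [d["slot"] for d in passed_through(devs)])
```

In the sample, the discrete GPU at 01:00.0 has `nouveau` available but nothing bound, so neither the free driver nor a proprietary one is running for it; the wireless card at 02:00.0 shows `pciback`, meaning the driver actually runs inside whichever qube it was assigned to, and that is where `lspci -k` would have to be repeated to see it.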

While I was using Qubes, my mouse cursor started moving on its own. I wasn’t touching anything. I figured no one would believe me so I reinstalled the whole OS. I believe what you are saying.

IMO Qubes can protect the user mostly from typical network threats, and it does it very well. So I'm talking about things like exploit kit links, weaponized documents, and all kinds of bad input and executables from untrusted remote sources. Another class of threats is malicious software, so things like hacked software ecosystems (python, perl etc.). If the Qubes AppVMs are properly configured, the user can be reasonably sure the malicious software cannot steal documents, install persistence etc.

So all these things are normal, everyday threat scenarios that are proven to happen.

But what Qubes cannot protect against are "NSA-tier" threats (zero-day Xen exploits, firmware worms etc.). I'm not a terrorist or high-profile political activist, or anything like that, so I don't care about that.

Have you thought about closing the curtains?

Did you search for “cursor moves randomly” or “cursor jumps” online? There usually is a trivial explanation to these things.

I am feeling a little like when reading about people spotting Jesus in a frying pan. Miraculous for some, hilarious for most people.

Sorry, if you're really being targeted by someone or living in an oppressive state, but random statements like "[they] can see everything" are as convincing as "I saw a UFO at night".
(Of course, that is just my personal opinion, I don’t mean to offend anybody :wink: )

The very short answer to your question:
No operating system can ever prevent BIOS backdoors.

And my personal opinion (with 20 years of IT security experience):
Targeted attacks can't be prevented by any IT solutions, ever.
IT security solutions can make successful attacks harder to achieve and cost more.
Because of this, non-targeted attacks may be mitigated. That's it, and no more.

And the reality is usually close to this joke:

For the best protection against firmware-based vectors I would say look into Heads firmware. But you specified you don't want to put in a custom BIOS. Without a chain of attestation from boot up, and a neutered ME, there is no real way to secure against firmware persistence (though one sort of workaround would be to install known-good factory firmware and then disable writes to the flash ROM by shorting out the WP (write protect) pin, and using Anti Evil Maid to protect your /boot using a TPM). Though ME would still be there …

At the very least I would say coreboot firmware is a requirement IMHO. It provides a decent firmware alternative and does have ME neutering and other features.

It is difficult to know you are being targeted by very sophisticated adversaries. Like you say, one way of identifying a compromise is to use some kind of network inspection, where actual egress on the wire from your machine is monitored at the network/router level and you can alert on unusual things. Security Onion springs to mind, or if you just want something quick / plug-n-play then there is a quick-n-easy, bargain-basement free NTOPNG docker image which I put together using a free nProbe alternative. Coupled with softflowd on OpenWRT/pfSense routers this will give you an idea of network flows and who is being talked to/from your suspected compromised machine.

For views on firmware vectors, this is good reading from Joanna … I'm less inclined to see EC as a vector (see here for why) but it's all good info!
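The flow-monitoring approach described in this post (softflowd on the router, flows exported to ntopng or similar) produces per-connection records rather than packet contents, so the useful questions to ask of them are "which destinations has this host never talked to before?" and "is anything calling home on a fixed timer?". The script below is an added example for this thread, not code from the poster's NTOPNG image, softflowd or the Qubes project. It works on a constructed CSV flow export (the column names `start,src,dst,dport,proto,bytes` are an assumption about how you would export from your collector; the addresses are documentation ranges, not real hosts) and implements two checks: destinations absent from a baseline captured during a known-quiet period, and beaconing, detected as a destination contacted repeatedly at near-constant intervals with small, similar-sized flows.

```python
"""Spot unknown destinations and timer-driven beacons in exported flow records.

Added example for this thread. Assumes a CSV export with the columns
start,src,dst,dport,proto,bytes (ISO timestamps); adapt the header to your collector.
"""
import csv
import io
import sys
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Set, Tuple

Dest = Tuple[str, int]

# Constructed flow export (documentation IP ranges, not real traffic).
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes
2024-03-01T09:00:00,192.0.2.10,198.51.100.20,443,tcp,185000
2024-03-01T09:03:12,192.0.2.10,198.51.100.21,443,tcp,92000
2024-03-01T09:10:00,192.0.2.10,203.0.113.7,443,tcp,640
2024-03-01T09:20:01,192.0.2.10,203.0.113.7,443,tcp,655
2024-03-01T09:27:45,192.0.2.10,198.51.100.20,443,tcp,310000
2024-03-01T09:29:59,192.0.2.10,203.0.113.7,443,tcp,630
2024-03-01T09:40:00,192.0.2.10,203.0.113.7,443,tcp,648
2024-03-01T09:41:30,192.0.2.10,198.51.100.53,53,udp,120
2024-03-01T09:50:02,192.0.2.10,203.0.113.7,443,tcp,661
"""

# Destinations seen during a known-quiet baseline window (constructed).
BASELINE: Set[Dest] = {("198.51.100.20", 443), ("198.51.100.21", 443), ("198.51.100.53", 53)}


def parse_flows(text: str) -> List[dict]:
    """Turn the CSV export into typed records."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.fromisoformat(row["start"]),
            "src": row["src"], "dst": row["dst"],
            "dport": int(row["dport"]), "proto": row["proto"],
            "bytes": int(row["bytes"]),
        })
    return flows


def group_by_destination(flows: List[dict]) -> Dict[Dest, List[dict]]:
    """Bucket flows by (destination IP, destination port)."""
    groups: Dict[Dest, List[dict]] = defaultdict(list)
    for f in flows:
        groups[(f["dst"], f["dport"])].append(f)
    return groups


def new_destinations(flows: List[dict], baseline: Set[Dest]) -> List[Dest]:
    """Destinations this host has never contacted during the baseline period."""
    return sorted(set(group_by_destination(flows)) - baseline)


def beacon_candidates(flows: List[dict], min_count: int = 4,
                      max_jitter: float = 0.2) -> List[dict]:
    """Destinations contacted >= min_count times at near-constant intervals.

    jitter = (longest gap - shortest gap) / mean gap; human browsing is bursty
    and scores high, a timer-driven check-in scores close to zero.
    """
    hits = []
    for dest, group in group_by_destination(flows).items():
        if len(group) < min_count:
            continue
        starts = sorted(f["start"] for f in group)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = (max(gaps) - min(gaps)) / avg_gap
        if jitter <= max_jitter:
            hits.append({"dest": dest, "count": len(group),
                         "period_s": round(avg_gap, 1), "jitter": round(jitter, 3),
                         "avg_bytes": round(mean(f["bytes"] for f in group))})
    return hits


def analyse(text: str, baseline: Set[Dest]) -> dict:
    """Run both checks over one export and return the findings."""
    flows = parse_flows(text)
    return {"new_destinations": new_destinations(flows, baseline),
            "beacons": beacon_candidates(flows)}


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FLOWS
    findings = analyse(data, BASELINE)
    for dest in findings["new_destinations"]:
        print(f"never seen in baseline: {dest[0]}:{dest[1]}")
    for hit in findings["beacons"]:
        print(f"beacon-like: {hit['dest'][0]}:{hit['dest'][1]} every ~{hit['period_s']}s "
              f"x{hit['count']}, jitter {hit['jitter']}, ~{hit['avg_bytes']} bytes/flow")
```

On the sample, the host's large downloads from the baseline addresses are ignored, while 203.0.113.7:443 is reported both as a destination not in the baseline and as beacon-like (five small flows about 600 s apart). A real export will include plenty of legitimate periodic traffic (NTP, update checks, mail polling), so the output is a worklist to triage against the DNS names behind those addresses, not a verdict; and because the records come from the router rather than the machine under suspicion, firmware or ME-level activity on that machine still shows up as flows.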

Exactly. So I am puzzled by the fact that no one questions this: “[they] can see everything, including any activity in vault VM, kind of screen shared.” I am sorry, but to me this sounds made up. “Screen shared” in a vault VM. What does that even mean?

I don’t doubt that backdoors and sophisticated people could spy on people, but if you’re that important/dangerous then I’d think that Zrubi’s joke is the cheaper and faster solution.

Lots of information is being obtained through phishing attacks, cloud hacks, trojan horses etc. (or a combination). I don’t know if backdoors like IntelME are relevant in attacks.

Re-install Firmware to computer.

Reinstall Router Firmware, from a secured (ha, ha, like anything is ever really secured) computer. Review the Router you are using for security problems.

Download and Reinstall Qubes.

Carefully reset Passwords.

I eventually plan to install an outgoing - Like the Mac OS “Little Snitch.”

If you are financially able.

Use Tor to get onto Internet.

Look at Alternate computer.

Qubes OS website. Certified Hardware link at bottom of page.

System 76.

Purism Librem. Maybe

Write up a set of rules of ways to do online activity. Things never to do. As you indicated, not open vault while online
Some of us would be glad to read such a list of rules.

I am curious. How do you know they can see _____. Letting you know what they can see sounds like ---- someone close? If they were truly evil, likely they would not let you know what they are seeing.

I do not disbelieve you though. Certainly possible.


I was just saying that there are a lot of other possibilities than being hacked.
If you’re convinced you have been hacked and you don’t even entertain the idea that it could have been something else, I’d call that prejudiced.

I find it ridiculous and tiresome, that every few days now someone is claiming to have been hacked without the tiniest piece of information. Was it a wireless mouse? Low batteries or other devices can lead to the cursor moving. It could be dirt messing with the sensor, it could be the surface and a thousand other things. But no, it can only be a hacker.

My example with the frying pan was just an analogy meaning that some people only see what they want to see. There is no point in trying to act logical.

I did write the opposite but …oh well. From what I am reading I guess you’re very young, so there is still hope. Good luck, I won’t try to argue with you any longer. Cheers!

People are so easily offended these days…

How did you exactly find out that the targeter could see everything on your system?

A wireless mouse could be intercepted and forced to move, but it does not (necessarily) mean that the whole system is compromised.

There are 2 people here who think their system was hacked. There is newbie, who thinks everything was hacked, and there is me, who isn’t sure they saw everything but now thinks the battery on my mouse was low.

@qubesn00b you are very welcome here and most of us are willing to help
and educate. Seventeen is very young. I remember being your age and I
too thought I had all the answers. I didn’t and still don’t. Not even
close. But I also hated being called young, so I get your reaction.
Maybe with some distance you can see how this little misunderstanding

@Raphael_Balthazar, myself and many others are annoyed by another user
posting every few weeks exposing nothing but their own enormous
ignorance. If they really get hacked every day they are doing
something very wrong. This is the place they could learn and improve but
instead they simply vomit incoherent nonsense and then move on until
next time.

That has nothing to do with you and it was probably not the best choice
to air that frustration in direct answer to you instead of the user who
really deserved that answer.

A rule of thumb:

If you see the cursor moving intentionally, clicking on menus, buttons
… then of course it is most likely you got hacked and powering off
immediately is a very good reaction. Also if something like this
happened to you everyone in this forum would want to know about it and
help you recover, protect and investigate. Very likely core team members
would give you their attention.

If however the cursor simply jumps around randomly or moves straight to
one corner or edge and then stays there… another explanation is more

In most cases an attacker will monitor and exfiltrate data without you
ever noticing anything. Your situation does very much sound like you
need Qubes OS and you should be very careful. Please continue to ask for


How did you exactly find out that the targeter could see everything on your system?

A short answer is, they will let me know,
kind of sending a hidden message, telling me
that I’m being stalked & watched.

One of the examples is,
sometimes I write a kind of diary in the vault VM,
fresh from my mind, into the vault VM,
so not a copy-paste from the internet.

Then the targeter will write the same thing,
sometimes exactly the same (comma and dot),
in their social media or chat app,
and it happens many times.

It also happens to other vault VM docs,
sometimes also related to my internet browsing.

@Sven sorry, in case my question is too ignorant

@newbie do you really think I meant you? I don’t.

If an attacker would control the management engine (ME), which runs on a
separate CPU executing its own Minix-based OS, they would be able to
intercept all input/output without the proper OS or CPU even being aware
of it.

Actually in its intended use it is very close to “screen shared” as it
allows a technician to completely remotely administer a machine even if no
OS is installed yet. That’s kind of the entire point of ME.


@Sven oh, okay, thanks, because I don’t want to annoy people who have worked really hard for privacy & security to exist on this planet

Maybe not (yet).

This makes me think about the entire iPhone/iOS NSO Group mess. In one
article they were aptly described as the “SpaceX of surveillance”. In
other words: they have brought economy of scale to something that was
previously only possible for very resourceful nation states. Now every
potbelly dictator can buy their services.

Maybe exploiting ME is possible? Maybe right now only a nation like the
US or China is able to pull it off? I have no idea.

What I do know:

  • there is another computer in my computer
  • it has access to all peripherals
  • it can run even when the computer is powered off
  • it runs proprietary code that was written by imperfect humans working
    for a for-profit enterprise and likely under deadline
  • my government insists on having an off-switch for it

If a nation state wants to spy on me they will. They don’t need the ME
for that. I am worried about the enterprising Cyber-criminal gaining or
having this capability while we all tell each other that it’s not really
a factor.

This makes me think about the entire iPhone/iOS NSO Group mess. In one
article they were aptly described as the “SpaceX of surveillance”.

I think that’s correct,
because my MacBook and Android phone are also being targeted,
with the same symptoms as my laptop,
but I’m not sure whether it is OS or NSA-tier.
I didn’t mention it before, because maybe it is off-topic.

If a nation state wants to spy on me they will. They don’t need the ME
for that.

That other computer in the computer, is it the ME? Or something else we know?
Or something else we don’t know?

@newbie wrote:

that another computer in computer, is ME