Can Qubes protect user from backdoor, that resides in BIOS firmware and device driver?

General Discussion
15

How did you exactly find out that the targeter could see everything on your system?

a short answer is, they will let me know,
kind of sending hidden message, telling me,
that i’m being stalked & watched.

one of examples is,
sometimes i write, kind of diary in the vault VM,
fresh from my mind, into the vault VM,
so not a copy paste from internet.

then the targeter will write, the same thing,
sometimes exactly the same (comma and dot),
in their social media, or chat app,
and it happen many times.

also happen to other vault VM docs,
sometimes also related to my internet browsing.

16

@Sven sorry, in case my question too ignorance

17

@newbie do you really think I meant you? I don’t.

18

If an attacker would control the management engine (ME), which runs on a
separate CPU executing it’s own Minix-based OS, they would be able to
intercept all input/output without the proper OS or CPU even being aware
of it.

Actually in it’s intended use it is very close to “screen shared” as it
allows a technician to completely remote administer a machine even if no
OS is installed yet. That’s kind of the entire point of ME.

1 Like
19

@Sven oh, okay, thanks, because I don’t want to annoy people, who have worked really hard, for privacy & security to be exist in this planet

20

Maybe not (yet).

This makes me think about the entire iPhone/iOS NSO Group mess. In one
article they where aptly described as the “SpaceX of surveillance”. In
other words: they have brought economy of scale to something that was
previously only possible for very resourceful nation states. Now every
potbelly dictator can buy their services.

Maybe exploiting ME is possible? Maybe right now only a nation like the
US or China is able to pull it off? I have no idea.

What I do know:

  • there is another computer in my computer
  • it has access to all peripherals
  • it can run even when the computer is powered off
  • it runs proprietary code that was written by imperfect humans working
    for an for-profit enterprise and likely under deadline
  • my government insists on having an off-switch for it

If a nation state wants to spy on me they will. They don’t need the ME
for that. I am worried about the enterprising Cyber-criminal gaining or
having this capability while we all tell each other that it’s not really
a factor.

:slight_smile:

6 Likes
26

This makes me think about the entire iPhone/iOS NSO Group mess. In one
article they where aptly described as the “SpaceX of surveillance”.

i think that’s correct.
because my Macbook and Android phone, also being targeted.
the same symptom as my Laptop.
but i’m not sure whether it is OS or NSA-tier.
i didn’t mention before, because maybe off-topic.

If a nation state wants to spy on me they will. They don’t need the ME
for that.

that another computer in computer, is ME ? or something else we know ?
or something else we don’t know ?

28

@newbie wrote:

that another computer in computer, is ME

Yes

29

just additional information from wiki

ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.

30

@sven Exploiting ME is not limited to nation states. Multiple exploits have been and are constantly discovered by various researchers. I know of 1 currently used in the wild atm.

@newbie, if you do not have iME neutralized simply use Nighthawk or something similar to check your system integrity. Also, if you are not involved in anything an APT group may consider problematic, then it’s unlikely you are being targeted. Who is this person posting social media post identical to your dairy in your VaultVM? Someone you know? Unlikely someone, who has the resources to compromise all your systems, would simply do it just to troll you.

I have been compromised several times using QubesOS, but i am also designated as an aggravated activist. Although, i always assume my daily systems are compromised, without system integrity checks i would feel a bit butt hurt.
Everyone who thinks high value targets can’t easily be compromised if they use QubesOS as their daily driver, needs to check themselves, before they wreck themselves.

1 Like
31

Like how? Is it remote exploit? I’d like to have some evidence

How exactly?

2 Likes
32

The one used in the wild atm is a local exploit (not to be confused with physical) of the AMT, so unless you have not neutralized ME and have AMT enabled (Which you actively have to do), I would not worry about that one.
If you are simply just looking for evidence for various remote, local or physical ME vulnerabilities just look at Intel’s security center advisories for known vulnerabilities. There are several ME vulnerabilities made public every year.

As to how i have been compromised, it would be bad opsec to reveal, given that i am still ‘dancing with the devil’.

33

Oh come on. If you want, you can describe the attack vector without revealing yourself. At lest vaguely, to give us some idea.

If my systems get compromised, I promise to publish absolutely every bit of it.

3 Likes
34

While I can understand your point here, if there is genuine evidence of this I would urge you to raise a security issue.

2 Likes
35

But please do not send anything to the official Qubes Security Team unless you can demonstrate an actual security vulnerability in Qubes OS. That email address is intended for responsible disclosure by security researchers and anyone else who finds a legitimate security vulnerability. It is not for anyone who suspects they’ve been hacked.

2 Likes
36

wild atm

what do you mean by wild atm ?

the accurate reason, why i’m being targeted ? i don’t know
since i think i could not answer, on behalf of my targeter.
i know assumption and opinion only, why they target me.

37

as for myself, i think the attack vector is NSA-tier.

i remember, one day i created new appVM + firefox + gmail + evernote
evernote is a simple cloud storage for notes.

because i forget my evernote password, so i need to reset, and get the temporary password from gmail.
i use a combination, of human readable words, to create no meaning sentence, for password.
then the targeter troll me, by posting my password, exactly the same, somewhere they sure I can see.

it happened 2 times, but the second time, i reset microsoft password, on my macbook.
Macbook + chrome + gmail + microsoft. Then they troll me the same way.

I read somewhere, that actually a website, can read password, we input, on another website, on next tab of our browser.

So, maybe the gap is also the next tab website.
Or also, since I have experienced NSA-tier backdoor many times, also I can assume it is NSA-tier.

My suggestion, the secure login, would be:

  • disable ME
  • vpn
  • always create new app VM, before login
  • always strong password + 2 factor authentication
  • don’t open another website at the same login VM

also, maybe another suggestion, i think that, most people, who decide to use Qubes, mostly are being targeted, or also stalking victim, since he is being targeted digitally, it means, the targeter also can see, whatever he posts in Qubes forum, so the targeter maybe dislike, and polluting the thread, but i worry, they also dislike and target the expert here. so if I can suggest, really we should focus on blocking the NSA-tier backdoor.

38

@Sven if not mistaken, your system is X230 + CoreBoot + Qubes ,
which is the same as Insurgo X230 privacy beast , isn’t it ?
so, can we consider yours as Insurgo ?

if you have disabled and neutralized ME,
then why did you say, a nation state still can spy on you ?

actually, it is a new term for me, “nation state”.
I search about nation state actor,
Nation state actor is a hacker, who works for government, and being tacitly supported by Government.
Is this what you mean by Nation State ?

1 Like
39

Seriously?

How about installing surveillance equipment in your home? What OS does your phone run? What other internet connected devices are in your environment? Do you live in an apartment? Who are your neighbors?

Got any new friends recently? Do you ever get drunk? Do you always have eyes on your computer?

If a guy an the street pulls you in a corner and starts beating your stomach… how long until you tell him whatever he wants to know?

Basically: xkcd: Security

But also: xkcd: Authorization

5 Likes
40

If you’re just wondering about the term “nation state”:

In a more general sense, a nation state is simply a large, politically sovereign country or administrative territory.

In the context of cybersecurity, it basically means an adversary with big-government-level power and resources. Some people hold the view that if such an adversary is determined to get to you, there’s practically nothing you can do.