Can Qubes protect user from backdoor, that resides in BIOS firmware and device driver?

imo, my thread is not under user support, or bug fix category, that requires closing,
but under discussion category, which is in my opinion, as a discussion,
it can pause or continue at any time,

i saw freedom-roadmap in purism website that inspires me,
which make me think that, we all are on the same path,
Qubes, Purism, Insurgo, Heads, Coreboot, AOSP, FOSS, etc
all are on the struggle to freedom, privacy, & security.

In my opinion, maybe in this struggle, at least, we need 5 types of activist:

  • security expert, to do research & development,
  • educator / influencer, to educate people,
  • law activist, to fight for data privacy & protection law,
    & prevent any law that are against human right.
  • supportive user; ie use, feedback, donate, etc
  • whistleblower to blow up, ie Snowden, or maybe, newbie like me, to speak up,
  • etc

so maybe, although i can only speak up,
but at least, i can share information to other activist,
ie. for expert to develop solution, or for educator as reference,
or for user to be aware about how important the security is.

Besides, my adversary has provoked, a lot of people, to watch my privacy,
which means, maybe they can see too, I’m writing this thread,
therefore, maybe can help to promote Qubes.

Also, by helping solving problem,
maybe also can improve the knowledge, information, & the solution itself.

I read in diagonal the content of this thread and wanted to clarify a couple of simple things, following some random risk assessment, costs of exploits to target random users and some normal paranoia when someone feels targeted, loosing sometimes common sense (not attacking anyone here).

  • The easiest attack to see remote content of screen is binoculars, where having chain of exploits to obtain persistence to dom0 and grasp screen content and exfiltrate would make a user really targeted.
  • random mouse movements is normally consequence of Bluetooth mouse battery dying, precise movement with point and clicks are a total different story, and filming those would be an interesting proof of anything. Most of the time, those proof lacking raise cynicism, for a reason. There is no way someone could not film those in 2022. And when that happens, cutting network and having the behavior stop at the same time could be considered proof.
  • Qubes should not be able to write to system BIOS nowadays. Simply because writing to BIOS requires IO access that Qubes doesn’t have from qubes (the qubes have really limited access to real hardware) and where dom0 being compromised would also need to have access to SPI IO (that would be iomem=relaxed at the very least) or physical access, which would be more probable otherwise again talking about chain of exploits to gain persistence.
  • People mix a lot of concepts, including open source firmware and absence of binary BLOBS. On that I will be really succint here, but there is no such thing with recent hardware that is Open source firmware without blobs AND compatible with Qubes OS. Qubes OS is compatible with x86, and x86 requires ME/CSME+FSP on Intel side or AGESA+PSP on AMD, without talking of blobs on SSD drives and Graphical cards. I hear you being positive about freedom-roadmap, but it is important to differenciate marketing speech from reality and this is difficult to digest. There is user-ownable hardware (kgpe-d16 being the only one I know that can boot Qubes OS without any binary blobs in firmware nor co-processor nor AGESA) where other open firmware enabled hardware are not supported by Qubes (Talos II is such platform, but has yet no Xen support). There is G505s, but without TPM nor enough SPI available flash space available and to be honest, that laptop is rare to get any hands on. Outside that there is older hardware with open source firmware (everything natively initialized, like the thinkpad X200 and similar) but those don’t meet Qubes Requirements (no hardware isolation : vt-d2). So the point here, at least to me, is to raise consciousness on the state of the actual hardware being produced and sold, so that people can be angry (and take action) about that and start to realize that without a clear stance and demands, that will not happen out of the blue and new hardware will be less and less user-ownable, controllable, repairable and most importantly, auditable.

So basically, there is multiple ways to deal with this. Some have been covered here and in so many other threads of this forum. I will retaliate some:

  • Your vault’s qube’s KeepassXC don’t have to show on screen passphrases that were generated. You could generate them and copy paste them without any visual of them ever being displayed. That is if your only threat is binoculars/shoulder surfing/recording and replay.
  • You could move around, hide yourself from plain sights and see if the threat is still present. Confirm that it is linked to a physical place or if it is linked to network access.
  • You should get a machine that permits you to own it yourself, learn how to flash that hardware and then externally verify the state of your own firmware and externalize proof of persistence.
  • Fresh install Qubes. Enable dom0 root volume snapshot on shutdown. Even multiple ones to keep multiple states you will be able to compare against from a filesystem content level. And report about them, and the content of scripts/binaries that were deployed without your consent.
  • Tightly monitor network traffic externally. “PCAP or it never existed” is still a valid saying even today. Having network traffic, even encrypted, while having only your vault vm open should be a real concern (that requires a bit of analysis and is not so easy to accomplish, but should be more then enough to show proof, outside of NTP traffic and repository related traffic from dom0 getting available updates from its defined updatevm).

Other than that, the only other path is to believe.
Believe you were hacked but not being able to prove it.
Or believing that by buying a new laptop you will be safer, for which UEFI proprietary firmware is the worst mess that ever existed in my opinion, and will protect you from your threat model.

Nowadays, firmware security is shifting toward attesting integrity of non-auditable blobs. Not really into open sourcing them anymore. Some open source EC controllers as part of their freedom-roadmap. Some continue to claim unattainable goals keeping their old roadmaps. But no-one can neuter ME/CSME, open source FSP/AGESA but AMD/Intel themselves, and they won’t.
I find this alarming, but to answer your OP question: Qubes should help protect users from backdoors that resides in BIOS and device firmware, yes. Even if Qubes can protect users against themselves, if you pass along untrusted content between computers, and execute/read such content in trusted environments, there is always a risk that some passed content exploited vulnerabilities in those trusted qubes can one day land where it shouldn’t. If you leave your computer unattended without having any security mechanisms in place to protect /boot and you are targeted, the lowest cost for an attacker is the evil-maid scenario. It is totally possible and quick to accomplish to replace /boot’s kernel xen and initrd files, as easy as it is to modify grub.cfg configuration to break Qubes offered security defaults, and even have something there that would get persistence on first run to compromise dom0. That would be, to me, the easiest way to compromise a target’s system and bypass Qubes security mechanisms: compromise Qubes boot process through physical access of unencrypted /boot content. Low cost, effective to gain persistence on next successful boot, compromising even qubes root volume (dom0) even after Qubes dom0 updates that would eventually remove tampered binaries, if not measured/verified prior of being executed.

2 Likes

@Insurgo thanks so much for your advice & information

if new hardware become less & less user-ownable, controllable, repairable, & auditable,
then what will be the future for Insurgo, Purism, Coreboot, Heads ?
what a pity if all the hard work become useless.

i use my laptop alone in my room, facing windows,
other sides are wall and cupboard,
checked many times, & could not find any binocular devices.

how about supply chain attack ?
in your opinion, is it possible that, compromised supply chain,
is able to give us, compromised version of Heads & Qubes,
while we download them, from correct source in the internet ?

But i had authenticated & verified, Heads & Qubes, before flashing / installing.
Although i read in Qubes documentation, saying that compromised device,
can give us correct authentication & verification, even if it is compromised.

if we have used Heads, can we be confident that,
there are no firmware backdoor anymore in the motherboard ?

last time i read in Coreboot mailing list,
saying that firmware can establish ad hoc connection,
with other firmware in other devices,
until it can find device with internet connection,
which is connected to other network,
then send data to internet via covert channel,
in your opinion, should i consider this vector since i have use Heads ?

I use network monitoring apps, such as net analyzer, network scanner, fing, etc,
to monitor modem, so i can see all devices currently connected,
then, when i disconnect my Heads Qubes laptop,
i can see that my device naturally disappear from the modem.

then i put all other devices inside signal blocking bag,
so now only my Heads Qubes Laptop & router modem,
then i disconnect laptop from wifi, & use vault VM, with no net VM,
to type several things,

but still they can see everything,
so i really cannot figure out where is the gap / backdoor,
do you have opinion, what can be the gap / backdoor ?

thanks a lot

@Brainhack @unman thanks a lot for your suggestion

if i understand it correctly, maybe, in short,
you suggest me to hide from supply chain attack / man in the middle attack ?

but in my opinion, we should be able, to find a way,
to protect ourselves, from supply chain attack, without hiding,

because, if we have to hide, from supply chain attack,
then how Purism, Insurgo, & Qubes developer, etc, also its server / repository,
protect itself from supply chain attack, in their development process ?
Assuming that everyone involved, in the development,
are working remotely, or maybe not at the same location,

in example,
Librem & Insurgo also need supply chain, to download Qubes & Coreboot / Heads,
Qubes developer also need supply chain, to download / deliver their work to server / repository,

Maybe by using authentication & verification,
we can protect system from supply chain attack,

but i read in the Qubes documentation,
saying that the compromised devices,
also can give us correct authentication & verification,
regardless the fact that it has been compromised.

Also, many famous people (ie. artist & politician), who cannot hide,
since everyone involved in the supply chain, also know them, wherever they go,
how do they protect themselves from supply chain attack.

before, i had tried to keep it simple, similar to what u suggested,
but then people naturally asked me, “how ”, “elaborate”, etc.
Therefore, since it has happened several times,
so now, i elaborate first, before being asked,

because, big possibility, that new computer,
will not be compatible yet, with coreboot / heads & qubes,
2 main solution for privacy & security,

also, the price of new computer is much higher,
& there is no guarantee, that it can survive from targeted attack.
So, i cannot waste, a lot of money, for something that is uncertain.

Besides, my income is not in a good shape,
because, i cannot allocate, all free time, energy, & focus,
on anything related to my job,
since, they have flood me with problem & trouble,
for almost 5 years, since 2018,
& the digital privacy invasion itself, since 2020.

yes, anyone know the name for this kind of attack ?

sometimes, i have the same assumption too,
but not sure how to describe it,
since maybe it cannot be categorized as,
side channel attack, covert channel attack, nor supply chain attack.

i know there is term “near field communication”,
but not sure, whether there are attack using NFC,
also, maybe not all devices can do NFC.

i read too, that it is technically possible, for firmware, in one device,
to establish ad hoc connection, with firmware in other devices,
until it can find device, with internet connection,
then use it, to send data to internet, via covert channel.
So maybe, it is a combination,
between secret adhoc network & covert channel attack.

But, since i have used heads,
then maybe we can eliminate this vector,
but, Heads still require ME,
also, there are other firmware in motherboard,

yes, correctly. in my opinion, nobody have time for revenge.
either me or my adversary, have wasted a lot of time, for not sure what reason.
rather i give them chance to fix mistakes, if they are okay, i just want:

  • give me back my privacy, to all of my electronic devices, which is basically my right, but definitely they have to tell me what backdoor they use to invade, so that i can apply solution. they can easily use any anonymous name & share in this thread for example.
  • stop stalking me either digitally or real life.
  • complete explanation what, when, how, who, why they do this to me
  • compensation for all disadvantages they do for almost this 5 years

but apparently they don’t want to, it looks like will be very hard for them,
if they can give me the 1st one only, actually good enough already,
although the rest are also make sense, in my opinion

@newbie why you say this? Think this on-topic but :confused:

You misunderstand.
I was giving you suggestions for small experiments to identify what vectors
of attack might be in play.

the question of protecting the supply chain from component to end user is
a different question,not relevant in this thread.

1 Like

The reason I said this, is that I don’t think it does anyone any good to use this thread as a ‘journal’ of sorts for various suspected indications of compromise that isn’t accompanied by anything else. I think the baseline of what the extent of believed compromise is has been established, and to keep a running tally & commentary of these instances actually serves to lessen your credibility.

I am aware that exactly what you have described happens, and I tend to believe you, but you have to spend more time considering the gap between what you have experienced and how another will perceive it. One of your biggest battles is in communicating and not losing people, and I don’t think you have considered this enough. Your communication also influences how people in the future will be perceived with similar complaints, so you aren’t just speaking for yourself in a sense.

Great response @Insurgo what is the most robust way to monitor traffic that is resistant to tampering? What should we be looking up to learn how to analyze this information and not self-report false positives.

Really the foremost point is, unless you have some highly sensitive activity you need to conduct online, you should remove your attachment to needing a digital vault, if your reports are accurate you are far behind the technical power curve in terms of resisting, and it might be more expense to you than gain to try and play cat and mouse in this way, where simply accepting your devices are compromised (which is a reality anyway on a certain level) and that in all reality it isn’t actually costing you much is a better place to land.

In the modern world you can’t really be invisible, you are just getting a direct experience of this, where most will live in a ‘blissful ignorance’.

2 Likes

Edited: contained part of a reply to another post. Deleted unrelevant part, sorry about that.

What I would do there is install tcpdump in the netvm that is receiving the traffic prior of encrypting it (there is no point really into capturing network traffic that is going upstream encrypted). It would not make sense either to capture traffic into vault since that machine is not having netvm normally.

So running tcpdump into sys-firewall or sys-net directly, recording file locally would be a start. Then qvm-move that file to a disposable vm where you install wireshark and then inspect the packet trace from it. The only assumption we can do here is that the traffic is going out of sys-net, but it would most probably be encrypted, and if many other connections are happening at the same time, it won’t be so easy to isolate either. It requires some kind of flattening of what is normal to find what is abnormal here… There might be covert channels at play. If “lucky” there would be a stream that is continuous when data is exfiltrating. But that might also be screenshots, everything is possible here, really… Down to data being exfiltrated by speakers…

As said previously, my way of dealing with this is by comparing states. Ideally having a point in time where things were good and compare what state we are in now to isolate source of compromise.

This thread is convoluted. The assumptions are that something is grabbing vault’s screen content somehow, and that content is somewhat exfiltrated by network. If we consider that vault has no netvm associated to it (as it should) then its screen content needs to have greater system compromise to exfiltrate content, so we imply dom0 compromise as well.
But to go on simpler possibilities again, there is nothing under Qubes that would prevent, as in any other monolithic OS, to capture vault’s “desktop” and sends its screen content online if vault has a netvm associated. First thing first, we take for granted that its not the case here. Then, if vault’s screen content is to be exfiltrated somehow, then dom0/sys-gui needs to be compromised somehow. And for that content to be exfiltrated, it needs a way to exfiltrate it. If its on the network, then in the present case, we also know that Heads is at play, and if Heads maximized builds were flashed, there is no ME at play (but a 98kb BringUP+RUMP payload that keeps the laptop functionning without AMT etc). So AMT binaries cannot be used to exfiltrate content on the network either. So there needs to be either network traffic happening when the exfiltration happen, or the laptop screen itself is filmed somehow. the other replies in this thread are going into isolating if the behavior is localized to the house (house compromised), or if the laptop is compromised. This is an important step into isolating what is happening here.

Anyway. Without other AppVM running, we expect a minimal of sys-net, sys-firewall to be running. In such circumstances with sys-whonix being shutdown (qvm-shutdown --force --wait sys-whonix from dom0 terminal), we expect the network traffic going through sys-net to be pretty low and limited. We expect sys-net to do some NTP traffic to sync time, appvms to check for updates after 5 minutes of uptime, after which nothing should really happen on the network. Making sure vault has no netvm should be verified first.

sys-net assuming we are under Fedora based sys-net

sudo dnf install tcpdump
sudo ip addr #Get the name of your upstream interface, mine is wls7)
sudo tcpdump -nneti wls7 -w ~/packettrace.pcap #Ctrl-C when done
qvm-move ~/packettrace.pcap #send to a dispvm or trusted appvm

If using a disposable sys-net, I have nothing against installing wireshark there temporarily instead of tcpdump above, and running wireshark directly on the uplink interface instead, this will show the traffic as it happens which might be of interest to understand visually what is happening. Note that installing applications on appvms will only be available through that session and will vanish when the vm is shutdown.

In disposable vm/trustable appvm, install wireshark and open the file
sudo dnf install whireshark
wireshark
Open the pcap from ~/QubesIncoming/sys-net/packettrace.pcap

Hope this helps a little into investigating network traces.

I documented elsewhere how to get dom0 multiple snapshots, but that is useful only to compare prior/after compromise. It is also to note that it is totally possible to clone qubes/templates and compare states through volumes snapshots, where Qubes keeps 2 states by default (lvm snapshots named *-back where * is epoch time (number of seconds since 1970), which can be passed to disposable VMs in read only to be compared through basic tools like meld.

Edit: dom0 snapshots also discussed under Dom0 backup/snapshot?

3 Likes

This was tackled in other forums posts and I won’t reiterate here once more. We collectively need to take a stance on what we accept and don’t, what we need outside the lesser evil of what is available. Search the forum for FSP(Intel)/AGESA(Amd), PSP(Amd)/ME/CSME(Intel) and blobs presence in firmware that exists nowadays and look for UEFI vulnerabilities or look at Low Level PC/Server Attack & Defense Timeline — By @XenoKovah of @DarkMentorLLC

This is another tricky question where nothing is totally perfect unless one is totally in control of the supply chain, which is something that doesn’t exist today, unless we go back in time and accept a regression into our user experience and go back to design board and apply concepts like what is brought by projects like precursor. On highly complex systems we daily use like a computer or a smartphone, supply chain attacks can happen at each layer of each component if they are not locked in and tamper evident seals are not apposed/similar idea is not apposed directly at the assembly line, and yet again, who can prevent someone on the assembly line to not swap one component with another without being noticed.

But if you talk about integrity of software, which firmware also is (software is everywhere, even in hardware) then Heads tackles the issue for the hardware it supports in the sense that it can be externally backuped for inspection and parts can be individually reflashed from within as well (A firmware image is an assembly of components, where the BIOS itself is just one region of it, ME is another etc). A little more can be found here on Heads matter: Upgrading Heads - Heads - Wiki

On Qubes+Heads, the recommended installation method is verified detached signed ISO.
To have been misled into downloading a wrong ISO, this would mean interception of HTTPS connection, or compromise of rsynced ISOs across mirrors of Qubes OS, and then having your own Heads installation compromised so that Qubes distribution signing key (which validates integrity+authenticity of ISO.asc/ISO.sig against downloaded ISO just like Qubes documents how to verify signatures. Heads simply automates the process and permits to boot directly from a downloaded iso, only if the iso is accompanied with a proper detached pgp signature (current iso file, current detached signature). Short version: to have Heads install a wrong iso (ISO supply chain issue alone here. Otherwise look into git commit signature for your other question on how to make sure developers working remotely are not having heir work intercepted on untrusted infrastructure, for which github is not trusted), Heads,downloaded iso and downloaded iso.asc would have needed to be compromised for it to be possible. Highly improbable.

But to go back to this thread once more. Can Qubes protect from backdoor in BIOS/devices?

Is my only relevant answer to this thread outside of how Qubes prevents compromise, permits auditability of compromise and recovery. That is on top of a firmware that can be audited and auditable. On top of a reasonably secure computer, that is. You computer has EC controller firmware, which Heads cannot reprogram (Lenovo BIOS updater can), SSD drive firmware. Of course, there is firmware as well into other peripherals in your computer, one of which is recommended to be replaced, which is your wifi card.

I would also second opening other threads then having this one being a mixed pot of everything FUD related, not truly addressing the numerous points you raised.

Qubes implements proper compartmentalization mechanisms for prevention, implements proper auditability base mechanisms and proper recovery bases through the technologies that it relies on. Each of those sub-sub-sub-subjects would deserve individual threads, otherwise this thread is becoming everything and nothing all at once and its pertinence is tending to none.

It goes to mouses moving alone, to housing compromise doubts to network monitoring, now leads to disk forensic, hardware choices, supply chain reality, desires for better, Heads, UEFI, alternatives, past/current/future hardware offering, coreboot terrain losses, Open firmware reality, ME/CSME neutering/deactivation etc. I am interested into those discussions, but I doubt this thread is the place to do so while many others are already existing and more specific to discuss those individually and the ones not existing would be the place to discuss those subjects instead of this thread.

1 Like

I would invite the OP (@newbie) to open other threads, pointing to the parts of discussions that were unaddressed/partly addressed. I would also invite the whole community, as Qubes OS forum participant, to open as many individual threads as needed and to try to stay on topic as much as possible to them. (Learning myself to stay on topic here, and I get it is not always easy.)

Otherwise, everyone wanting to help actually doesn’t and if the discussions slide to the point where it is absolutely impossible from a moderation perspective to efficiently split those discussions into relevant sub-topics for others to find relevant information easily, which is ultimately the goal of a forum like this one.

It might serve original posters alone, but doesn’t help the community as a whole and forces repetition from participants in other threads. It requires additional work from people who want to serve the forums goals to eventually quote themselves in other thread, more relevant being in topic, which unfortunately doesn’t happen often enough and pertinent information is lost since that actual work requires additional energy, some reply only by email (should be possible for all as a goal), etc.

Aho!

4 Likes

okay guys, deeply apologize for the mixed topics.
for next discussion, i will open new thread, or continue at related existing thread.

@KarlinQubes @Insurgo thanks for advice
@Insurgo thanks for all information, i need some time to digest.

So, basically we could’ve concluded the topic with such a subject in post #2 containing: No, it can’t.

@enmus maybe temporary, can’t

Hey Newbie,

Veteran investigator, researcher, and survivor with over a decade experience.
Questions for you, do you live in an apartment with close neighbors? Also, on the screenshots that they post of your screen you mentioned before, are they black and white or in color?
I would suggest you also take a look at tempest sdr as a threat vector just in case. Best way to describe it here would be as a wireless hdmi grabber but for any screen with emissions with some limitations but it does work on laptops and smartphones to some degree depending on their equipment.
In majority of cases social engineering with the goal of physical access to compromise your devices is also used in conjunction. Lock your devices up when sleeping or away.
The low hanging fruit thing is definitely a thing here however the caveat is you seem to be live streamed to many other random criminals and random people that may have stumbled upon a persons live stream hacked link as i have personally seen. Hence why some of them seem really slow in how they communicate with you while the attacks seems sophisticated, because its not one person… And some of those people may be inclined to join in and find their own low hanging fruits using the provided stream or join in with other objectives. Never was there a better way to empower criminals.

If you need more assistance you may get simplex chat and we can use that to communicate more anonymously just in case they can still see. You can send me your invite code when ready and i will confirm back on here its me.

And for those i briefly passed over skim reading this thread thinking who would bother just to do this to a random or “but they would just do the five dollar wrench”, know that this is organized crime utilizing random people for free labor that tries to present itself as anything else but. I recommend you watch some “fictional” movies like Welcome Home, Ratter, and Devils Due to familiarize yourselves although even these still don’t show the entire story. I have some victims that they were told its a serious hacker gang like Anonymous or a three letter agency doing good after framing their target however this not the case in the many times i have seen victims. Most cases ended up being corrupt private investigators or criminals that make a living framing people to further their careers or something on the side like black mailing, selling streams or revenge for hire on easy targets. They then use the general public as human shields to hide themselves so their crimes cannot be easily linked back to them while the random general public ignorantly join in. They may even have a connection to a corrupt cop or two in some cases.
You the victim, are the product. And they are not there to do anyone any favors or to protect anybody in any community. Always keep that in mind.

hi @Devils_Due0
it’s your 1st post, welcome to the community, thanks for your post.

do you know, how to protect from TempestSDR / wireless hdmi grabber ?

imo, they don’t prefer “five dollar wrench”, because,
their primary aim, is not my data, maybe that’s secondary,
but the primary aim is, to put me under surveillance, gang stalking, trolling, bullying, etc.

Hey Newbie,
yes i am agreeing with you that they dont need to do that as your stream and malicious surveillance is what their goal is because it facilitates the enabling of all manner of crimes through it. Their only exception is they cannot leave any evidence and if they accidentally do (i have seen them to do this to many) they will either break into your home to retrieve said evidence and plant something or do something to seriously frame you or just delete it off your devices as well. You have heard of the gateway drugs term, well i would call this a gateway crime. If they beat you up to manipulate you then they cannot guarantee use of the you are crazy defense because the event can possibly be used as evidence.

Yes there are ways to mitigate tempest but first i was hoping you would answer my questions to see if it can be ruled out. If you live in a home with no neighbors nearby it most likely can be ruled out but if in an apartment with a thin wall or two between you and your neighbors then there is a chance.
Easiest way would be to just wrap the device shells in copper or aluminum foil or a faraday fabric and use ethernet. Wrap the cable connecting to your monitor as well.
However this is absolutely not your only threat vector as i mentioned they layer tools used because it not one person. In fact another big one used is pegasus but not through just your sim card. It can actually be used through apps as well such as popular messaging apps that start with W. Also there is even the Fog Reveal program that does not even require a warrant and if you are being framed up and slandered I’m sure a PI can even make use of it. Consider familiarizing your with forged legal requests as well. So the take away here is try not to use apps and just use your vanadium browser when possible and if you must have apps then use a separate device you can compromise for them.
Preferably one without a microphone id say.

i prefer solution, that can be applied anywhere, either home or apartment,
but actually, both are the same, either home or apartment,
everyone have neighbors, & are separated by wall.

then, how do this TempestSDR work ?
how it can target specific devices, while there are many devices around ?

if it is the easiest way, then do you mean there are other way / solution ?

do u mean burner phone / cellular phone ?
means, not a smart phone, but cellular phone only, i.e. Nokia 105

yes, I use it for my sim card, so i can separate sim card, from my smart phone,
since, I refer from some sources, that sim card, also can be used, as an attack vector,
for example: 1, 2, 3, etc

but, in my experience, the “coincidences” also happen,
between my activity, on my burner phone, with short videos app, that i often use,

if u read the previous post, in this thread, then u know that,
too many coincidences, has happened, between some offline Qube / VM / device,
with displayed 1-5 videos, in short video app, that i often use.

i rarely use my burner phone, except for SMS and alarm clock,
& i also rarely use SMS & alarm clock.
My burner phone can set 5 different time for alarm.

related to my burner phone / cellular phone, then this “coincidence” happen,
each time i set time for alarm, on my burner phone,

  • then the short videos app, will display video, about setting alarm on phone,
  • even once, it displayed video, about alarm setup, with 5 different time,
    which is exactly the same, as my burner phone,
  • the alarm short video “coincidence”, always happen,
    after i setup alarm, on my burner phone only.

If this indeed happens, I’d go to the police immediately!

A few things to note. Reporting to police was shockingly indifferent. Those who did not feel too far framed up or did not care if they looked crazy to report it were responded back with “we do not have the resources at this time to pursue this matter” or focusing on murders and crimes with more substantial evidence. Victims that keep persisting and even reported this to three letter agencies then had that government department push it down to the local police who replied the same yet again. Then, even when the victim pushes a government agency to be involved with it without local police and they agree after persistence, they are still waiting years later for something, anything.

I would still recommend making a report as soon as you can even if nothing will come out of it. Just in case you are framed later on or you suddenly stumble upon some evidence you can use against them and they take unforeseen actions against you.

I do not know which stage of this you are in however it is important to know the right question to ask to arrive at the right answer. So regardless of which stage you are dealing with the most important thing is to secure your main environment that you sleep in first. Countering a threat vector thats like a back door does nothing if your front door is wide open and will just cause you and any one helping you confusion on its remedy.

Social engineering to gain physical access will always remain one of the most effective means and one of the first avenues of attack to your devices. If you have not already always check every night that all your doors are fully locked without fail. You can even place cheap door sensors that alarm if opened and i would recommend door sensors that send a notification to your phone as well mixed in with it for when you are out. Secure your windows and any other possible points of entry. If you think someone may have a copy of your keys then add an additional lock like deadbolts and wifi lock entry in addition to what you already have for when you are out. Get a secure safe to store items while you sleep or are out. And be mindful of everyone you bring into your home. You would be completely shocked at how easily a landlord can be manipulated into being given entry to your place. In one of many cases the land lord just wanted to hook up with a victims woman and that was enough to get them to join in. They are not there to help anyone, trust me. Always consider them a possible threat.

Now that you secured your environment, you can begin working towards other mitigations. If you permanently live in an apartment then there is a chance for Tempest. Tempest works on both keyboards and screens. It does make a very big difference whether you are at an apartment or not because they may not even be using tempest if you live in a home. Then you would be doing all this for nothing.

A home has less chance of usage because the walls it must go through are very different than a single thin wall between interior units. Furthermore there is all the interference on the outside between the homes. Even sunlight can be interference. In addition, the higher floor you live in will have different and should be lower interference than a floor level.

The three variables you want to focus on to protect you are distance, emission shielding, and interference. I will not focus on how to deploy Tempest for usage. Below i will list randomly what comes to mind to help mitigate.

I already mentioned the easy copper foil tape, aluminum tape before, it takes multiple layers. Use black tape on your final layers if you don’t want it so shiny and standing out. Move where you usually use your devices often. There is also something called Filtered Fonts you can install that make the software harder to lock on to readable characters in your screen. I would also recommend cutting cardboard to fill in your windows and putting copper tape over the cardboard. If you dont want to look that crazy with that then just buy those strong window sunlight UV blocker films that have some silver in them. Direct line of sight helps them get better signal as well so try to mitigate anything with direct line of sight this way even though it can work through certain walls. Switching screen resolutions and hertz once a while can also make them work a little for it. Metal is your friend, focusing on metal furniture doesn’t hurt. Magnets can also help with emissions. Put ferrites on your video cables. Water from a fish tank doesn’t hurt either. Don’t want to bother with fish, then just get fake fish and work in front of a fish tank with just water in it. Radio and EMF jammers also work but can be illegal so i wont recommend it.

One i would recommend on the interference level is running some heavy device with high power usage like fans or crypto mining and having multiple of the same devices although i know these can be cost prohibitive. You can then cycle between keyboards and devices every few days or so so it takes them time to lock into it.

Sim is definitely an attack vector and its a good idea to keep your main phone sim free and use signal or some voip on it. Pull out the microphones and cameras on your second phone you use sim on and you can put the compromising apps on it too. Treat apps as an attack surface.

One other thing i will mention different from this that i have seen utilized is using your homes telephone/DSL line compromised to use it as a microphone. It is called an infinity bug and widely used even if you do not have a home phone or use DSL, they will. Especially if you are framed.