Can Qubes protect user from backdoor, that resides in BIOS firmware and device driver?

Before, I had tried to keep it simple, similar to what you suggested,
but then people naturally asked me, "how?", "elaborate", etc.
Therefore, since it has happened several times,
now I elaborate first, before being asked,

because there is a big possibility that a new computer
will not yet be compatible with coreboot / Heads & Qubes,
the 2 main solutions for privacy & security.

Also, the price of a new computer is much higher,
& there is no guarantee that it can survive a targeted attack.
So I cannot waste a lot of money on something that is uncertain.

Besides, my income is not in good shape,
because I cannot allocate all my free time, energy, & focus
to anything related to my job,
since they have flooded me with problems & trouble
for almost 5 years, since 2018,
& with the digital privacy invasion itself since 2020.

Yes, does anyone know the name for this kind of attack?

Sometimes I have the same assumption too,
but I am not sure how to describe it,
since maybe it cannot be categorized as
a side-channel attack, a covert channel attack, or a supply chain attack.

I know there is the term "near field communication",
but I am not sure whether there are attacks using NFC;
also, maybe not all devices can do NFC.

I read too that it is technically possible for firmware in one device
to establish an ad hoc connection with firmware in other devices,
until it can find a device with an internet connection,
then use it to send data to the internet via a covert channel.
So maybe it is a combination
of a secret ad hoc network & a covert channel attack.

But since I have used Heads,
maybe we can eliminate this vector;
but Heads still requires ME,
and there is also other firmware on the motherboard.

Yes, correct. In my opinion, nobody has time for revenge.
Either I or my adversary have wasted a lot of time, for I am not sure what reason.
Rather, I give them a chance to fix mistakes; if they are okay, I just want:

  • give me back my privacy on all of my electronic devices, which is basically my right, but definitely they have to tell me what backdoor they used to invade, so that I can apply a solution. They can easily use any anonymous name & share it in this thread, for example.
  • stop stalking me, either digitally or in real life.
  • a complete explanation of what, when, how, who, and why they did this to me
  • compensation for all the disadvantages they have caused me for almost these 5 years

But apparently they don't want to; it looks like it will be very hard for them.
If they can give me the 1st one only, that is actually good enough already,
although the rest also make sense, in my opinion.

@newbie why do you say this? I think this is on-topic but :confused:

You misunderstand.
I was giving you suggestions for small experiments to identify what vectors
of attack might be in play.

The question of protecting the supply chain from component to end user is
a different question, not relevant in this thread.

1 Like

The reason I said this is that I don't think it does anyone any good to use this thread as a 'journal' of sorts for various suspected indications of compromise that aren't accompanied by anything else. I think the baseline of what the extent of believed compromise is has been established, and to keep a running tally & commentary of these instances actually serves to lessen your credibility.

I am aware that exactly what you have described happens, and I tend to believe you, but you have to spend more time considering the gap between what you have experienced and how another will perceive it. One of your biggest battles is in communicating and not losing people, and I don’t think you have considered this enough. Your communication also influences how people in the future will be perceived with similar complaints, so you aren’t just speaking for yourself in a sense.

Great response @Insurgo. What is the most robust way to monitor traffic that is resistant to tampering? What should we be looking up to learn how to analyze this information and not self-report false positives?

Really the foremost point is, unless you have some highly sensitive activity you need to conduct online, you should remove your attachment to needing a digital vault, if your reports are accurate you are far behind the technical power curve in terms of resisting, and it might be more expense to you than gain to try and play cat and mouse in this way, where simply accepting your devices are compromised (which is a reality anyway on a certain level) and that in all reality it isn’t actually costing you much is a better place to land.

In the modern world you can’t really be invisible, you are just getting a direct experience of this, where most will live in a ‘blissful ignorance’.

2 Likes

Edited: contained part of a reply to another post. Deleted the irrelevant part, sorry about that.

What I would do there is install tcpdump in the netvm that is receiving the traffic prior to encrypting it (there is no point really in capturing network traffic that is going upstream encrypted). It would not make sense either to capture traffic in vault, since that machine normally does not have a netvm.

So running tcpdump in sys-firewall or sys-net directly, recording the file locally, would be a start. Then qvm-move that file to a disposable vm where you install wireshark, and then inspect the packet trace from it. The only assumption we can make here is that the traffic is going out of sys-net, but it would most probably be encrypted, and if many other connections are happening at the same time, it won't be so easy to isolate either. It requires some kind of flattening of what is normal to find what is abnormal here… There might be covert channels at play. If "lucky", there would be a stream that is continuous when data is exfiltrating. But that might also be screenshots; everything is possible here, really… Down to data being exfiltrated by speakers…

As said previously, my way of dealing with this is by comparing states: ideally having a point in time where things were good, and comparing what state we are in now to isolate the source of compromise.

This thread is convoluted. The assumptions are that something is grabbing vault's screen content somehow, and that the content is somehow exfiltrated over the network. If we consider that vault has no netvm associated with it (as it should), then exfiltrating its screen content needs a greater system compromise, so we imply dom0 compromise as well.
But to go back to simpler possibilities: there is nothing under Qubes that would prevent, as in any other monolithic OS, capturing vault's "desktop" and sending its screen content online if vault has a netvm associated. First things first, we take for granted that this is not the case here. Then, if vault's screen content is to be exfiltrated somehow, dom0/sys-gui needs to be compromised somehow. And for that content to be exfiltrated, it needs a way to exfiltrate it. If it's on the network, then in the present case we also know that Heads is at play, and if Heads maximized builds were flashed, there is no ME at play (but a 98kb BringUP+RUMP payload that keeps the laptop functioning without AMT etc). So AMT binaries cannot be used to exfiltrate content on the network either. So there needs to be either network traffic happening when the exfiltration happens, or the laptop screen itself is filmed somehow. The other replies in this thread are going into isolating whether the behavior is localized to the house (house compromised), or whether the laptop is compromised. This is an important step in isolating what is happening here.

Anyway. Without other AppVMs running, we expect a minimum of sys-net and sys-firewall to be running. In such circumstances, with sys-whonix being shut down (qvm-shutdown --force --wait sys-whonix from a dom0 terminal), we expect the network traffic going through sys-net to be pretty low and limited. We expect sys-net to do some NTP traffic to sync time, and appvms to check for updates after 5 minutes of uptime, after which nothing should really happen on the network. Making sure vault has no netvm should be verified first.

In sys-net (assuming a Fedora-based sys-net):

sudo dnf install tcpdump
sudo ip addr # Get the name of your upstream interface (mine is wls7)
sudo tcpdump -nneti wls7 -w ~/packettrace.pcap # Ctrl-C when done
qvm-move ~/packettrace.pcap # send to a dispvm or trusted appvm

If using a disposable sys-net, I have nothing against installing wireshark there temporarily instead of tcpdump above, and running wireshark directly on the uplink interface instead. This will show the traffic as it happens, which might be of interest to understand visually what is happening. Note that applications installed in appvms will only be available through that session and will vanish when the vm is shut down.

In the disposable vm/trustable appvm, install wireshark and open the file:
sudo dnf install wireshark
wireshark
Open the pcap from ~/QubesIncoming/sys-net/packettrace.pcap

Hope this helps a little into investigating network traces.

I documented elsewhere how to get multiple dom0 snapshots, but that is useful only to compare prior/after compromise. It is also worth noting that it is totally possible to clone qubes/templates and compare states through volume snapshots, where Qubes keeps 2 states by default (lvm snapshots named *-back, where * is epoch time (number of seconds since 1970)), which can be passed to disposable VMs read-only to be compared through basic tools like meld.

Edit: dom0 snapshots also discussed under Dom0 backup/snapshot?

3 Likes
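To turn the sys-net capture described above into the baseline comparison Insurgo mentions (short NTP bursts versus a continuous outbound stream), here is an added example that is not from the thread or from any Qubes tooling: a stdlib-only Python summariser that reads a tcpdump pcap and flags long-lived outbound flows. The sample capture, the addresses (10.137.0.5, 192.0.2.10, 198.51.100.7) and the thresholds are constructed assumptions.

```python
"""Summarise outbound flows in a tcpdump capture from sys-net (added example).
Stdlib only, so it runs in a disposable VM without extra packages. Assumes a
classic libpcap file with Ethernet frames, as `tcpdump -w` writes; the sample
capture below is constructed, not recorded."""
import socket
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}

def parse_pcap(data):
    """Yield (timestamp, frame) pairs from classic pcap bytes (magic a1b2c3d4)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def flow_key(frame):
    """Return (src, dst, dport, proto) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in PROTO_NAMES or len(frame) < 14 + ihl + 4:
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
    return src, dst, dport, PROTO_NAMES[proto]

def summarise(data, local_ip):
    """Aggregate frames sent by local_ip into per-destination flow statistics."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in parse_pcap(data):
        key = flow_key(frame)
        if key is None or key[0] != local_ip:
            continue
        f = flows[key[1:]]  # keyed by (dst, dport, proto)
        f["packets"] += 1
        f["bytes"] += len(frame)
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
    for f in flows.values():
        f["duration"] = f["last"] - f["first"]
    return dict(flows)

def suspicious(flows, min_duration=300.0, min_packets=50):
    """Flag long-lived, steadily fed flows; a quiet sys-net should only show short bursts."""
    return sorted(k for k, f in flows.items()
                  if f["duration"] >= min_duration and f["packets"] >= min_packets)

def _frame(src, dst, proto, dport, payload_len):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed, checksums zeroed)."""
    hdr_rest = 16 if proto == 6 else 4  # remaining TCP (20) or UDP (8) header bytes
    l4 = struct.pack("!HH", 40000, dport) + bytes(hdr_rest + payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + l4

def build_sample_pcap():
    """Constructed capture: three NTP queries, plus a 10-minute outbound TCP stream."""
    base = 1700000000
    packets = [(base + i * 64, _frame("10.137.0.5", "192.0.2.10", 17, 123, 48))
               for i in range(3)]
    packets += [(base + i * 5, _frame("10.137.0.5", "198.51.100.7", 6, 443, 1200))
                for i in range(120)]
    packets.sort(key=lambda p: p[0])
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # For a real trace: summarise(open("packettrace.pcap", "rb").read(), "<sys-net ip>")
    flows = summarise(build_sample_pcap(), "10.137.0.5")
    for key, f in flows.items():
        print(key, f["packets"], "pkts", f["bytes"], "bytes", round(f["duration"]), "s")
    print("suspicious:", suspicious(flows))
```

The NTP queries are a few packets over two minutes and pass; the 120-packet, ten-minute stream to port 443 is flagged, which is the "continuous stream" shape worth opening in wireshark first.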

This was tackled in other forum posts and I won't reiterate here once more. We collectively need to take a stance on what we accept and don't, and what we need outside the lesser evil of what is available. Search the forum for FSP(Intel)/AGESA(Amd), PSP(Amd)/ME/CSME(Intel) and blob presence in firmware that exists nowadays, and look for UEFI vulnerabilities, or look at Low Level PC/Server Attack & Defense Timeline — By @XenoKovah of @DarkMentorLLC

This is another tricky question where nothing is totally perfect unless one is totally in control of the supply chain, which is something that doesn't exist today, unless we go back in time and accept a regression in our user experience, go back to the design board and apply concepts like what is brought by projects like precursor. On the highly complex systems we use daily, like a computer or a smartphone, supply chain attacks can happen at each layer of each component if they are not locked in and tamper-evident seals (or a similar idea) are not applied directly at the assembly line; and yet again, who can prevent someone on the assembly line from swapping one component with another without being noticed?

But if you talk about integrity of software, which firmware also is (software is everywhere, even in hardware), then Heads tackles the issue for the hardware it supports, in the sense that it can be externally backed up for inspection and parts can be individually reflashed from within as well (a firmware image is an assembly of components, where the BIOS itself is just one region of it, ME is another, etc). A little more can be found here on Heads matters: Upgrading Heads - Heads - Wiki

On Qubes+Heads, the recommended installation method is a verified detached-signed ISO.
To have been misled into downloading a wrong ISO, this would mean interception of the HTTPS connection, or compromise of the rsynced ISOs across mirrors of Qubes OS, and then having your own Heads installation compromised so that the Qubes distribution signing key (which validates integrity+authenticity of ISO.asc/ISO.sig against the downloaded ISO, just like Qubes documents how to verify signatures) is bypassed. Heads simply automates the process and permits booting directly from a downloaded iso, only if the iso is accompanied by a proper detached pgp signature (current iso file, current detached signature). Short version: to have Heads install a wrong iso (ISO supply chain issue alone here; otherwise look into git commit signatures for your other question on how to make sure developers working remotely are not having their work intercepted on untrusted infrastructure, for which github is not trusted), Heads, the downloaded iso and the downloaded iso.asc would all have needed to be compromised for it to be possible. Highly improbable.

But to go back to this thread once more. Can Qubes protect from a backdoor in BIOS/devices?

My only relevant answer to this thread, outside of how Qubes prevents compromise, permits auditability of compromise and recovery, is this: that is on top of a firmware that can be audited and is auditable, on top of a reasonably secure computer, that is. Your computer has EC controller firmware, which Heads cannot reprogram (the Lenovo BIOS updater can), and SSD drive firmware. Of course, there is firmware as well in other peripherals in your computer, one of which is recommended to be replaced, which is your wifi card.

I would also second opening other threads rather than having this one be a mixed pot of everything FUD-related, not truly addressing the numerous points you raised.

Qubes implements proper compartmentalization mechanisms for prevention, implements proper auditability base mechanisms and proper recovery bases through the technologies that it relies on. Each of those sub-sub-sub-subjects would deserve individual threads, otherwise this thread is becoming everything and nothing all at once and its pertinence is tending to none.

It goes from mice moving alone, to housing compromise doubts, to network monitoring, and now leads to disk forensics, hardware choices, supply chain reality, desires for better, Heads, UEFI, alternatives, past/current/future hardware offerings, coreboot terrain losses, Open firmware reality, ME/CSME neutering/deactivation, etc. I am interested in those discussions, but I doubt this thread is the place to do so while many others already exist that are more specific to discuss those individually, and the ones not existing would be the place to discuss those subjects instead of this thread.

1 Like

I would invite the OP (@newbie) to open other threads, pointing to the parts of discussions that were unaddressed/partly addressed. I would also invite the whole community, as Qubes OS forum participant, to open as many individual threads as needed and to try to stay on topic as much as possible to them. (Learning myself to stay on topic here, and I get it is not always easy.)

Otherwise, everyone wanting to help actually doesn’t and if the discussions slide to the point where it is absolutely impossible from a moderation perspective to efficiently split those discussions into relevant sub-topics for others to find relevant information easily, which is ultimately the goal of a forum like this one.

It might serve original posters alone, but doesn't help the community as a whole and forces repetition from participants in other threads. It requires additional work from people who want to serve the forum's goals to eventually quote themselves in other threads, more relevant being on topic, which unfortunately doesn't happen often enough, and pertinent information is lost since that actual work requires additional energy, some reply only by email (should be possible for all as a goal), etc.

Aho!

4 Likes

Okay guys, I deeply apologize for the mixed topics.
For the next discussion, I will open a new thread, or continue in a related existing thread.

@KarlinQubes @Insurgo thanks for the advice.
@Insurgo thanks for all the information, I need some time to digest it.

So, basically we could’ve concluded the topic with such a subject in post #2 containing: No, it can’t.

@enmus maybe temporarily, it can't

Hey Newbie,

Veteran investigator, researcher, and survivor with over a decade of experience.
Questions for you: do you live in an apartment with close neighbors? Also, on the screenshots that they post of your screen you mentioned before, are they black and white or in color?
I would suggest you also take a look at TempestSDR as a threat vector, just in case. The best way to describe it here would be as a wireless HDMI grabber, but for any screen with emissions, with some limitations, but it does work on laptops and smartphones to some degree depending on their equipment.
In the majority of cases, social engineering with the goal of physical access to compromise your devices is also used in conjunction. Lock your devices up when sleeping or away.
The low hanging fruit thing is definitely a thing here; however, the caveat is you seem to be live streamed to many other random criminals and random people that may have stumbled upon a person's hacked live stream link, as I have personally seen. Hence why some of them seem really slow in how they communicate with you while the attacks seem sophisticated, because it's not one person… And some of those people may be inclined to join in and find their own low hanging fruits using the provided stream, or join in with other objectives. Never was there a better way to empower criminals.

If you need more assistance you may get SimpleX Chat and we can use that to communicate more anonymously, just in case they can still see. You can send me your invite code when ready and I will confirm back on here that it's me.

And for those I briefly passed over skim reading this thread, thinking who would bother just to do this to a random person, or "but they would just do the five dollar wrench", know that this is organized crime utilizing random people for free labor that tries to present itself as anything else but. I recommend you watch some "fictional" movies like Welcome Home, Ratter, and Devil's Due to familiarize yourselves, although even these still don't show the entire story. I have seen victims who were told it's a serious hacker gang like Anonymous, or a three letter agency doing good after framing their target; however this is not the case in the many times I have seen victims. Most cases ended up being corrupt private investigators or criminals that make a living framing people to further their careers, or something on the side like blackmailing, selling streams or revenge for hire on easy targets. They then use the general public as human shields to hide themselves so their crimes cannot be easily linked back to them, while the random general public ignorantly join in. They may even have a connection to a corrupt cop or two in some cases.
You, the victim, are the product. And they are not there to do anyone any favors or to protect anybody in any community. Always keep that in mind.

Hi @Devils_Due0
It's your 1st post, welcome to the community, thanks for your post.

Do you know how to protect from TempestSDR / wireless HDMI grabber?

IMO, they don't prefer the "five dollar wrench", because
their primary aim is not my data; maybe that's secondary,
but the primary aim is to put me under surveillance, gang stalking, trolling, bullying, etc.

Hey Newbie,
Yes, I agree with you that they don't need to do that, as your stream and malicious surveillance is what their goal is, because it facilitates the enabling of all manner of crimes through it. Their only exception is they cannot leave any evidence, and if they accidentally do (I have seen them do this to many) they will either break into your home to retrieve said evidence and plant something or do something to seriously frame you, or just delete it off your devices as well. You have heard of the term gateway drugs; well, I would call this a gateway crime. If they beat you up to manipulate you then they cannot guarantee use of the "you are crazy" defense, because the event can possibly be used as evidence.

Yes, there are ways to mitigate Tempest, but first I was hoping you would answer my questions to see if it can be ruled out. If you live in a home with no neighbors nearby it most likely can be ruled out, but if in an apartment with a thin wall or two between you and your neighbors then there is a chance.
The easiest way would be to just wrap the device shells in copper or aluminum foil or a faraday fabric and use ethernet. Wrap the cable connecting to your monitor as well.
However, this is absolutely not your only threat vector; as I mentioned, they layer the tools used because it's not one person. In fact another big one used is Pegasus, but not through just your SIM card. It can actually be used through apps as well, such as popular messaging apps that start with W. Also there is even the Fog Reveal program that does not even require a warrant, and if you are being framed up and slandered I'm sure a PI can even make use of it. Consider familiarizing yourself with forged legal requests as well. So the takeaway here is try not to use apps and just use your Vanadium browser when possible, and if you must have apps then use a separate device you can compromise for them.
Preferably one without a microphone, I'd say.


I prefer a solution that can be applied anywhere, either home or apartment,
but actually both are the same, either home or apartment:
everyone has neighbors, & they are separated by a wall.

Then, how does this TempestSDR work?
How can it target specific devices, while there are many devices around?

If that is the easiest way, then do you mean there are other ways / solutions?

Do you mean a burner phone / cellular phone?
That means not a smart phone, but a cellular phone only, i.e. Nokia 105.

Yes, I use it for my SIM card, so I can separate the SIM card from my smart phone,
since I refer to some sources that say the SIM card can also be used as an attack vector,
for example: 1, 2, 3, etc.

But in my experience, the "coincidences" also happen
between my activity on my burner phone and the short videos app that I often use.

If you read the previous posts in this thread, then you know that
too many coincidences have happened between some offline Qube / VM / device
and the 1-5 videos displayed in the short video app that I often use.

I rarely use my burner phone, except for SMS and the alarm clock,
& I also rarely use SMS & the alarm clock.
My burner phone can set 5 different times for the alarm.

Related to my burner phone / cellular phone, this "coincidence" happens
each time I set a time for the alarm on my burner phone:

  • then the short videos app will display a video about setting an alarm on a phone,
  • once it even displayed a video about alarm setup with 5 different times,
    which is exactly the same as my burner phone,
  • the alarm short video "coincidence" always happens
    only after I set up an alarm on my burner phone.

If this indeed happens, I’d go to the police immediately!

A few things to note. Reporting to police was met with shocking indifference. Those who did not feel too far framed up, or did not care if they looked crazy reporting it, were responded to with "we do not have the resources at this time to pursue this matter", or focusing on murders and crimes with more substantial evidence. Victims that kept persisting and even reported this to three letter agencies then had that government department push it down to the local police, who replied the same yet again. Then, even when the victim pushes a government agency to be involved with it without local police and they agree after persistence, they are still waiting years later for something, anything.

I would still recommend making a report as soon as you can even if nothing will come out of it. Just in case you are framed later on or you suddenly stumble upon some evidence you can use against them and they take unforeseen actions against you.

I do not know which stage of this you are in; however, it is important to know the right question to ask to arrive at the right answer. So regardless of which stage you are dealing with, the most important thing is to secure the main environment that you sleep in first. Countering a threat vector that's like a back door does nothing if your front door is wide open, and will just cause you and anyone helping you confusion on its remedy.

Social engineering to gain physical access will always remain one of the most effective means and one of the first avenues of attack on your devices. If you have not already, always check every night that all your doors are fully locked, without fail. You can even place cheap door sensors that alarm if opened, and I would recommend mixing in door sensors that send a notification to your phone as well, for when you are out. Secure your windows and any other possible points of entry. If you think someone may have a copy of your keys then add an additional lock like deadbolts and wifi lock entry in addition to what you already have, for when you are out. Get a secure safe to store items while you sleep or are out. And be mindful of everyone you bring into your home. You would be completely shocked at how easily a landlord can be manipulated into giving entry to your place. In one of many cases the landlord just wanted to hook up with a victim's woman, and that was enough to get them to join in. They are not there to help anyone, trust me. Always consider them a possible threat.

Now that you have secured your environment, you can begin working towards other mitigations. If you permanently live in an apartment then there is a chance for Tempest. Tempest works on both keyboards and screens. It does make a very big difference whether you are in an apartment or not, because they may not even be using Tempest if you live in a home. Then you would be doing all this for nothing.

A home has less chance of usage because the walls it must go through are very different than a single thin wall between interior units. Furthermore, there is all the interference on the outside between the homes. Even sunlight can be interference. In addition, the higher the floor you live on, the more different, and it should be lower, the interference compared with ground level.

The three variables you want to focus on to protect you are distance, emission shielding, and interference. I will not focus on how to deploy Tempest for usage. Below I will list randomly what comes to mind to help mitigate.

I already mentioned the easy copper foil tape and aluminum tape before; it takes multiple layers. Use black tape on your final layers if you don't want it so shiny and standing out. Move where you usually use your devices often. There is also something called Filtered Fonts you can install that makes it harder for the software to lock on to readable characters on your screen. I would also recommend cutting cardboard to fill in your windows and putting copper tape over the cardboard. If you don't want to look that crazy with that, then just buy those strong window sunlight UV blocker films that have some silver in them. Direct line of sight helps them get a better signal as well, so try to mitigate anything with direct line of sight this way, even though it can work through certain walls. Switching screen resolutions and hertz once in a while can also make them work a little for it. Metal is your friend; focusing on metal furniture doesn't hurt. Magnets can also help with emissions. Put ferrites on your video cables. Water from a fish tank doesn't hurt either. Don't want to bother with fish? Then just get fake fish and work in front of a fish tank with just water in it. Radio and EMF jammers also work but can be illegal, so I won't recommend it.

One I would recommend on the interference level is running some heavy device with high power usage like fans or crypto mining, and having multiple of the same devices, although I know these can be cost prohibitive. You can then cycle between keyboards and devices every few days or so, so it takes them time to lock into it.

SIM is definitely an attack vector and it's a good idea to keep your main phone SIM-free and use Signal or some VoIP on it. Pull out the microphones and cameras on the second phone you use the SIM on, and you can put the compromising apps on it too. Treat apps as an attack surface.

One other thing I will mention, different from this, that I have seen utilized is your home's telephone/DSL line being compromised to use it as a microphone. It is called an infinity bug and is widely used; even if you do not have a home phone or use DSL, they will. Especially if you are framed.

If police related, then I'm not sure whether "coincidence" can be considered as evidence.

Both the burner phone & short video app, and also other devices (laptop, smart phone, etc),
are all made by big tech, which are in other, different countries,

so in my opinion, the police don't have enough capacity to do such an investigation,
while at the same time they also have a lot of cases on their hands
which are within their capacity.

Besides, if it indeed happens, then IMO the actor behind it must be someone in power.

Also, we can refer to Snowden's revealed information / leaks,
and after we know all the truth, then what can the world do to solve the problem?
It seems not much, until there are solutions that really can solve the issue.

So the best I can do is to report my experience to the community, that this thing happens,
whether people believe it or not, because unfortunately I only have "coincidence" as evidence,
with the expectation of building awareness, so we may have a stronger standpoint
& effort to build solutions that respect user freedom.

But at least, so far, I have tried a burner phone / cellular phone,
an air-gapped Linux laptop, a Heads Qubes laptop, GrapheneOS,
and all have failed, and the "coincidences" still happen.
Or indirectly speaking, without my experience, we would never know
that those solutions fail to protect our freedom & privacy,
but only if the attack happens at the same degree as what I experience.

My neighbors and I are separated by a wall & distance.

It takes very specific and expensive equipment to attack someone from that range when they live in a separated, isolated home at that distance. Try metal taping one of your phones to test and confirm for yourself. You should be able to tell very quickly, or not, from all their comments, but it's not very likely in that type of environment, though also not impossible.

I would look at who is handling all your mail to your front door, literally, in that case. This makes the most sense, especially given you had an air gapped computer. They may very well have compromised the air gapped device before it reached your front door, and it's unknowingly sending out signals. Get a cheap CC308+ scanner and leave it next to your air gapped device. It should show no signals. Additionally, you may as well metal tape layer that PC if it's supposed to be air gapped anyways. Couldn't hurt, and if the scanner sees signals coming out of it when it's supposed to be in basically airplane mode, that's a pretty big giveaway.

Get another mailing address or P.O. box and order a new device that way and test that. Also be mindful of anything you plug into your devices. A delivered USB, webcam, keyboard, accessory, you ordered could very well be a source of compromise as soon as you plug it in as well.

Keep in mind your main threat model is social engineering. Assume your credit card usage is being monitored, and any out of the normal visits and interactions from any company they claim to be from may play a role. The level of the social manipulation will vary depending on how far you have been framed. The more they can frame you, the more support they get from everyone else from all walks of life. This is how they ensure their control over you without you even understanding its extent.

And I know it should be a given, with what I said about securing your home environment first to start properly testing, but there can always be a chance someone you live with, even family, may be part of it, unfortunately. Hence why I say lock up your devices when they are not in front of you while conscious/awake.