Can Qubes protect the user from a backdoor that resides in BIOS firmware and device drivers?

Still related to my story above, does anyone know how to explain it?

Finally, I have been using Heads, Qubes, & VPN for several weeks, maybe 1 month.
Also I have the TikTok app on my Android phone, and many other apps.
TikTok is an app supplying us with an unlimited amount of short videos; you can keep scrolling.
Which short videos are displayed is random, and based on the TikTok algorithm.
My laptop and Android phone are connected to the same WiFi, but have never connected to each other.
Then, within these several weeks of Heads, Qubes, VPN,
these are what happened:

My newly self-created Qubes VM names were being displayed in TikTok.
Sometimes it was mentioned in the caption, the username, or also in the content.
And it always happened in between the 1st to 5th short videos, or sometimes the 1st to 10th.
And also the timing: for example, after being busy with 1 VM, then touching TikTok,
then that VM name would be displayed in TikTok.
I’m sure that the name I chose for the Qubes VM will not easily appear somewhere else.
It has happened 5 times, to 5 different VM names.

Also, a word that I typed in the vault VM appeared as content in TikTok, at the same timing.
It happened 1 time.

A file that I deleted in another VM: the filename appeared as content in TikTok, at the same timing.
Happened 1 time.

I have a Whonix VM, just for the Telegram messaging app.
Then, I removed one Telegram group, because the group was discussing a topic that I think I don’t need at the moment.
Then that topic appeared in TikTok.
Happened 1 time. At the same timing.

An outstanding, or eye-catching, word I read in Telegram also appeared in TikTok.
Happened 1 time. At the same timing.

I use Whonix and Tor Browser, also using anonymous search engines,
such as Startpage, SearX, MetaGer, and always open pages anonymously;
then what I searched also appeared in TikTok.
Happened 1 time. At the same timing.

And all happen at the same timing, always after the laptop, then touching TikTok.
And all always appear in between the 1st - 5th short videos, or sometimes the 1st - 10th,
within these several weeks of Heads, Qubes, VPN, or maybe 1 month.

Does anyone know how to explain what has happened, and where the leak is?
Could it be the VPN app? But I don’t use VPN for the Whonix and vault VMs.
Any idea how to strengthen the security?

These are just a few examples that happened on my Heads Qubes VPN laptop;
the same things also happen on other laptops and phone devices,
also on my GrapheneOS phone,
with a similar story.

That’s creepy, indeed.

Check your monitor for an HDMI grabber. Do you live alone? Does someone have access to your hardware? What OS version of Android is running on your phone?

And keep in mind: a stalker is actually a very pitiful person. Doesn’t have a life of their own. Probably no life at all.

And this is actually not your problem.

And something I hope to cheer you up with: in the TV show Mr. Robot, the main character quickly understood that his sister put an HDMI grabber between his monitor and his HDMI cable:

Every good hacker has been hacked at least one time. Unfortunately I can’t find on YouTube what Elliot does next, but in a disposable VM without uplink that wouldn’t have been a problem. :grin:


Within these 3 days, since the last time I wrote,
creepy things continuously happened again:

  • after using a Qube VM on my laptop,
    then touching the short video app on my Android phone,
    the Qube VM name was displayed in the short video. Happened once.
  • connecting a Qube VM on my laptop to a VPN server in a random country A,
    then a short video related to country A was displayed on my Android phone.
    Happened once.
  • Using the Whonix VM Tor Browser to search something,
    then my telecom company sent me an SMS with the 1st word exactly the same as my search keyword in the Tor Browser. Happened once.
  • chatting about a topic with my friend in a chat app in the Whonix VM,
    then a short video related to that topic was displayed on my Android phone.
    Happened once.
  • Writing a doc in the vault VM,
    then the doc filename was displayed in the short video app on the Android phone,
    at the same timing, after the laptop then touching the phone. Happened once.
  • Using the IntelliJ IDE in a VM to develop something,
    then the method name I created was displayed in the short video app on my Android phone. Happened once.

I think the adversary, the stalking ghost,
can see “live” all activity on all of my electronic devices;
then they take some keywords from the activity
and trigger them into the algorithm of those short video apps,
just to haunt, troll, and force me to give them attention.

Yes, I think so. They judge & punish me, without my knowing what my mistake is.
I have written a long clarification message about what the mistake may be,
but it seems nobody cares, and the judgment and punishment keep going on.

What bothers me is, actually my adversaries are not experts at all in this IT stuff,
but whatever attacks / targets me is, imo, at the skill level of a nation state.
So imo, they got help from nation-state-level hackers.
If it’s true, then I don’t know why the nation state is willing to abuse their power
and waste their time to attack me;
I’m just an ordinary random person from a random country,
who is being judged & punished for a mistake that nobody knows what it is,
& definitely not law based.

I don’t find any HDMI grabber attached anywhere. Can it be a hidden device?
But nobody has access to my hardware.
I live alone in a room, but with family in the house.

All devices are targeted:

  • 1 laptop: Heads + Qubes
  • 1 Mac & 1 laptop (Qubes, no Heads)
  • 1 air-gapped old laptop
  • several Android phones
  • 1 GrapheneOS phone
  • 1 Raspberry Pi
  • 2nd-hand old BlackBerry, never connected to the internet
  • also my parents’ Android phone

Is anybody here being accessed by my adversary?
Please kindly tell me, so I also can tell my version of the story,
so you can have both sides of the story.
Consider that there are 3 versions of the story: my version, their version, & the truth.
You can tell me anonymously in this thread, which is also okay I think, so you can protect your identity.

I have spent almost 3 years, since January 2020, the 1st time I knew I was being hacked & targeted, struggling with IT privacy & security; so sad that until now I still have not succeeded.

Don’t jump to early conclusions. Most attackers go for low-hanging fruit. That’s why I asked about the HDMI grabber and your Android OS version.

Now, that could very well be a coincidence, couldn’t it? I wouldn’t attach too much meaning to it.

You could try the following:
switch from a smartphone to a plain old mobile phone (there are 30-50 USD Nokia phones around) or at least uninstall all apps on your smartphone except the one most essential messenger (Facebook, WhatsApp, Threema, whatever) you use. We spend far too much time with our smartphones anyway, and that might not be very healthy after all. All those apps trigger our dopamine system and keep us hooked. There are better things to hook your dopamine system to, e.g. 4 years of college with a major and minor you really like. Anyway, switching off your smartphone eliminates one backchannel.

In case I haven’t written that before: it’s not your fault. No need for apologies.

burp

My adversaries use coincidences as an alibi
to inform me about their privacy invasion;
too many codes / signals, packaged as coincidence,
are being sent to me via SMS, email, video app algorithms, also people around me.
So if we perceive it as coincidence, then they are,
but made-up / fake coincidence, not natural.

The coincidences have happened too many times,
so many that it makes me lazy to note them anymore;
last time I noted them one by one.

It sounds like “covering our eyes so that we don’t see the ghost”,
but covering our eyes will not remove the ghost,
the same as stopping watching the news so that we don’t see bad news;
it doesn’t remove the fact that the bad news has happened.

In my case, imagining what happens in the background, then 2 things happen:
1st is privacy invasion,
2nd is, the adversary uses the information from the privacy invasion to troll me via those apps.
So removing those apps will only solve the 2nd issue, but doesn’t solve the 1st issue.

Compared to my productive time, it is not much.

I have used Heads, Qubes, VPN, and Whonix;
so far as I know, there is no other solution that can be more secure than these.
But still they can invade the security.

So, imo, if we don’t solve this issue,
then does it mean that all the work, effort, time, energy, and contribution
of all the developers behind these security systems become useless?

I think what you experience cannot be reproduced, so it’s impossible to fix it.
You probably need some live support, which would examine your hardware on the spot.
From what I can tell, you won’t find help here for the reasons above, and what you are saying doesn’t confirm that anything mentioned is not secure.

Can we see some screenshots, any kind of evidence except your words?


@newbie please read @sven’s post again.

It is much more likely that an adversary targets low-hanging fruit.

Anyway, if you ask for technical help, please provide Wireshark captures of the network traffic which you believe is exfiltrating data. This could be interesting, but as long as this stays at the level of guessing in the wild, it is not.

These 2 days, creepy things also happened:

  • yesterday, on my Heads Qubes laptop, I scanned the vault VM with a Linux antivirus;
    the vault VM has no NetVM, and also the laptop was disconnected from WiFi.
    While waiting for the scan to finish, I used the MacBook to check my email inbox;
    then there was an email from another antivirus vendor offering antivirus.
    The email came at almost the same minute I scanned the vault VM.
  • today I used the vault VM to type a short doc, on my Heads Qubes laptop;
    the vault VM has no NetVM, and also the laptop was disconnected from WiFi.
    After typing the short doc, I played around with 2 short video apps on my Android phone,
    then the doc name was displayed in those 2 short video apps.

Yes, I think we cannot reproduce it; maybe only the adversary knows how to produce it.

If I screenshot my activity on the Heads Qubes laptop,
then screenshot the “coincidence” that happens in the short video apps on the Android phone,
or the “coincidence” in the email inbox or SMS,
then it also explains nothing but “coincidence”.
Besides, if the adversary knows that I screenshot,
then maybe they will not give me the “coincidence”.

Maybe a nice idea, but I don’t know anyone expert enough to examine around me.
I can disassemble and assemble the laptop only, but I’m not sure how to examine it.
Do you know how to examine the hardware? Could you give me some tips?

Yes, I have tried hard to find hidden surveillance equipment in my room & house,
but I couldn’t find one, other than these laptops and smartphones themselves.
It seems you know a lot about surveillance equipment, i.e. HDMI grabbers;
could you tell me what sort of low-hanging fruit you may know of?

Some “coincidences” have happened between the vault VM on the Heads Qubes laptop
& short video apps, email, SMS on other devices, at the same timing.
The vault VM has no NetVM, and the laptop was disconnected from WiFi,
so installing Wireshark in the sys-net VM probably will not capture any traffic.

In your opinion, which part is compromised?
The OS or template?
Or maybe me_cleaner doesn’t really clean the Intel ME?
Or maybe other firmware in the hardware?

Can your router run wireshark?

Just a guess: your android phone.

I am not sure, but I use another way to monitor the modem,
via some Android apps, such as Net Analyzer, Network Scanner, Fing, etc.

While I disconnect my Heads Qubes laptop from WiFi,
I can see my device naturally disappear / disconnect from WiFi
via those network scanning Android apps.

So if I run Wireshark on the router,
I think it will not capture any suspicious traffic from my Heads Qubes laptop,
because the adversary knows what I did
in the vault VM, without a NetVM, while it was not even connected to the WiFi.

So my assumption is, maybe the attack is using a covert ad hoc network,
via some firmware backdoor in the hardware (not sure which),
assuming that we trust Heads & Qubes.

As for the mobile phone, I have come to the conclusion that
no mobile phone is secure from active surveillance;
I made the conclusion when I knew my GrapheneOS Pixel was compromised.
Hearsay: GrapheneOS is the most secure open source Android.

The first thing I did after installing GrapheneOS on the Pixel
was installing a VPN, with auto-connect and kill switch set up,
so it will always be connected via VPN.

Then creating multiple users in 1 GrapheneOS,
each user for a different purpose / app,
although I know, if not mistaken,
in GrapheneOS each app is sandboxed;
also I use VPN for all users.

For each user’s settings, I use the most secure settings possible;
then I only use FOSS apps, with no trackers & no anti-features.

I don’t use a SIM card in my Pixel,
since some security experts say that
the SIM card & baseband modem contain security threats,
so I connect to WiFi only.

Then, still it is compromised. How do I know?

  • I use 1 user to install and use a note app, which is FOSS with no tracker & anti-feature; also I chose a note app which doesn’t require an internet connection. Also, in another user, I use a Telegram client to join many Telegram groups, for discussion purposes.
  • Then the doc name / note name I created in the note app is being used as an anonymous name by someone in the Telegram group, the group that I often visited at that time, and he / she showed up at the same timing, after I created and saved the doc / note.
  • I typed in English in the note app, also using English as the note name / doc name, but the Telegram group is using another language, not English; then this anonymous user, using my doc name as an anonymous name, mimicked my English style in the doc / note to type English in the Telegram group, while the group itself is not using English.
  • one day I used 1 user to download Nitter, which is an anonymous Twitter client, but FOSS, then searched and browsed around in Nitter Twitter; then I switched into another user and accessed the Telegram group, then I saw the 3 person names I searched in Twitter being used as anonymous names in the Telegram group, for trolling around.
  • All happened at the continuous same timing.
  • etc.

So my assumption is, maybe the attack is not using anything in GrapheneOS,
but maybe it is using the blob in the system on chip,
which some experts say may contain a backdoor.

If not mistaken, Snowden has said this;
also in some intelligence movies, I saw that the police / intelligence agency
has surveillance capability into all smartphones.

So at the moment, the phone is not my concern,
because I have used GrapheneOS, and still failed.

My concern is this Heads Qubes laptop;
not sure which part is compromised.
What do you think, which part of this Heads Qubes laptop is compromised?

How did you acquire your hardware? Maybe there is a hardware backdoor added in.

It’s an interesting question to investigate the root of compromise, but I think at a sufficiently high threat level, attempts to create a hardened system are relatively futile unless you are technically advanced yourself; most of the off-the-shelf things like Heads and Kicksecure don’t do it, and there are certainly compromises that the Qubes devs are not yet aware of.

Either get offline or just be fine with not having a completely secure computer.

@TarzanSwinging

Before Heads flashing & Qubes installation,
I did DBAN the hard disk more than 10 times.

Also disassembled, assembled, & compared all the components inside
with the hardware manual and also some other websites,
and found what’s inside is exactly the same as all the references I read,

such as motherboard, hard disk, WiFi card, Bluetooth card, CMOS battery, speaker, LCD, keyboard, touchpad, also the new memory card.
Even the black plastic tape that covers the motherboard is still so sticky.


Anyway guys, I feel a need to clarify & apologize,
in case anyone feels that I am whining about my situation above,
because actually my motive / purpose is not to whine, but rather to speak up.

So, if anyone has an idea or solution, then please kindly share, & thank you;
but if no idea or solution, then please kindly don’t feel stress or pressure
from reading all the situation above,

because, in my opinion,
sometimes we can benefit not only from the technical solution,
but also from one’s “being hacked / targeted” experience story.

Some more, by referring to the case,
maybe we can get new ideas,
or maybe improve / develop a technical solution to solve the issue.

For example, so far as I know, if not mistaken,
Snowden also has not developed / provided any solution
regarding all the issues he mentioned before,

but maybe the only thing he did is to speak up,
or maybe in his case, blowing up,
so that we all, everyone, can benefit from his experience story.
Imagine if he stayed silent; then we all would never know the truth.

Okay, wishing all the best for everyone, thanks.


I completely understand what you’re describing and have been experiencing this myself for years. Rather than go into detail and get labeled as crazy, we have to keep it simple and factual: “they can see everything” makes complete sense to me. I see you’ve done your research, as have I, way too much of it at this point.

Maybe you stated this above (I apologize if so, as I was only quickly scanning), but rather than wiping your current device, have you tried purchasing a new computer and then installing Qubes? This is what I plan to do soon.

Seeing you have an Android, perhaps this would be useful to you? How to Stop the Menace of Android Rooting Malware Attacks with RASP | OneSpan. Have you tried it?

It sounds to me like you and I may be infected with similar spyware. I believe my stalkers are using Pegasus or something similar. My experience has been (and I have read that this is indeed possible) that if your phone is infected, they can access any camera on any device in your immediate vicinity regardless of whether you connect to the other device; it doesn’t even have to be a device you own. To give an example of what I experienced: I was once at a hotel, I had not connected to anything, and I took a bubble bath with my phone in a different room and the door closed, but there was a smart television above the tub. At the time I had no idea this was possible. Sure enough, soon after, they had to make me aware that they could see me. I do not know if this means any device in your vicinity can be infected even if you’re not connected, or if they only access the camera.

So sorry this happened to you. It is truly maddening and no one should have to endure it. I’m still searching for an OS that isn’t vulnerable to the zero-day / root / BIOS exploits. I was hopeful that Qubes was the solution, but I’m glad I stumbled upon your post.

Also, after reading that you’ve taken your hardware apart, have you by chance run across this? Thunderstrike at 31C3 - Trammell Hudson’s Projects

If this is actually happening, it certainly sounds like a high-capability actor, or someone so close that they actually use cameras to follow every keystroke.

An online-only actor would be able to do almost anything, especially if they can command ISPs, intercept packages and instruct anyone who sells you devices, and more.

I would certainly not rest before I knew more about these things, so I’d do the following:

  • Leave at a time that is out of the norm, and yes, literally dodging anyone following you, moving offline only
  • Find a second-hand store or such where you might enter unseen & buy an old device
  • Go online with that device from a café or such
  • Slowly start doing/handling the sensitive things you might be targeted for from that device, ideally doing this as a process across weeks or longer

If you’re hacked also this time, early on with completely innocent activity, you know things are very real & serious.

Should the hack happen after a while, when doing whatever might have attracted them to you, then you could run through everything that has happened for cues as to what might be going on.

That device might be a newish smartphone, an old laptop (cash only!), or even a laptop going back to well before the known hardware backdoors. (Those might have been around almost forever; in the nineties, yellow dots were added in patterns to printers so as to identify users.)

And then of course, if that device is never hacked, I’d say you’re monitored using online tools only, no team on the ground (yet) :slight_smile:

Then there is another possibility that I’ll mention only because I’ve seen it myself; please do not take this personally, it’s just a real-world thing that has not been mentioned yet.

I have a friend who has split personalities, one of which actively sabotages her in ways that are very hard to imagine unless you see it yourself. Not saying this is you, just that it is a possibility in general, that is all!

I completely agree.
It’s important to keep it simple and factual, and to focus on testing
that will isolate the cause of your problems.
What you can do will depend on your resources, the importance of what you do,
availability of alternative hardware, and whether you have trusted associates.

I don’t get any feel for where you might be living, but you obviously
have access to hardware and some facility in hardware hacking.

If you can, take some time off.
Leave your phone behind.
Book into a large cheap hotel off the street. Have a friend book into the same hotel,
and swap rooms after you have moved in.
Go online with your usual activities.

Walk in to an outlet you haven’t visited before.
Buy a second hand laptop for cash.
Take it home, without letting it out of your sight.
Go online with your usual activities.

Do the same but with the hotel swap arrangement.

Consider swapping your Qubes disk into a (new to you) laptop, and doing
these things.

Change your “usual activities” - stop using some forums, or Facebook, or
some possible vector. See what effect that has.

Before doing any of this I would sit down with someone you trust, but
who does not necessarily share your world view. This may be difficult.
Do this somewhere private.
Go through all the evidence that you have of what you think you are
experiencing.
Their reaction may vary from “Something is wrong with you, you need help”
to “Something is wrong, you need help”.
Listen to what they say, and act upon it.
You must avoid selective perception and confirmation bias.
It’s likely that at this stage you are subject to both.

If what you do is important, you will find ways of working.
Osama bin Laden ran his terror network by email for years, and the
“might” of Western “intelligence” could not find him.
He did it by working offline, passing messages by USB stick to trusted
couriers who would visit cheap internet cafes to paste the messages in
to email, and download any replies.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.