Consistently compromised Qubes

No matter what steps I try to take I can’t seem to suss out malicious and entitled hackers from consistently compromising my networked devices. Not sure if they keep regaining access to Qubes from the router, usb keyboard or both and I’m not very technically inclined or learned in IT so I’m not sure what steps to take. Are there any log files I can send out to potentially help benefit this community? Running iftop on net/firewall seems to indicate that something is bypassing the internal 10...* IP routing from whonix <-> firewall <-> net. Reinstalling fedora 35 template appears to help fix the internal network bypassing until I restart the sys-usb cube.

A couple of questions: if my USB keyboard has malicious code on it, will adding "sys-usb allow dom0" to the qubes.InputKeyboard file be able to compromise dom0 even after LUKS login? Connecting the keyboard attaches multiple qubes.InputKeyboard events and tries to connect multiple InputMouse events; is there any way to restrict this to only initializing the first InputKeyboard event? Is there a way to monitor what code is being run from USB devices? Is the only way to fix something like a compromised keyboard with newer firmware? Does running a USB keyboard through a PS/2 adapter block malicious code?

For networking, is there any strategy to better isolate the sys-net cube? The moment the ethernet is active on a new install it gets outside IP requests (from my router?) that then seem to install files and compromise the fedora-34/35 and debian-11 templates. Would it behoove me to only run minimal templates for the net/firewall/usb cubes? I haven't tried getting any minimal templates to work, so this is my next plan!

Any recommendations on an affordable security focused router and switch? This seems to be the major vulnerability and culprit. I would love to make the router I have more secure but I don’t think that is realistic for such a noob like myself.

Apologies for all the questions unpacked here, I’ve spent a lot of time trying to figure this out on my own and can’t seem to find a stable solution. I appreciate any advice and guidance!

I think I fundamentally don’t understand how any of these processes and exchanges work but a minimal template seems to help so far with net & firewall qubes. Still wondering why my keyboard tries to allow mouse inputs and if that is indicative of malicious code?
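The keyboard policy the question refers to, shown in the syntax the Qubes OS documentation uses for the input proxy (an added illustration, not text from any post in this thread). The legacy file paths are the ones the documentation gives; the 4.1 file name under /etc/qubes/policy.d/ and the qube name sys-usb are assumptions.

```text
# Legacy (Qubes 4.0 style) policy files; Qubes 4.1 still reads them for compatibility.

# /etc/qubes-rpc/policy/qubes.InputKeyboard
#   Unconditional: every keyboard-class input device sys-usb sees is attached to
#   dom0 with no prompt. user=root is needed because the receiver in dom0 creates
#   a uinput device.
sys-usb dom0 allow,user=root

# /etc/qubes-rpc/policy/qubes.InputMouse
#   The documented default for pointing devices: dom0 asks before attaching.
sys-usb dom0 ask,default_target=dom0

# Qubes 4.1 policy format, one rule per line in a file under /etc/qubes/policy.d/
# (the file name 50-config-input.policy is an assumption). The first matching
# rule wins, so this file must sort before the default policy file.
qubes.InputKeyboard  *  sys-usb  dom0  allow user=root
qubes.InputMouse     *  sys-usb  dom0  ask default_target=dom0
```

A rule is matched on the calling qube (sys-usb) and the target (dom0), not on the individual HID device, so the policy cannot single out a keyboard's first interface: the input proxy makes one qubes.InputKeyboard or qubes.InputMouse call per input event device, and a keyboard that exposes several HID interfaces (a common design for keys plus media keys) produces several calls. With `allow` for the keyboard, whatever keystrokes sys-usb forwards go straight to dom0, which is why the documentation attaches a warning to it; `ask` is only workable if a second, non-USB keyboard is available to answer the prompt.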

Most of these questions have already been answered on this forum. Try to search for more, but this is what I found:

See here: What's the best way to check if qubes is hacked?

Probably related: Is sys-net the weak link in our systems' security?

This does not seem plausible. For that the attacker must have an escape exploit of Xen, which is extremely rare. Last time it happened with the Qubes hardware virtualization was in 2006, by the Qubes founder: Blue Pill (software) - Wikipedia.

Perhaps an evil maid attack is a possibility? (I'm not sure what a minimal attack on the BIOS would be, if it would just be inserting a malicious USB drive or if the system would have to be rebooted with this drive?) Obviously the breach is persistent across reinstalling Qubes.

This happened to me. My belief is that it was at a border crossing where my computers were confiscated for about 2 hours. Later I was running Tails on one of those computers and the "attacker" was altering files on my Tails persistent storage.

I’m not sure if the computer can be restored by reflashing the BIOS, but I guess that should be asked in a different posting.

I think you should NOT try to reflash your computer. Better try to preserve any evidence and contact experts who can handle the situation. We have NEVER seen a single case of specifically targeting Qubes and it would be a shame to waste it.

Which tools with which output lead you to believe that your templates get compromised?

Good suggestion. I’m not sure if I can afford it at the moment, but are there any particular experts you recommend I contact?

However, in my case I was not running Qubes: The evil-maid incident happened in 2018, before I had even heard of Qubes. I’m happy to give more details here if appropriate.

Suspicious things happened from time to time since 2018 on one of the two computers that was confiscated by border control, but it wasn't obvious I'd been "hacked" until the end of 2021. So I started using Tails OS for security, not Qubes OS, with one of those systems, and that is when I saw it compromised, with files in Tails persistent storage being modified. That was when I made the connection with the 2018 incident.

Perhaps I should report the incident to Tails?

I bought another computer after that and installed Qubes on it, but I suspect it is also being surveilled, though I have not noticed any “unauthorized” file modifications on this one.

I would appreciate any referrals to a security expert.

As far as reflashing, which as I understand refers to the BIOS, even if I did I'm not sure if it would help. My thinking is that an attack through sys-net may be possible without altering the BIOS. Though I don't understand whether the network card has its own firmware which could also be "reflashed".

https://citizenlab.ca ← I think those guys would be happy to help if it is provable that things are that serious.

Speaking of border control hacks, it is indeed quite possible that UEFI was the attack vector (I know a guy who suffered a literal "evil maid" attack in a Chinese hotel a few years ago! He spotted it immediately and every security expert out there was truly excited to lay hands on the laptop). Not that sophisticated, but effective. But I really doubt they have a ready-made toolkit for Qubes. Most likely an adversary would attempt to compromise it as a regular Linux and give up after the implant fails to "phone home". But if you are a truly interesting target, they make something fine-tuned for you.
