Ethernet becoming extinct. How do you see this problem impacting Qubes OS laptop system security when you must use only WiFi?

My search for a laptop to install qubes on has been a very bad experience.
I started by making a list of all potential laptops in my country. I’ve now finished going through the list, and there are barely any laptops that have an Ethernet port. The few sparse laptops that have it are on the other side of the country, and those laptops have other downsides as well, so no matter which laptop I look at there is always something that makes me frown. But this topic is focused on the lack of Ethernet in modern laptops.

All the potential laptops had to meet the Qubes OS system requirements; otherwise they wouldn’t be added to the list I went through.

What I would like to see a discussion about is giving up trying to find a laptop with Ethernet support. Networking is something I’m not so good at, but I know WiFi nowadays has encryption equal to Ethernet’s. The main problem with WiFi is that it’s easier for an adversary to attack, whereas with Ethernet the adversary would need to use an Ethernet cable, which in my case would be impossible for them to do undetected.

I also know it’s popular in the Qubes OS community to remove WiFi from the laptop.

What do you think about this situation? I know many of you are OK with buying second-hand laptops, or you trust the Qubes-certified vendors and trust the anti-interdiction to be good enough tamper evidence; then you don’t have the problem of finding a laptop with Ethernet. But what if you only wanted to buy a new computer locally for cash and you discovered how rare it is to find a laptop with Ethernet support?

What would you do then? Would you travel to another country, book a hotel and spend money on taxis to search for a laptop there, and hope that country has laptops with Ethernet? Or would you give up and accept having to use only WiFi? I think if you give in to having to use only WiFi, then you would need to spend a lot of time learning about networking and routers, and you would have to buy an open source router and spend time learning how to make it as secure as possible. Maybe if you do that, and you are the only person who will use the router, then maybe it is not too far from being as secure as Ethernet? What do you think? Like I said, I know very little about networking; that’s why I am starting this topic to see what those who know more about this will say.

It seems like Ethernet support in laptops is becoming extinct. Everyone just uses WiFi even if they are at home and never travel with the laptop.

2 Likes

Buy a USB adapter to have an Ethernet port.

5 Likes

I would continue searching until I find a laptop that fulfills my criteria, as anything less would be insufficient for my security needs.

4 Likes

But I think this would need some manual configuration, as it is not hardware that is directly integrated into the PC, and it will be connected to a USB port, which is managed by sys-usb, is it not?

2 Likes

Sorry to nit-pick, but WiFi is Ethernet. :smiley:

Getting back to the real subject, this is how I approach this problem.

A network cable (RJ45) instead of WiFi (very likely) won’t change anything about your system’s integrity:

  • Case 1: you’re on a trusted network; you can monitor this network (or someone whose job it is, and whom you can trust, does).
  • Case 2: you’re not on a trusted network; you should use a VPN or Tor to hide your clear-net traffic and avoid information leaks (you probably should use a VPN or Tor most of the time anyway).

In both cases, it doesn’t really matter what physical medium you use, as when an attacker finds a way to exploit something on your NIC (WiFi adapter or RJ45 port), Qubes’ sys-* architecture makes sure that a full system takeover isn’t possible.

I do think it is better to have the choice between the two, and from a usability perspective, WiFi is the easiest in availability (no need for a networking cable and port, often longer range), which is in alignment with a laptop as a device on the move. On the other hand, on a desktop, a cable is better suited for better networking performance and stability.

To put it another way: a cable might give you the impression of being safe from a network stack attack, which goes against QubesOS’ assumption that sys-net is not trusted.

1 Like

But wouldn’t such an attack make all qubes connected to sys-firewall, sys-net, sys-whonix compromised?

1 Like

But wouldn’t such an attack make all qubes connected to sys-firewall, sys-net, sys-whonix compromised?

When sys-net is infected, traffic could be intercepted if it is clear-net, or DoSed in other cases. An attacker would need to find a side-channel exploit/Xen escape to compromise other VMs.

NOTE: if an attacker found some side-channel/Xen escape exploit, they wouldn’t need to target sys-net and could directly target any other qube.

NOTE 2: only sys-net is (should be) connected directly to your NIC, so only it could be compromised with such an attack.

2 Likes

Only?

Dom0?

Dom0 is not just “any other Qubes”.
Yes?

IIUC, an attacker who could find a side-channel exploit/Xen escape and could reach dom0 means GAME OVER. No?

1 Like

Opsec 101: no unencrypted traffic should pass through sys-net, most likely an HVM, correct?

1 Like

Yes! And it wouldn’t require targeting sys-net in particular; some malware on your web-browsing qube would be enough.

But it’s harder by several orders of magnitude to find and exploit these in time.
And it is most of the time unnecessary: phishing, malware/spyware, etc. are easier to implement.

I don’t think clear-net traffic is an issue as long as you know what it is and what it says about your browsing habits, if I understood you correctly.

2 Likes

What do you mean by “if it is DoS”? But the netvm for sys-firewall is sys-net, and for sys-whonix it is sys-firewall, so is it not just like a domino effect: if sys-net is compromised, then the others are too? If not, please educate me more on how they are put together and how the whole process works.

1 Like

Denial of Service, in short: shutting down your internet connection.

Yes, but in the case of browsing using the whonix-* qubes:
anon-whonix → sys-whonix → sys-firewall → sys-net
In this chain, only sys-net is “exposed” through its NIC.
All qubes deny incoming requests (except those that are replies to a previous outgoing request), and sys-whonix encapsulates network traffic to go through Tor (if it’s not done directly in anon-whonix, I’m not 100% sure), but the important part is that sys-firewall and sys-net only forward outgoing packets, so they can’t know what the contents of the packets are.

This would also work with a sys-vpn; I think you could learn more about it here: Wireguard VPN setup - #2 by deeplow
It would look something like:
AppVM → sys-vpn-fw → sys-vpn → sys-firewall → sys-net

An attacker who had gained access to sys-net wouldn’t be able to send packets the other way (they would be denied by firewall rules in sys-firewall).
They could:

  • Try to exploit some bug in Xen to escape the sys-net VM
  • Disturb traffic (as reading encrypted/Tor packets wouldn’t be very useful)

3 Likes
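The reply above makes three claims about the chain anon-whonix → sys-whonix → sys-firewall → sys-net: every qube forwards outgoing packets, only replies to tracked flows are let back in, and sys-firewall/sys-net see nothing but an opaque connection to a Tor guard. The following is an added model of that behaviour, written for this thread and not code from the forum or from Qubes OS. Every hop is a conntrack-style filter, the “Tor” wrapping is a labelled stand-in (a fixed XOR, not a cipher), and all qube names, addresses and packets are constructed. It also shows the case the reply emphasises: a packet injected by a compromised sys-net is stopped at sys-firewall, and an unsolicited packet arriving on the NIC is stopped at sys-net.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # "host:port"; all addresses in this example are constructed
    dst: str
    proto: str     # "tcp" or "udp"
    payload: bytes


TOY_KEY = 0x5A   # stand-in for Tor's real encryption: NOT a cipher, just makes bytes opaque


def opaque(data: bytes) -> bytes:
    return bytes(b ^ TOY_KEY for b in data)


class StatefulHop:
    """One qube in the chain, modelled as a stateful filter: traffic leaving towards
    the NIC is forwarded and remembered; traffic coming back from the NIC side is
    forwarded only if it answers a remembered flow, otherwise it is dropped."""

    def __init__(self, name):
        self.name = name
        self.flows = set()      # (proto, src, dst) of flows initiated from the inner side
        self.dropped = []

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.dst))
        return pkt

    def inbound(self, pkt):
        if (pkt.proto, pkt.dst, pkt.src) in self.flows:   # reply to a tracked flow
            return pkt
        self.dropped.append(pkt)
        return None


class TorHop(StatefulHop):
    """sys-whonix: wraps the inner packet so that every hop further out only sees a
    connection to the guard carrying opaque bytes, and unwraps the guard's replies."""

    def __init__(self, name, guard):
        super().__init__(name)
        self.guard = guard
        self.socks = f"{name}:9050"

    def outbound(self, pkt):
        inner = f"{pkt.proto}|{pkt.src}|{pkt.dst}|".encode() + pkt.payload
        return super().outbound(Packet(self.socks, self.guard, "tcp", opaque(inner)))

    def inbound(self, pkt):
        if super().inbound(pkt) is None:          # must be a reply on the guard flow
            return None
        proto, src, dst, payload = opaque(pkt.payload).split(b"|", 3)
        return Packet(src.decode(), dst.decode(), proto.decode(), payload)


class Chain:
    """Hops ordered from the app qube outwards, e.g. [anon-whonix, ..., sys-net]."""

    def __init__(self, hops):
        self.hops = hops

    def send(self, pkt):
        """App qube -> NIC. Returns what sys-net hands to the NIC."""
        for hop in self.hops:
            pkt = hop.outbound(pkt)
        return pkt

    def receive(self, pkt, entering_at=None):
        """NIC -> app qube. `entering_at` is the index of a compromised hop that
        originates the packet; None means it arrived on the NIC. Returns the name
        of the hop that dropped it, or None if it reached the app qube."""
        start = len(self.hops) - 1 if entering_at is None else entering_at - 1
        for hop in reversed(self.hops[:start + 1]):
            pkt = hop.inbound(pkt)
            if pkt is None:
                return hop.name
        return None


def scenario():
    guard = "guard.example:9001"                  # constructed Tor guard address
    chain = Chain([StatefulHop("anon-whonix"), TorHop("sys-whonix", guard),
                   StatefulHop("sys-firewall"), StatefulHop("sys-net")])
    # 1. the app qube fetches a page; sys-net only sees the guard and opaque bytes
    on_wire = chain.send(Packet("anon-whonix:40000", "example.org:80", "tcp", b"GET / HTTP/1.1"))
    # 2. the guard answers on the tracked flow; every hop lets the reply through
    reply = Packet(guard, "sys-whonix:9050", "tcp",
                   opaque(b"tcp|example.org:80|anon-whonix:40000|HTTP/1.1 200 OK"))
    # 3. an attacker inside sys-net tries to reach the app qube directly
    probe = Packet("sys-net:1234", "anon-whonix:22", "tcp", b"hello")
    # 4. an unsolicited packet arrives on the NIC
    unsolicited = Packet("203.0.113.9:4444", "sys-net:22", "tcp", b"scan")
    return {
        "wire_src": on_wire.src,
        "wire_dst": on_wire.dst,
        "wire_payload_is_plaintext": b"GET" in on_wire.payload,
        "reply_dropped_at": chain.receive(reply),
        "probe_dropped_at": chain.receive(probe, entering_at=3),
        "unsolicited_dropped_at": chain.receive(unsolicited),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out the other thing the reply lists: a hypervisor escape is not a packet and no firewall rule in this chain applies to it, which is why the reply treats it separately from traffic interception or denial of service.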

How do you monitor this? tcpdump? But wouldn’t that miss UDP and ICMP traffic? It has been years since I sniffed my sys-net internally or externally. Can you recommend a clear-net traffic monitoring approach? Thanks again.

1 Like

This is discussed in other topics, I don’t have the link, but:

  • strict firewall rules will help mitigate some leaks
  • using an external device to monitor the traffic between your laptop and the AP

AFAIK, you could use something like tcpdump/Wireshark to monitor/analyze traffic at different points in your system/network architecture.

1 Like

I recommend a T480 or X series ThinkPad; they are old and slow, but they are battle tested and mostly support FOSS BIOS options, as well as fulfilling your goal of having an Ethernet port. On top of this they are very cheap (less than 250 USD) and, in my country at least, not hard to find.

2 Likes

I think your time would be better served making your system VMs (sys-net, sys-usb, etc.) disposable and verifying, or just pulling a new template VM for those sys-VMs, if you are wary of their state(s). Sniffing your traffic can only tell you so much, and an advanced attacker could likely circumvent detection; it is unlikely you have been infected to begin with, especially if your VM is already ephemeral.

2 Likes

When you say side channel attack, are you talking about the Spectre and Meltdown CPU vulnerabilities? These are real active threats everyone is facing.

But I think if we use disposable qubes like the Whonix workstation, then you won’t have to worry about side channel attacks until you browse to a malicious website with JavaScript enabled. That way you have a lot of control over when you should do memory opsec.

But if we use WiFi and there is an adversary sitting in a van outside your home 24/7, doing a side channel attack on you immediately every time you start sys-net, that would be terrible, and you basically could never use the internet without having all your memory exposed to the adversary.

That’s why I think an Ethernet port still sounds very important. What do you think?

1 Like

Done long ago (R4.0 IIRC) but thank you for good advice.

More appreciated good advice. Thanks!

Agree. Hope qubes_user_95639 reads this too.

By ephemeral do you mean merely disposable or fully ephemeral DispVMs? I have yet to do the latter (RAM constraints and laziness may be issues :grinning:).

2 Likes

I’m talking about VM escapes, or how to get control of the hypervisor or dom0.
CPU, hardware and hypervisor vulnerabilities, which are hard to find, quickly patched, and concern more than just QubesOS. Such vulnerabilities do not require WiFi to exploit them.

The whole point of having sys-net, sys-usb and sys-whonix or sys-vpn is that when an attacker gains access to your network or, worse, gains control of your WiFi adapter (or indeed any physical port), they won’t be able to read non-clear-net traffic.

For me this is similar to the argument about disabling passwordless sudo in your qubes: more than increasing your security, it would bring a false sense of security regarding your system.

Again, I don’t say or think that you should drop cable and only use WiFi, but that you shouldn’t take just one into account, and you should be mindful of the various ways your system interacts with its environment.

If you’re concerned about an attacker gaining access to your WiFi adapter or sys-net, you should make sure that anything that goes through it is unusable for them (the same way that you should make sure that your ISP can’t make much of your traffic, IMHO).

If you’re concerned that an attacker would leverage your WiFi adapter to gain access to your Xen or dom0, you should monitor, upgrade, and probably use a dispVM for sys-net with some restarts.

But keep in mind, as soon as an attacker has the means to escape sys-net (or more realistically any VM), they won’t have to and probably will not try to gain access to sys-net, as there are bigger attack vectors in your other qubes (browsing, email, and so on).

1 Like

I was using the terms interchangeably, assuming they mean roughly the same thing, but to update my original wording: I was speaking specifically about disposables.

1 Like