Yes, but there is still a big difference. An adversary can’t just do a Spectre and Meltdown attack on you whenever they want to. They have to be able to run code on your machine to do the attack. If you don’t use Wi-Fi, then for the most part I think the only way they can do the attack is if you browse to a malicious website with JavaScript enabled, which gives them the opportunity to run code on your machine to do the Spectre and Meltdown attack.
But if you have Wi-Fi, then the adversary can do a Spectre and Meltdown attack any time they want, as long as they are within Wi-Fi range with their antenna and they know how to hack the Wi-Fi. I don’t know how difficult it is to hack Wi-Fi; I’m not so good at networking, but I see a lot of content about it online all over the place, so it seems relatively trivial.
Personally I wouldn’t worry about a Xen vulnerability to escape the qube, which is what you were talking about with side-channel attacks, but Spectre and Meltdown vulnerabilities exist and most people are vulnerable to those attacks, which give the attackers access to all your system’s memory, not just your qube but all qubes and dom0.
I don’t want to be vulnerable to Spectre and Meltdown every time sys-net is running with Wi-Fi. I prefer to have Ethernet so I can choose to only be vulnerable when I browse an untrusted website with JavaScript enabled. It makes a huge difference.
Me too; that’s part of the reason why I started the topic: to learn more about Wi-Fi vs. Ethernet security in Qubes.
Maybe it’s actually not possible to do such an attack. The only way they might be able to do it is by hacking the LAN, which means hacking the router. After they have hacked the router and are inside the LAN, they can try to penetrate sys-net. I am not a hacker / pen tester etc., so I don’t know all the ways it’s done, but I guess it’s done by scanning open ports; OpenSSH recently had a vulnerability, so it would have been important to disable OpenSSH on sys-net. You also need a strong user password, and fail2ban could be a bonus.
Wi-Fi still makes it easier to be hacked when there is a known vulnerability like the recent OpenSSH vulnerability. But first they would need to hack the router before they can look for vulnerabilities in sys-net. That cycles us back to my first post where I said:
An addition I thought of is that you would also need to check the router frequently for tampering. Not sure if glitter nail polish works as well on a router as it does on a laptop.
First, define your threat model to figure out what you want to protect against. Then, decide what is acceptable as a mitigation and what risks are acceptable.
Security can go a long way down the rabbit hole, but it is useless if this does not match your security needs.
It’s possible to reveal some information by recording a video of a computer LED, network response time or electricity, by the way.
Spectre and Meltdown are “patched”: there is mitigation code running in all up-to-date kernels.
There’s little to no difference between escaping the hypervisor and being able to read all system memory using a CPU vulnerability: your system would be compromised in its entirety. So I don’t really understand the point you’re trying to make about that.
Regardless of whether you’re using Wi-Fi or not, being able to exploit a CPU or Xen vulnerability will be easier, much quicker and cheaper to do using browsing, email, or any connected software, as you don’t have to be in the vicinity when you launch this attack.
Hacking a network to gain access is different from being able to get RCE on a system, and is very often not a requirement.
Sys-net, like other qubes, has its ports closed by default.
Again, nothing stops you from using an RJ45 → USB adapter to avoid leaving your Wi-Fi on when you can just plug in your computer, but making sure that you don’t leak data and keeping your system up to date would do a better job of avoiding getting your system compromised.
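As an added example (not code from any poster in this thread): a small Python script that reads the Linux kernel’s per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/ and flags any entry the kernel does not report as mitigated, which is how you would check the “mitigation code in all up-to-date kernels” claim inside dom0 or a qube. The SAMPLE dictionary is constructed so the script also runs offline; the status-string formats follow the kernel’s real reporting conventions.

```python
"""Summarise the kernel's CPU-vulnerability mitigation status.

Reads /sys/devices/system/cpu/vulnerabilities/* when available and classifies
each entry, so a defender can confirm Spectre/Meltdown-class issues are reported
as mitigated rather than assuming it.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample used when the sysfs directory is unavailable (e.g. in a
# container). Strings follow the kernel's reporting format.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Not affected",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}


def classify(status):
    """Map a sysfs status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable", "Vulnerable: ...", "Unknown: ..." all mean no confirmed mitigation
    return "vulnerable"


def read_sysfs(path=SYSFS_DIR):
    """Return {name: status} from the kernel, or None if the directory is missing."""
    if not os.path.isdir(path):
        return None
    result = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as f:
            result[name] = f.read().strip()
    return result


def summarize(entries):
    """Return (all_ok, {name: class}); all_ok is False if anything is still vulnerable."""
    classes = {name: classify(status) for name, status in entries.items()}
    return all(c != "vulnerable" for c in classes.values()), classes


if __name__ == "__main__":
    entries = read_sysfs() or SAMPLE
    ok, classes = summarize(entries)
    for name, cls in classes.items():
        print(f"{name:20s} {cls:13s} {entries[name]}")
    print("all entries mitigated or not affected" if ok else "UNMITIGATED entries present")
```

On Qubes this needs running in dom0 and in each qube you care about, since each kernel reports only its own view.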
I hope it is effective.
What about Rowhammer? And other side-channel attacks?
Not trying to spread FUD, but since @capsizebacklog genuinely seems curious about side-channel attacks, I thought to ask: is the hardware using ECC memory or equivalent?
As always, confused (PSP/ME OK? UEFI OK? ECC-less memory OK? Spectre/Meltdown and other CPU vulns “mitigations” OK? OPSEC ignored or not discussed. Wow… but let us worry about wired Ethernet versus Ethernet over wireless). Yes, I am confused.
Please just ignore me. Just having one of those days.
Best to the Qubes community and all those trying to help (i.e. qubes_user_95639).
I have no counterarguments against your great points. You explained it very well.
I had misunderstood the Spectre and Meltdown vulnerabilities, because I thought they only give access to all memory, and all the articles I read about this threat said it doesn’t compromise the system. They all said that if you use a disposable qube then the threat is gone when you shut down the qube. So all those articles I read were misinformation.
So if these vulnerabilities are all gone now, then I think a lot of people still need to catch up, because there are still a lot of people talking about memory OPSEC. For example, one compromised qube can read the memory of another qube. (Side note: even if they are right somehow, maybe via a different vulnerability unrelated to Spectre and Meltdown, then I guess the Intel TME security feature should solve that threat, because if they get access to memory it would in that case be encrypted anyway.)
If you are right, then I guess there really isn’t much of a difference between Ethernet and Wi-Fi for Qubes security. That is great news if you’re right, because, like I explained in my first post, I just can’t find any laptops that come with an RJ45 port for Ethernet.
Even the thing I said about needing to make sure the router isn’t tampered with, that’s something we should make sure of regardless of whether we use Wi-Fi or Ethernet. But I guess it wouldn’t be the end of the world if the router was tampered with, because they still wouldn’t be able to penetrate sys-net from the LAN if the system is up to date.
All the current certified laptops (with the exception of an ultra-portable) provide physical Gigabit Ethernet ports.
Many new laptops without physical Ethernet feature USB-C Thunderbolt Alt Mode, providing 4x PCI Express 3 lanes over the connector. There are interfaces and docking stations utilizing this feature to provide Ethernet via PCIe rather than USB lanes. Pure Thunderbolt Ethernet interfaces are usually 10G, expensive and mostly bulky (requiring SFP+ modules). But they exist and they are becoming affordable.
Yeah, 100%. The thread title is misleading/bombastic/“click bait”. There is no clear end to “Ethernet”, be it through RJ45, USB-C, HDMI, Wi-Fi … there exist some awesome solutions for Ethernet over coax/power lines/phone lines that don’t require CAT5e cabling, which will keep Ethernet relevant into the 21st century.