I have a printer with USB, WiFi and LAN ports/connections.
Let’s say I connect the printer to the Qubes machine with a LAN cable, to the other, Windows machine via USB cable, and to the third machine via WiFi. Is that a security issue? Can my Qubes machine be compromised? How? I couldn’t find more info on this setup.
I’m trying to understand what can be done, and how, from a compromised Windows machine via the printer to a qube to which the same printer is connected at the same time.
I can’t find such info. Any info on whether the second machine can potentially be compromised, regardless of OS?
If you have a default Qubes install - where only outgoing packets are allowed towards the LAN interface - then no, your Qubes is kind of ‘safe’ from that printer.
If you just send printing jobs to that printer, then you are still safe.
However, if you visit the web interface - and that interface is compromised by any means - then a theoretical exploit would reach your browser, so your VM that runs that browser might be a victim of such. However, this must be a very specific and targeted attack.
(Also, your printer must be hacked/modified by those ‘others’ who connect to it to prepare such an attack against your Qubes. A malicious Windows machine connected via USB is surely able to prepare such.)
In a normal (and default) Qubes setup, the LAN adapter is separated via PCI passthrough in sys-net. So any ‘attack’ coming from the LAN would only affect the sys-net - which should be considered non-trusted anyway.
But in general ‘firmware hacks’ assume the attacker already has access to your machine. That’s why it is more of an issue if you dual boot.
Interesting thoughts. So, basically, my internet traffic could be captured when connecting both the printer and the Qubes machine to the router/switch, while the printer is connected to a compromised second computer via USB cable?
Well, those are the very basics of networking… which I surely can’t cover here, but the important parts are:
A HUB is a device that ‘broadcasts’ all network packets to all its ports.
In this case ‘capturing’ all the traffic is trivial, as you just have to be part of the network.
A SWITCH, however, only delivers packets to their destination port, based on the MAC addresses.
In this case you really need to ‘do something’ to be able to capture traffic not destined for your MAC address.
That is, until its MAC address table is filled - at that point it silently starts acting as a hub.
So even if only switches are used ~everywhere today, the small/cheap/dumb ones can be easily ‘downgraded’ (by any device on your network) to a hub. Which can have severe security consequences…
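The fail-open behaviour described in the post above, as a toy model (an added example, not part of the original thread). The port numbers, MAC addresses, table size of 8 and the `max_macs_per_port` setting, modelled on the per-port MAC limit that managed switches offer, are constructed for illustration.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy model of a MAC-learning switch with a bounded address table."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port   # None = no per-port limit
        self.table = {}                     # MAC -> port it was learned on
        self.per_port = defaultdict(set)    # port -> MACs learned there
        self.violations = defaultdict(int)  # port -> frames dropped by the limit

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        if src not in self.table:
            limit = self.max_macs_per_port
            if limit is not None and len(self.per_port[in_port]) >= limit:
                self.violations[in_port] += 1
                return []                   # limit reached: drop and count
            if len(self.table) < self.table_size:
                self.table[src] = in_port
                self.per_port[in_port].add(src)
            # else: table is full, the new source is silently not learned
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]  # flood, like a hub
        return [] if out == in_port else [out]

def run(max_macs_per_port):
    """Port 1 = laptop, port 2 = router, port 3 = printer (all constructed)."""
    sw = LearningSwitch([1, 2, 3], table_size=8,
                        max_macs_per_port=max_macs_per_port)
    # The device on port 3 sends frames from 20 different source MACs.
    for i in range(20):
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    laptop, router = "02:aa:00:00:00:01", "02:bb:00:00:00:01"
    sw.receive(1, laptop, router)   # gives the switch a chance to learn the laptop
    sw.receive(2, router, laptop)   # and the router
    # Where does the next laptop -> router frame go, and what was counted?
    return sw.receive(1, laptop, router), sw.violations[3]

if __name__ == "__main__":
    print("no limit:       ", run(None))
    print("2 MACs per port:", run(2))
```

In the unlimited run the laptop's frame also leaves on port 3, because neither the laptop nor the router could be learned; with the limit it goes only to port 2, and the violation counter on port 3 is the signal to alert on.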
Of course it’s basics, but here’s what I can’t find as secure enough to use the switch rather/and/or the hub. So, the Windows machine is compromised. I connect the printer to it via USB. The printer (firmware) is compromised/hacked too, and connected to the switch via LAN. So, what is preventing poisoning of the firmware of both the switch and my Qubes laptop’s LAN controller via the switch in this scenario?