Is this setup security issue?

I have a printer with USB, WiFi and LAN ports/connections.

Let’s say I connect the printer with Qubes machine with LAN cable, and the other, Windows machine via USB cable, and the third machine via WiFi. Is that a security issue? Can my Qubes machine be compromised? How? I couldn’t find more info on this setup.


Compartmentalize … as long as you configure some separate printing qube/VM it’s all the same.


It depends on your threat model.


I’m trying to realize what and how can be done from compromised Windows machine via printer to a qube to which the same printer is connected at the same time.

I can’t find such an info. Any info on can the second machine potentially be compromised, regardless of an OS.


If you have a default Qubes install - where only outgoing packets are allowed towards the LAN interface - then no, your Qubes is kind of ‘safe’ from that printer.

If you just send printing jobs to that printer, then you are still safe.

However, if you visit the web interface - and that interface is compromised by any means - then a theoretical exploit would reach your browser, so your VM that runs that browser might be a victim of such. - however this must be a very specific and targeted attack.
(also your printer must be hacked/modified by those ‘others’ who connect to them to prepare such attack against your Qubes. Where a malicious windows machine connected via USB is surely able to prepare such)

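To make the "only outgoing packets are allowed" default in the reply above concrete, here is a small stateful packet filter written for this thread (it is an added example, not Qubes' own firewall code or anything from the original post). Addresses, ports and the print-service port list are assumptions chosen for the illustration.

```python
"""Toy stateful packet filter with the policy "the qube may open connections to
the printer; nothing may open a connection to the qube".

Added example for this thread, not Qubes' own firewall implementation. The
addresses and the print-service ports are made up for the illustration.
"""
from dataclasses import dataclass

QUBE, PRINTER = "10.137.0.20", "192.168.1.50"   # assumed addresses
PRINT_PORTS = {631, 9100}                         # IPP and raw/JetDirect, assumed policy


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the packet that opens a new TCP connection


class StatefulFilter:
    def __init__(self):
        # (src, sport, dst, dport) of every connection the qube itself opened
        self.flows = set()

    def process(self, p: Packet) -> str:
        # A reply to a connection the qube opened: the reversed tuple is known.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        # Further packets of an outbound flow that is already established.
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "ACCEPT"
        # A new connection is only allowed from the qube to the printer's print ports.
        if p.src == QUBE and p.dst == PRINTER and p.dport in PRINT_PORTS and p.syn:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Everything else, including anything the printer initiates, is dropped.
        return "DROP"


def scenario():
    """Run the packets a print job and a misbehaving printer would produce."""
    fw = StatefulFilter()
    return [
        fw.process(Packet(QUBE, 40001, PRINTER, 631, syn=True)),   # job opens IPP
        fw.process(Packet(PRINTER, 631, QUBE, 40001)),             # printer's reply
        fw.process(Packet(PRINTER, 631, QUBE, 40002)),             # wrong port: unsolicited
        fw.process(Packet(PRINTER, 51000, QUBE, 22, syn=True)),    # printer probing SSH
        fw.process(Packet(QUBE, 40003, PRINTER, 80, syn=True)),    # qube to printer web UI
    ]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

The model only tracks TCP 4-tuples and ignores sequence numbers, UDP and ICMP, which a real connection tracker also handles. Note the last packet: the printer's web interface is dropped because port 80 is not in the allowed list. The moment you add port 80 so you can browse to the printer, the risk described in the reply (a compromised web interface reaching your browser) is back, because the reply to that connection is then accepted by design.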

Thanks. What about firmware hacks? Can they be performed without accessing web interface?


In a normal (and default) Qubes setup, the LAN adapter is separated via PCI Passthrough in sys-net. So any ‘attack’ coming from the LAN would only affect sys-net - which should be considered non-trusted anyway.

But in general ‘firmware hacks’ assume the attacker already has access to your machine. That’s why it is more of an issue if you dual boot.


Interesting thoughts. So, basically, my internet traffic could be captured when connecting both printer and Qubes machine to the router/switch, while the printer is connected to compromised second computer via USB cable?


It can only happen if:

  • your printer is also already hacked/compromised/modified
  • you are using a hub, not a proper switch, to connect these devices
  • and/or your printer acting as a Man In The Middle between your Qubes and your Router

But (if you ask me) this is very unlikely scenario in practice.


Thanks. Can you elaborate a bit more on this, please?


well, that’s the very basics of networking… which I surely can’t cover here, but the important parts are:

  • HUB is a device that ‘broadcasts’ all the network packets to all its ports.
    In this case ‘capturing’ all the traffic is trivial, as you just have to be part of the network.

  • SWITCH however only delivers packets to their destination port, based on the MAC addresses.
    In this case you really need to ‘do something’ to be able to capture traffic not destined to your MAC address.

up until its MAC address table is filled - at that point it silently starts acting as a hub :wink:

So even if only switches are used ~everywhere today, the small/cheap/dumb ones can be easily ‘downgraded’ (by any device on your network) to a hub. Which can have severe security consequences…

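The "filled MAC table turns a switch into a hub" point above is easy to see in a toy model. The following learning switch is an added example written for this thread (it is not code from the forum or from any switch vendor); the port names, table size and MAC addresses are constructed for the illustration.

```python
"""Toy learning switch: why a full MAC table makes it flood like a hub.

Added example for this thread, not from the original post. Ports, table size
and MAC addresses are constructed; no real network is involved.
"""
from collections import OrderedDict


class LearningSwitch:
    def __init__(self, ports, table_size):
        self.ports = list(ports)
        self.table_size = table_size
        self.table = OrderedDict()   # MAC -> port, most recently seen last

    def _learn(self, mac, port):
        if mac in self.table:
            self.table[mac] = port
            self.table.move_to_end(mac)
        elif len(self.table) < self.table_size:
            self.table[mac] = port
        # else: the table is full and this station is simply not learned

    def forward(self, src, dst, in_port):
        """Return the list of ports the frame is copied to."""
        self._learn(src, in_port)
        out = self.table.get(dst)
        if out is None:
            # Unknown destination: copy to every other port, exactly like a hub.
            return [p for p in self.ports if p != in_port]
        if out == in_port:
            return []          # destination is on the ingress port: drop
        return [out]


# Constructed stations: laptop on p1, router on p2, printer on p3.
LAPTOP, ROUTER = "d8:00:00:00:00:01", "d8:00:00:00:00:02"


def fake_mac(i):
    """Locally administered, deterministic fake source address number i."""
    return f"02:aa:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}:00"


def reply_ports(attacker_frames, table_size=64):
    """Where does the router's reply to the laptop end up?

    attacker_frames: number of frames with fresh fake source MACs that the
    device on p3 sends before the laptop talks.
    """
    sw = LearningSwitch(["p1", "p2", "p3"], table_size)
    for i in range(attacker_frames):
        sw.forward(fake_mac(i), ROUTER, "p3")   # MAC table flooding from p3
    sw.forward(LAPTOP, ROUTER, "p1")            # laptop sends something to the router
    return sw.forward(ROUTER, LAPTOP, "p2")     # router replies to the laptop


if __name__ == "__main__":
    print("quiet network:", reply_ports(0))      # ['p1']
    print("after flooding:", reply_ports(1000))  # ['p1', 'p3']: p3 sees it too
```

Real switches age entries out after a few minutes, so an attacker keeps flooding to keep the table full; the defence is the same on any managed switch (a per-port limit on learned MACs, often called port security), and it is exactly what a "small/cheap/dumb" switch lacks.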

Of course it’s basics, but here’s what I can’t find as secure enough to use the switch rather/and/or the hub. So Windows machine compromised. I connect printer to it via USB. Printer (firmware) compromised/hacked too, connected to the switch via LAN. So, what is preventing poisoning of firmware both of the switch and my Qubes laptop’s LAN controller via switch in this scenario?


I don’t really understand the scenario you’re trying to set…
As there are some ‘hard rules’ you just can’t dodge:

  • physical access = root access.
    Plugging in something non-trusted = limited physical access to that ‘port’. Even the ‘Power cable’ can be malicious - especially if it’s a USB.

  • If a device is known to be hacked, then the entire network (L2 segment) should be handled as compromised too. The only option you have is to remove/isolate the compromised device ASAP.

  • once a device is compromised, there is no way to credibly ‘clean’ it.

So if you keep those in mind, you should never ever connect to a non-trusted network (via Ethernet) for example. Let alone if you know/assume it is malicious and/or hacked.

So for me, any scenario that assumes/requires that other devices are already compromised but you still want to keep your ‘special device’ secure in this very hostile environment - let’s say Qubes… it is just unrealistic and pointless. In such scenario you already lost the ‘game’.

Your only option in such case is to:

  • detect the compromise/attack as soon as possible → SOC, EDR, etc.
  • mitigate the damage.

So if I go back to your original question:
yes, there is a security issue.

But that doesn’t automatically mean you can’t ‘accept the risk’

  • do a risk analysis, by defining your threat model. Without such the whole discussion is pointless, as there is no ‘ultimate security’
  • focus on detection and prevention. Once you find any sign of compromise in your home network, do the necessary steps: isolate the compromised device(s) and try to find the root cause.
  • IT security heavily depends on the weakest link. If you have ‘mixed’ devices, the best you can do is to mitigate the risk by separating them into different network segments, keeping them up to date, having backups, etc.

@tempmail, it would help you if you didn’t think of the printer as “a printer”, and more like “another computer”.

All 4 devices:

  • Can forward messages onto one another
  • Can be programmed (in a sense) to follow someone else’s instructions
  • Can be tricked/duped into doing something they wouldn’t normally do

So, imagine, for example, the following scenario:

  • Device A can talk directly to Device C, but not Device B or D
  • Device B can only talk to Devices D and C
  • Devices A and B are the only ones with an internet connection
  • Device C will blindly forward anything you send it, without checking what it is
  • Device B will redirect any “unexpected” messages to Device C, regardless of the original intended recipient
  • Device A will always say its messages are from itself, regardless of upstream senders (masquerade)
  • Device C will not masquerade sender identities

…something like this :slight_smile:

So, given these parameters, can you figure out a way to get Device D to talk to the internet?

This is why they call it HACKING :sunglasses:


Hope this explanation helps :slight_smile:


Nope. Actually, that’s not my goal at all, but thanks anyway.

Not exactly, but thanks anyway for your time.

I’d like to print from my private Qubes laptop to my office printer that is attached to my office Windows computer via USB. So, my idea was to attach my laptop to a printer via LAN port in parallel. Office computer is part of a heavily regulated domain.


@tempmail, I never actually said it was :slight_smile:

Let’s try again…

printing qube can talk directly to sys-firewall, but not sys-net or your Windows machine

Your Windows machine can only talk to sys-net and the printer

sys-net and your Windows machine are the only ones with an internet (or network) connection.

Your Windows Machine will blindly forward anything you send it, without checking it.

sys-net will redirect any “unexpected” messages to sys-firewall, regardless of the intended recipient
(Not entirely accurate, but the principle remains the same)

sys-net will always say its messages are from itself, regardless of which qube initiates the traffic

The Windows machine will not masquerade sender identities.


Well, maybe read it again, eventually you’ll see it.


Still don’t get it? Ok, here’s what you want to know:

This question is far too vague in its current form.

It’s reliant on so many secondary (and even tertiary) dependencies about the scenario being defined, that without them, it’s impossible to be able to give you any kind of answer that is of any meaningful use to you.

That’s why instead of saying “Yes”, “No”, or “It depends”; I chose to attempt to have the scenario better established in your head, in the hopes that by doing that, you’d likely end up getting the answers yourself, and end up getting what you want faster.

Same as the first question.

Windows Machine ↔ USB Cable ↔ Printer ↔ Ethernet ↔ sys-net ↔ sys-firewall ↔ AppVM

This entire chain of communication is reliant on the printer actually doing what the Windows machine asks it to do, whatever that may be.

For simplification, let’s assume that the Windows machine can make the printer tell the Windows machine that it’s a “USB Ethernet adapter” (yes, the USB protocol allows for this to happen).

From there, the Windows machine thinks it has a new network adapter, and then tries to send packets to your Qubes machine.

On a vanilla Qubes OS machine, these packets go into sys-net, followed by a number of other qubes, where they undergo various checks and stripping (for the purposes of this explanation, this is called “sanitisation”).

Eventually, if the data packets are deemed to be “correct”, they will then go into the qube that you, the end user, are interacting directly with.

“Correct”, in this case means “the qube is actually expecting to receive them”.

Again. This question is way too vague to be able to give you an answer that is of any use to you, both to your specific situation, and even in general, for that matter.

Short answer:

  • Anything that:
    • Takes something (INPUT)
    • “Does something to it” (FUNCTION)
    • Passes the end result onto something/someone else (OUTPUT)

…has the potential to be given specially-crafted input that capitalises on what the function does to it, to be able to engineer a certain output. And sometimes, that function can be manipulated to do things that it wasn’t designed to do.

The internet is basically the equivalent of the postal service, but delivery happens at the speed of light.

  • Your data packets almost never go straight to the recipient, even on your home LAN, they almost always go through another device that acts as a forwarding agent.
  • You almost always have ZERO control over how many entities are involved in the delivery of your data packets
    • And every single intermediary that handles your data packets can pretty much do whatever they want to your data packets before forwarding them
      • Copy them
      • Alter them
      • Redirect them
      • Throw them straight in the trash

Well, think of your Qubes OS machine as your mailbox at your house.

  • People can put whatever mail they want into it
    • Bills, legal documents, packages, food, explosives, etc.
  • Only you can decide what to do with each piece of mail once you open the mailbox and check the mail
    • Some mail might get opened while you’re at the mailbox
    • Other mail might get taken into the house and opened there
    • Some mail might get given to another member of the household still sealed

So:

Great!

You can always unplug the printer USB cable from your Windows machine, and plug it into your Qubes OS machine.

If you’re concerned that the printer might try and do some shenanigans to whatever it gets connected up to, you can, of course, pass it (and the file you want to print) through to a disposable VM, limiting what the printer can actually touch in your Qubes OS machine (aka “Attack Surface”).

But you want to be able to print via LAN, so let’s explore that more.

That’ll work, too. You should be able to print directly from your qube containing the file you want to print. In this scenario, the printer is “just another network device”, and anything sent by it to your Qubes OS machine is subject to the same ingress rules as any other network traffic.


Now does it make more sense in your head?

I can always explain it using more IT jargon if you’d prefer…

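The reply above notes that a USB device can tell its host it is a "USB Ethernet adapter", and that is decided entirely by the descriptors the device hands over on enumeration. The check below walks a configuration descriptor and lists the interface classes a device claims, so a "printer" that also offers a CDC Ethernet interface stands out. This is an added example written for this thread, not code from the forum, from Qubes or from any printer; the two descriptor blobs are constructed in code to stand in for what a real device would return.

```python
"""Walk a USB configuration descriptor and list the interface classes a device claims.

Added example for this thread. The descriptor blobs are constructed here to
stand in for a real device's response; nothing talks to actual USB hardware.
"""
import struct

DESC_CONFIG, DESC_INTERFACE, DESC_ENDPOINT = 0x02, 0x04, 0x05
CLASS_CDC, CLASS_PRINTER, CLASS_CDC_DATA = 0x02, 0x07, 0x0A
SUBCLASS_CDC_ECM = 0x06   # Ethernet Control Model: "I am a network adapter"


def interface_descriptors(blob: bytes):
    """Yield (class, subclass, protocol) for every interface descriptor in blob.

    Descriptors are chained by their own bLength field, so a malformed length
    (zero, or one that runs off the end) is rejected instead of looping forever.
    """
    offset = 0
    while offset + 2 <= len(blob):
        b_length, b_type = blob[offset], blob[offset + 1]
        if b_length < 2 or offset + b_length > len(blob):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if b_type == DESC_INTERFACE and b_length >= 9:
            # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting,
            # bNumEndpoints, bInterfaceClass, bInterfaceSubClass,
            # bInterfaceProtocol, iInterface
            fields = struct.unpack_from("9B", blob, offset)
            yield (fields[5], fields[6], fields[7])
        offset += b_length


def unexpected_interfaces(blob: bytes, allowed_classes=frozenset({CLASS_PRINTER})):
    """Interfaces whose class is not one we expect from this kind of device."""
    return [i for i in interface_descriptors(blob) if i[0] not in allowed_classes]


def is_malformed(blob: bytes) -> bool:
    try:
        list(interface_descriptors(blob))
        return False
    except ValueError:
        return True


# --- constructed test descriptors -------------------------------------------

def _interface(number, cls, sub, proto, n_endpoints=1):
    desc = struct.pack("9B", 9, DESC_INTERFACE, number, 0, n_endpoints, cls, sub, proto, 0)
    for ep in range(n_endpoints):
        # bLength, bDescriptorType, bEndpointAddress, bmAttributes(bulk), wMaxPacketSize, bInterval
        desc += struct.pack("<BBBBHB", 7, DESC_ENDPOINT, 0x81 + ep, 0x02, 512, 0)
    return desc


def _config(*interfaces):
    body = b"".join(interfaces)
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes, bMaxPower
    header = struct.pack("<BBHBBBBB", 9, DESC_CONFIG, 9 + len(body), len(interfaces), 1, 0, 0x80, 50)
    return header + body


# A plain printer: one printer-class interface (subclass 1, bidirectional protocol 2).
HONEST_PRINTER = _config(_interface(0, CLASS_PRINTER, 0x01, 0x02, 2))

# The same printer, plus a CDC-ECM control interface and its data interface,
# which is what makes a host load a network driver for it.
PRINTER_WITH_NIC = _config(
    _interface(0, CLASS_PRINTER, 0x01, 0x02, 2),
    _interface(1, CLASS_CDC, SUBCLASS_CDC_ECM, 0x00, 1),
    _interface(2, CLASS_CDC_DATA, 0x00, 0x00, 2),
)

if __name__ == "__main__":
    print("honest:", unexpected_interfaces(HONEST_PRINTER))       # []
    print("with NIC:", unexpected_interfaces(PRINTER_WITH_NIC))   # [(2, 6, 0), (10, 0, 0)]
```

On a real system the same information is what `lsusb -v` prints per interface, and tools such as USBGuard apply exactly this kind of interface-class check before a device is allowed to bind a driver; in Qubes that decision belongs in sys-usb, before anything reaches the qube you print from.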

Yes, that makes sense.
Now, the most important question: what are you afraid of in such situation?


Well, hardly it can get sense anywhere out of the head, anyway :grin:
I appreciate your further elaboration, though. And somehow, I still am not finding the answer on my question (or I’m missing it):

… or without a switch, while directly connecting both laptop’s and printer’s LAN ports to each other.

I am not afraid of anything when Qubes. It gave me so much confidence actually. I just tried to get the answer to a question above. Broadly speaking, I’m always afraid only of God, not only in this, but in any situation. :grinning:


You are most welcome :slight_smile:

Well we have that, now can we… :smiley:


Communication between devices has certain rules. These rules describe things like:

  • Who talks first
  • What a message structure should look like
  • How one party knows when the other party has shut up (finished their message), so they can then start their message
  • If a received message doesn’t make sense or is missing information, how to let the other party know this
  • Many other scenarios that could occur while two parties are trying to exchange messages

These rules are called a “protocol”. There are HUNDREDS (if not, thousands) of “standard” protocols in existence,

Remember that these devices are effectively communicating with 0s and 1s. Over USB and Ethernet (assuming copper wires :slight_smile: ), they represent these by turning the electrical wires in the USB/Ethernet cables on and off at an agreed tempo (often called a “baudrate”).

More or less like morse code over the Telegraph :smiley:

Just like the telegraph operator might accidentally misinterpret the beeps as a different message (what 0s and 1s mean what is called the “encoding”), USB and network devices might also misunderstand something, or be told to just accept whatever is given to them, without worrying about what it actually is.

Usually, nowadays, when a device receives a message it didn’t expect (or understand), it’ll either ignore it, or ask for the other party to send the message again.

But occasionally, due to sloppy programming, it is sometimes possible to send over deliberately malformed messages that just might be misinterpreted as “delete all files”, or “I’m now your root user”.

The concept of firmware getting “infected” or “poisoned” is a bit misleading. They’re tricked into doing things they weren’t designed to do…

Does that make sense?

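The last reply describes a deliberately malformed message being "misinterpreted" by a sloppy parser as a command it was never meant to receive. The following toy job-control protocol shows one concrete way that happens, with the sloppy parser next to a strict one. It is an added example written for this thread; the record format, the command codes and the parser bug are invented for the illustration and are not modelled on any real printer or protocol.

```python
"""Toy job-control protocol: how a sloppy parser turns a malformed message into a command.

Added example for this thread, not modelled on any real device. Assumed record
format: 1 byte type, 1 byte payload length, payload bytes, records back to back.
"""
import struct

PRINT = 0x01        # payload is data to print
ADMIN_RESET = 0x7F  # privileged: wipe settings; must never come out of a print job


def parse_lenient(stream: bytes, max_records: int = 8):
    """Buggy parser: reads the length as a *signed* byte and never bounds-checks it.

    max_records only stops the demonstration from looping forever.
    """
    records, offset = [], 0
    while offset < len(stream) and len(records) < max_records:
        rtype, length = struct.unpack_from("Bb", stream, offset)   # 'b' is signed
        payload = stream[offset + 2: offset + 2 + length]
        records.append((offset, rtype, payload))
        offset += 2 + length   # a negative length moves the cursor backwards
    return records


def parse_strict(stream: bytes):
    """Unsigned length, and the declared length must fit in what is left."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 2:
            raise ValueError(f"truncated header at offset {offset}")
        rtype, length = struct.unpack_from("BB", stream, offset)
        available = len(stream) - offset - 2
        if length > available:
            raise ValueError(f"record at offset {offset} claims {length} bytes, "
                             f"only {available} available")
        records.append((offset, rtype, stream[offset + 2: offset + 2 + length]))
        offset += 2 + length
    return records


def make_record(rtype: int, payload: bytes = b"") -> bytes:
    return bytes([rtype, len(payload)]) + payload


def privileged_records(parser, stream: bytes):
    """The records a dispatcher would execute with privilege."""
    return [r for r in parser(stream) if r[1] == ADMIN_RESET]


def strict_rejects(stream: bytes) -> bool:
    try:
        parse_strict(stream)
        return False
    except ValueError:
        return True


# Constructed honest job and constructed attack job. The attack job is a PRINT
# record whose payload happens to be the bytes of an ADMIN_RESET header,
# followed by a record whose length byte 0xFC is 252 unsigned but -4 signed.
HONEST_JOB = make_record(PRINT, b"hello")
CRAFTED_JOB = make_record(PRINT, bytes([ADMIN_RESET, 0x00])) + bytes([PRINT, 0xFC])

if __name__ == "__main__":
    print("lenient:", parse_lenient(CRAFTED_JOB))   # re-reads offset 2 as ADMIN_RESET
    print("strict rejects crafted job:", strict_rejects(CRAFTED_JOB))
```

Trace the lenient parser on CRAFTED_JOB: the first record is an ordinary two-byte PRINT, the second has "length" -4, so the cursor is moved back to offset 2, where the attacker's payload bytes 7F 00 are now read as an ADMIN_RESET header. Nothing in the firmware was "infected"; the parser simply trusted a field it should have validated, which is the point the reply above makes.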