The benefits and drawbacks of an airgapped Qubes PC

if anyone read my threads, here and here ,
then you know that I’m being targeted, at the hardware level / root of trust.

But i don’t have any technical evidence, only common sense evidence,
since i’m not networking expert, not or cybersecurity expert, not or firmware expert.

this lead me to,
transforming my old laptop (intel pentium dual core), into an air-gapped laptop.

  1. installing old linux distro, that is not compatible with laptop wifi card. So since its installation, the laptop has never been connected to the internet (eliminate malware infection possibilities from internet). (i didn’t install Qubes, because old laptop specs cannot support).
  2. unplugging all NICs (wifi card, bluetooth module, adsl card)
  3. rarely plug in any usb storage device, maybe only 2-3 times, and the device also trust-able.
  4. using the air-gapped laptop in an empty room, without any other electronic devices. But still surrounded by many wifi signal, since nowadays wifi signal are everywhere, and also any other electromagnetic signal, such as radio, cellular, etc.

then i use the air-gapped laptop to type anything private.
but then, the leak still happen, and my adversary still know whatever I type in the air-gapped laptop.
so i really don’t know, how a laptop without NICs can still connect to the internet.

until then i read these several references: 1, 2, 3, 4

  • found out that without NICs, actually laptop component (memory, gpu, etc), still can emit radio signal, or weak wifi signal.
  • maybe then these signal can be captured by special software / hardware / tool ,
  • and what make it suspicious more is, several weeks ago, my ISP replaced my old modem and router, with a new bigger modem, and 2 big expensive router.

Now the questions are:

  • whether the firmware, by default, is commanding the air-gapped laptop component to emit signal ?
    if it is, then maybe flashing the firmware can solve the issue ?
  • but what if the laptop component, can naturally emit signal, without any command from firmware ?
    if it is, then maybe flashing the firmware cannot solve issue ?
  • any other possibilities ?

don’t use a old linux distro, just remove all the networking driver and done

what is your “trust-able” specification

AFAIK, “no”

you correct

it can’t solve that issue

electricity, etc

1 Like

@newbie assuming you are really being targeted, it might be time for you to face some uncomfortable (low-tech) questions:

  • are there any people in your life you are sharing these secret thoughts with?
  • knowing you as a person and your history: how hard is it to guess what you might be writing about?
  • those leaks … are they always 100% correct or is it more a hit and miss kind of thing?
  • are there any people in your life with access to this computer, who might be able to guess your password(s)?
  • why would anyone want to spy on you / leak your secrets? who would benefit from it?

… is it possible this is not a technical issue?

3 Likes

Have you considered the possibility of being surveilled via another compromised device or via an implant?

Also:

3 Likes

i mean trust-able, because i bought it new, around 5-10 years ago,
re-format & re-use it for years already without any issue, and single user,
so then I assume it is trust-able.

do you think the emitted signal by laptop component, can be transformed into data / information ?
or is it just a random electromagnetic signal that contain no information ?

i had disassembled the laptop twice, compared everything inside with several references from internet, and found nothing suspicious. Also i have used it in empty room without any other electronic devices.

Audio key-logging or ultrasonic beacon maybe the gap, do you think by unplugging the speaker can eliminate the audio key-logging ? if we use on-screen keyboard, what if the GPU / any component emit signal containing screen display ?

imo, people around me, are not even qualified to be a newbie, in networking, cybersecurity, firmware, etc, and maybe not even interested, so for sure no solution.

but sometimes, i still share them some info about cybersecurity, surveillance, linux, open source, and sometimes also encourage them to use qubes.

i think no, because i use strong password, even sometimes me myself forget.

imo, not possible to guess, because it is random.

do you consider kind of witchcraft that can read mind ?
hmm, i don’t think such thing exist, but assuming it exist, then still no,
because sometimes, i keep things to write in my mind for days, due to no time to write, and no leak happen, as long as it still in my mind, but leak happen after writing.

common sense evidence, but very obvious, in both the timing and words, so it give me 100% confident, although it has always been wrapped as coincidence. Flood of coincidences, in both the timing and words, that happen in too many uncountable times for years. Last time i still note each coincidence that happened one by one, but then since too much already, so then i’m lazy to note anymore.

it started in year 2018, they started covert smear campaign against me, it’s not an open campaign, but covert close campaign, so i cannot clarify anything, and no one ask my clarification either.

basically, what they did is, stalking my social life, stalking my activity, smear campaign, instigate, provoke, & manipulate everyone, to put me under surveillance, flood me with anger, bullying, trolling, roasting, doxing, gas-lighting, offensive & intrusive sarcasm, unethically interfering my business, unethical communication, purposely misunderstood and frame me, privacy invasion, information disclosure, active surveillance, and so on. Also creating secret hidden covert communication affair with everyone approached to plot something against me. Ostensibly asking help, from so many people, to flood me with advice, but actually the real intention are covert smear campaign, covert negative campaign, covert black campaign, framing accusation, unethical interference, control and surveillance.

it has happened since 2018 until now. but 2018-2019, it happened by secretly stalking & approaching everyone in my social media only. Starting in year 2020, there was additional surveillance, they started targeting my electronic devices, laptop, mac, smart phone, tablet, including mic and cam.

if software is doing something crazy (like moving data “randomly” in ram), it can

if it not intended, yes (actually it not totally random, but it weak if signal is not designed to broadcast signal, however if you use strong antenna and know how to decode this, ~25% chance you would able to find correct information in the list of attempt (the chance is low because electronic component is very properly shielded from electromagnetic from both outside and inside))

maybe no, this is from keyboard

not gpu, but display cable has more ideal condition to capture display data (preventing solution: warp the cable with aluminum fold)

i guess you don’t know about psychology (only apply for very resourceful adversary)

unless they can put a special hat that can read you mind (yes, such thing exist) without you know, it not possible

then you should

however you still in luck because they are not skilled adversary


about your thread model

image
it in 2nd or 3th column

1 Like

Thought this might be a good read for anyone in this thread.

Very cool methodology.

And I thought turning an HDMI port on a broken machine into an Ethernet port was an achievement… I have a lot to learn! :joy:

yes, and it need no trick because hdmi is designed to carry video, audio, usb and ethernet signal (i use dvi monitor)

Recently, I read many papers about cybersecurity attack, and none of these papers mention any harmful hardware, but most attacks require backdoor / malware, regardless it is covert channel attack, or side channel attack.

imo, the papers i read, can be categorized into 2 categories:

  • covert channel attack: attack that create capability to transfer information by piggybacking existing processes. References: 1, 2, 3, 4, 5, 6, 7, 8
  • side channel attack: attack based on information gained from the implementation of a computer system, rather than weaknesses in the algorithm itself. References: 1, 2, 3, 4, 5, 6, 7

Below are some interesting finding i found from the references above.

Papers related to side channel attack, mention that all attacks require malware infection. Please kindly inform if there is any side channel attack, that doesn’t require malware infection.

In papers related to covert channel attack, what is considered harmful,
is not hardware, but firmware-carrying architecture, because:

  • laptop components that carry firmware, is not read only, so it is write-able, so can be infected.
  • firmware carried by laptop components, are not open firmware, so maybe contain backdoor.
  • IIRC, also mention that the architecture is not open hardware.

what laptop components carry firmware ?

  • SPI flash chip, Embedded Controller (EC), discrete devices (wifi card, bluetooth module), hard disk
  • mic, speaker, cam, audio card, disk controller, gpu, usb controller, NICs
  • all maybe backdoor-ed / can be infected by malware
  • what can BIOS malware actually do ? everything

if firmware-carrying component, is not only SPI chip, and all firmware can be backdoor-ed / infected, then does it mean, flashing BIOS only is not enough ?

x86 firmware has many vulnerabilities, but little movement to patch. IIRC, the attached references above, were published around 2010 - 2015, but until now, so far i know, there is no any single stateless architecture being produced, then what should we do, to make those proposal come true ?

Security gap possibilities:

  • BIOS malware does exist. Snowden’s leaks of classified information, have shown that the NSA, had BIOS infection capabilities, since at least 2008.
  • Firmware attacks don’t require physical access, or hardware modification.
  • Malware can infect firmware via software that runs inside OS.
  • Malware can infect firmware over remote connection.
  • Malicious firmware due to backdoor-ed by vendor / during shipment.
  • Software can attack secure boot mechanism.
  • Conspiring vendor / during shipment can subvert the hardware.
  • Malware can use speaker to communicate with other devices, then exfiltrate low-bandwidth information.
  • if the mic, cam, speaker’s firmware is backdoor-ed / infected by malware, then adversary can use those for video / audio recording.
  • EC (embedded controller) is responsible for keyboard. Backdoor-ed / infected EC can sniff keystroke.
  • adversary can send packets over the network to the network adapter, then take full control of the adapter, add backdoor in the OS kernel by using DMA accesses, attack other peripherals, key-logging keyboard, eavesdrop data on the network card.
  • adversary can remotely execute code on the network card, then do everything they want, ie replacing the firmware, etc

however you still in luck because they are not skilled adversary

it is saddening, to know that, i don’t have enough power, capacity, and capability, to protect my right, and now, after spending so much time and hard work, maybe i still have to depend on luck. But bad things happen already, and now what important is, what i can learn from this.

Below are some things that i learn, maybe i can share,
but maybe it doesn’t apply for everyone, because maybe we have different reality.

  • build security before being targeted, because delaying until being targeted, then maybe is too late. Before, i have never thought, that one day i will be targeted, until then suddenly i’m being targeted.
  • help someone who’s being targeted, before we are being targeted, so that we can learn how to improve our security.
  • BIOS malware and backdoor do exist, so if anyone have budget, then buy and support secure hardware product, ie librem purism, system 76, nitrokey, insurgo, etc
  • choose best solution for security, ie Qubes OS, tails, whonix, etc
  • Be part of movement / activity / community, to protect human right, in technology area, so that it doesn’t produce system, or architecture, that violating human right, and indirectly we also protect our right.
  • use and support open source product, to protect ourselves from massive surveillance, because:
    • surveillance is about control and power, tolerating surveillance means tolerating our freedom / market freedom, slowly being taken, day by day.
    • try our best to avoid big tech product, to avoid control, monopoly, and massive surveillance by big tech.
    • massive surveillance can be switched into active surveillance at anytime.
    • massive surveillance will continuously collect our data, and it can be misused by adversary or anyone, to disadvantage us at anytime, either directly, or indirectly.
  • maybe we think, being targeted, at the root of trust, requires big problem, but in my experience, I don’t even know, what exactly the problem is. Kind of random excuse, after clarifying one, they will come with another random excuse.
  • maybe we think, being targeted, at the root of trust, requires high profile person, but i’m just a random low profile person.
  • maybe we think, being targeted, at the root of trust, requires high expert skilled adversary, or high rank in power adversary, but in my reality, it is not necessary, because they can seek help from expert, ISP, government people, someone in power, and even nation states.
  • maybe we think, being targeted, at the root of trust, requires benefit for adversary, but in my reality, what motivate adversary to target us, is not always benefit, but also anger, disappointment, hatred, control, intolerance, insecurity, false belief, misunderstanding, being manipulated by others, etc
4 Likes

i don’t understand, what is “that”

note: most type of firmware are read-only rom

it possible in theory, however in realty, it almost impossible, it require too much effort to create it

maybe i forgot to sad it small luck


i think you better than me when talking about “trust” and hypothetical-like thing

note: most type of firmware are read-only rom

but i read from the paper, it is write-able, ie the firmware in EC can be infected / backdoor-ed, so it can sniff keyboard keystroke, the firmware in network card can be infected, the firmware in mic, cam, speaker also can be infected, so then i assume as long as it can be infected, then it is write-able

if software is doing something crazy (like moving data “randomly” in ram), it can

if it not intended, yes (actually it not totally random, but it weak if signal is not designed to broadcast signal, however if you use strong antenna and know how to decode this, ~25% chance you would able to find correct information in the list of attempt (the chance is low because electronic component is very properly shielded from electromagnetic from both outside and inside))

it possible in theory, however in realty, it almost impossible, it require too much effort to create it

how do you know these things ?
assumption, opinion, self experience or do you read somewhere ?

maybe no, this is from keyboard

do you mean that audio key-logging from keyboard keystroke doesn’t need speaker, so it can produce audio without speaker ? IIRC, i also read about this, in one of the reference, related to side channel attack, so the malware can emit audio key-logging without speaker

this

1 Like

When the software is written shockingly poorly :joy:

I flash BIOS chips with an EEPROM and SOIC clip almost every day. Whether they are read-only is wholly dependant on whether their currently-running firmware allows write access to the chip.

But if the chip is off, of course you can write to them!

Think of it this way. If you are trying to access parts of a drive as a non-root user while the OS is running, the OS will deny you. But if you then take that drive and access it from another OS (where you have root privileges), you can access anything you want.

That is why we encrypt our hard drives :sunglasses:

RISC-V is the next best thing being procured at the moment.


Can all of these things be done?
With the right conditions, YES they can.

Are they a good return on investment?
It depends. Am I trying to steal from as many people as possible and take advantage of the less bright individuals, or am I going after ONE person, whom I will do some serious recon on, to ensure that I absolutely nail them…?

What countermeasures can be taken to mitigate these?

  • How do you change a cake when you don’t know the recipe…?
  • KNOW YOUR MACHINE as best you can (just like you can tell when your car is “not quite right”, you need to have the same level of sync with your machine…naming your machine like a captain names a ship “Betsy” is optional :stuck_out_tongue:)
  • Assume NOTHING - Assume it’s possible until PROVEN otherwise

“How do you emit sound without a speaker? It’s impossible…”
sounds very similar to
“How do you create office documents without Microsoft Office? It’s impossible…”

And I’d hope we all know the correct answer to the office document question :wink:

As long as the components required can fulfill the tasks, then it really doesn’t matter whether the components were designed to do them or not.


On another note, I will point out that there are some TV stations that will layer a loop of sound that’s above the audible frequency of the human ear on certain shows and commericals. It allows any internet-connected devices with microphones to pick up these sounds.

Think wifi signals, but just above the audible frequency range of the human ear.

In practice, it allows for data collection that someone was watching a certain channel/show/commercial, even if their TV screen is airgapped.

Similarly, since all electronic devices emit an electromagnetic field of some sort (unless, they’re OFF), if, by some creative manipulation of the device/component, that field can be manipulated; and that manipulation can be “heard” or “seen” by another component, then BOOM, you’ve got your communication! :upside_down_face:

okay, so you maybe at least a firmware expert

i mean rom from some controller, data are written at silicon level

i know this is tech forum, but wifi signal are electromagnetic signal while sound are vibration of a material

You can write to them too… That’s how the initial software gets onto them during the manufacturing process…

Correct. That was intended to entice people to think outside the box, hence the “scientific license”.

i found many project work on this, all failed

sound from keyboard when you press a key

how?!?

i think so, imo EM signal and audio signal are different,
if not, then we will emit EM signal when talking

imo, pressing most of keyboard key, produce the same typing sound

Unless the steps for the functioning of the device is hard-coded in the circuit design (the routing of the wires), you configure it exactly the same way you write to any electronic component that can be configured…

Yes. This can be done, but the requirements of this make it something that you wouldn’t do to simply anyone. It’s a lot of effort unless you were targeting a specific individual…

So yes. It IS possible :slight_smile: