The benefits and drawbacks of an airgapped Qubes PC

Speaking on update security, am I right that as of now, only dom0 has a properly isolated vm-based update mechanism, and regular “non-networked” templates actually can access internet via localhost:8002 proxy in a quite unrestricted way, making it more “security by obscurity” issue rather than actual protection?

you could clone the repo and host it in a qube, let the templates load updates from that internal qube.

qubes is a relatively more secure operating system, with or without networking it uses the hardware suppported virtualization for compartentalization. so even if its just a pgp sub key that gets extended from that offlne machine, i guess you’re not writing down a 4096Bit key on paper to transfere it to another machine, or a closed source smartcart/hardware-token… so compartmentalize your main-key in a qube that gets no network (obv…) and no hardware attached. and qvm-move the created subkey to a disposible VM where you connect your USB device to. - there it is the use case for qubes even offline :slight_smile:

2 Likes

Templates and standalones use a proxy to access the designated update qube (sys-firewall by default) which I think has its own protection mechanisms.

This is good.

What about localized (physical) security? Are there any OSes that are hardened especially against, say, evil maid attacks?

Qubes OS has a documentation page on Anti Evil Maid:

I know about AEM (I started the thread on verified boot) but I want to know if there are OSes that perform better on the physical-threat front

Several years ago, for a Journalist or Human Rights Worker, it was suggested to run two exactly alike computers, I think with Whonix. One is to be Air-Gapped, and the other is online. Online one receives encrypted message, which is moved over to the Air Gapped one (USB Problems not mentioned.) Encryption and Decryption of Messages is to be handled only on the Air Gapped Computer.

There was some mention of installing OS from Scratch frequently, routinely.

I say this to partially answer the original question, Benefits of Airgapped computer (Qubes PC was the specific question.)

When US based Security Expert Bruce Schneier was reviewing the information provided by Snowden. After he did it, he wrote about how he did it. He purchased a used, refurbished laptop from a randomly chosen computer store. (They used to exist.) He removed the physical hardware that allowed it to be online. He installed and review the entirety of the Snowden Files (I am guessing including the parts that have yet to be made public). After he took his notes. He Hard Erased all the information on the Drive. Then I think removed the drive and physically destroyed it.

Only after he destroyed his copy of the Snowden Information, did he write that, - for awhile - he had a copy.

Apparently, it was supposed to be, but as of now, it is a generic TCP proxy.

I wouldn’t assume that you can sidestep it simply by using a different type of external storage device. Why couldn’t there ever be a “BadMicroSD”? It might not work the same way as BadUSB, but it might have the same practical detrimental effect.

But why should we simply assume this? In a world where Qubes offline vaults exist, why does anyone have to have a PC with zero networking hardware?

It’s worth pointing out that any such method will involve you somehow transferring the same bits from the internet to your air-gapped PC, just with different and extra steps. Effectively, you’d be trying to implement a firewall through physical procedures rather than software.

Isn’t this SecureDrop? My understanding is that that’s the setup they used to have before they switched to Qubes.

1 Like

Good to mention SecureDrop in this discussion. What I was referring to was years before SecureDrop was available, I seem to recall. One might keep in mind, if one was say sending information on a Human Rights case to -say , the New York Times with Secure Drop. The eventual goal of the New York Times is to make very public what was once secret. Or is it the goal of SecureDrop is to keep the identity of the Whistle Blower, unknown?

In the earlier scheme, the goal was to keep all the texts of messages encrypted on the computer which was connected to the internet. Qubes, in effect, is several different computers connected on the same hardware.

Perhaps what would be more interesting to ask; "What is the threat which makes one want to do an Airgapped Qubes? In my case, it might be my writing the great novel, without it being stolen before I get it finished.

Perhaps OP is not aware of the Security which is inherent in a properly used Qubes. Which, once again, brings up the discussion of what one can accidentally do to compromise Security while using Qubes? What one needs to do to use Qubes without being compromised?

Security is not just in the hardware or Software. It is how one uses it.

The logical possibility certainly exists.

I did some digging around the issue in our previous discussion on this issue and remember finding that it was too difficult to pull off in most scenarios since it involves physically accessing the microSD card and opening the tiny package for modifications, which would likely leave marks.

Some workplaces have such requirements to reduce risk to a minimum; others are just cautious. Regardless, this is one of those ‘thought experiment’ assumptions, like when someone asks you to imagine flying a plane on Jupiter–you can ask, “Why assume this?” but that’d be beside the point.

But the physical firewall has far more assurances than the digital firewall, since the connection between the containers are less prone to attacks of the unknown unknown variety (e.g. a yet unknown flaw in a firewall built from issues with the microcode)–the “different and extra steps” are valuable and generate an asymmetry in cost in your favor. The laws of physics are harder to find workarounds to than code.

The digital barrier only requires the circumvention of digital defences (everything is hackable), while the physical barrier in almost all cases require physical presence and novel techniques on top of the requirements for the former if implemented and relevant.

1 Like

Ooooohhh, that would be an interesting pentesting technique.

Tricking a microSD card reader that’s wired in the machine as a serial device into thinking that it’s got a keyboard plugged in…. :thinking:

You could be onto something :wink:

there one problem, microsd card is too small to do that
i remember i read somewere even a usb that when plug in there only enough plastic to unplug it can be considered safe
is that true?

Maybe now, but with a big enough budget, I’m sure there would be a way to do it…

Any chance you can reword this question? I’m not quite sure what you mean… :kissing:

a usb that just as big as a small thumb (or a normal eraser)

i can’t think any other word because my bad english

Honestly, I wouldn’t be assuming anything like that, just in case…

Basically, with cybersecurity, if you can imagine it, it’s most likely possible; and if you assume it “can’'t be done” or is “impossible”, you do so at your own peril…

Microsoft thought their Exchange servers were bulletproof (or at least “sufficient”). Solarwinds thought their updates were “secure”.

Hacking (both malicious hacking, and rooting your phone or ISP router to unlock features) is a creative art. I mean, you’re basically trying to find creative ways to achieve access to something, while working within certain parameters. It’s a logic game, and usually the most outlandish solutions end up working.

My point is, thinking up ways to attack is a creative process, and so is defending against them. Kind of like the way a lawyer will look for loopholes in legislation :slight_smile:

1 Like

i know, because the usb at that size can insert a μSD card so you can create a badusb based on that case

true
in my idea, you can make microsd card that make the computer thinking that a keyboard with 32mb memory can be flashed with nfc in theory

For what it’s worth, desktop SD card readers are SATA-based, and I have a feeling built-in laptop readers are as well.

I think the technical difficulty of writing malware that rests on your microSD that then hacks your SD card reader firmware (serial or not) is insane if not outright impossible, but I’m not the best judge of that. This is something the resident firmware expert @plexus might weigh in on.

When I say ‘logical possibility’, I meant to highlight how the possibility belongs in the realm of academic curiosities, but not really in the realm of practical threats. For one: microSD cards, AFAIK, have basically nothing beyond the filesystem space for firmware malware, and are compact enough that physical tampering and hardware modifications would be immediately spotted if one is paying attention (and if you think your threat model includes someone who can hack you by tampering with your microSD, you’d better be paying attention–everywhere; all the time)

 


Not technically-trained; consume with salt.

my desktop integrated card reader are usb

Bus 001 Device 005: ID 0bda:**** Realtek Semiconductor Corp. RTS5129 Card Reader Controller

it possible depend on what interface you sd card reader is (and if it usb, it also possible to have a mircosd card in that to store payload and the sd card itself act like a badusb)

what about making a new mircosd card?

1 Like

I meant to say ‘widely available’, and that those who are worried about keyboard emulation attacks should use them.

You mean make a microSD card that’s indistinguishable from the original, containing malware that would somehow hack your device, all in a microSD card’s original form factor? That would probably require foundry access. If that’s the case you have a state-owned actor on your tail and you have far bigger things to worry about.