What would happen if my router got compromised while using qubes?

  • I was thinking about the Qubes words: "the operating system that can help you even when you get compromised".

  • How could the Qubes system deal with this issue?

  • I mean here: router hacking is when someone takes control of your router without your consent.

Am I still safe with the Qubes Operating System?

Qubes already assumes that your network is compromised, so if your router is compromised, nothing really changes from Qubes’ perspective.

1 Like

Only your sys-net qube is directly interacting with your router. As long as you don’t do anything sensitive in it, you should be safe. But also see this: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-082-2022.txt.

1 Like

If someone has control over your router, then they can monitor your
activity. Qubes helps to mitigate against this by allowing you to route
traffic through Tor, either using a Tor Proxy or sys-whonix.
There will still be some traffic which will be observed in the clear
unless you take steps to stop it.

If the router is working normally then it will provide some measure of
protection in itself. If someone has control of the router then they can
remove these protections.
They also have a foothold on your local network, which they may be able
to use to attack your Qubes system - that would depend on how you use
Qubes in your local network, and by monitoring traffic they may be able
to identify attack vectors. This would open the way for a direct attack
on a qube other than sys-net.
Otherwise sys-net would be a direct target.

It’s probable that they will be able to subvert your DNS, which may open
you to attack - generally this would only affect individual qubes. The
only direct attack on dom0 would be if they attempted to subvert the
dom0 update process. Not particularly likely.

It’s quite likely that most users don’t have control over their routers
and are dependent on the good will of their ISP.

2 Likes

Since many newer users are not familiar with the dom0 update process, it’s also worth noting that subverting that process would require much more than merely controlling the user’s router. See:

3 Likes

Do you have a way for me to find out if I’ve been hacked or attacked?

To understand if you’ve been hacked, you will need to collect and analyze evidence that would support that assertion. If this something you’re getting started with for the first time, there’s a number of concepts and tools that you’ll want to acquaint yourself with.

An attacker looking to compromise a target will likely largely follow a number of conceptual steps outlined in the Cyber Kill Chain (forgive the defense nomenclature; its origins are rooted in the defense industry): What is the Cyber Kill Chain? Introduction Guide | CrowdStrike

The specific areas of investigation you’ll want to be gathering information around will likely fall in the main categories of:

  • Exploitation
  • Installation
  • Command and Control

In general, this means that you’d be looking for processes and connections that are suspicious and analyzing them. You may want to analyze them for indicators of compromise: Indicator of compromise - Wikipedia. A good place to start is to use Wireshark to capture network traffic and analyze it: Introduction to Wireshark - GeeksforGeeks.

Then any suspicious IPs and domains you find can be looked up on AlienVault’s OTX: https://otx.alienvault.com and cross-correlated.

What’s included here in this post is at the base level of The Pyramid of Pain: Enterprise Detection & Response: The Pyramid of Pain but it’s a good start. The fact of the matter is - establishing with evidence and not mere conjecture that one has been hacked is a mildly to wildly complicated undertaking depending upon the attacker’s sophistication. And learning how to capture, analyze, and establish findings in fact takes time and effort.

This is, unfortunately, an inadequate introduction into digital forensics and incident response (DFIR) but if this is something you want to learn more about - I hopefully have given you enough of a footing to start researching and learning!

1 Like
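As an added illustration of the "suspicious connections" step in the answer above (example code, not from the Qubes project or the poster): a small Python script that reads a simplified connection log, of the kind one could export from a Wireshark capture taken in sys-net, and flags flows whose connection intervals are nearly constant, the beaconing pattern typical of command-and-control traffic. The log format, qube names and addresses are constructed for the example.

```python
"""Flag periodic ("beacon-like") outbound connections in a connection log.
Added example; assumes a constructed log with one connection per line:
epoch seconds, source qube, destination IP, destination port."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: the work qube browses normally, while the untrusted
# qube reaches 203.0.113.9:8443 every 60 s, the shape C2 beaconing often has.
SAMPLE_LOG = """\
1700000000 work 198.51.100.20 443
1700000007 work 198.51.100.21 443
1700000010 untrusted 203.0.113.9 8443
1700000070 untrusted 203.0.113.9 8443
1700000095 work 198.51.100.22 443
1700000130 untrusted 203.0.113.9 8443
1700000190 untrusted 203.0.113.9 8443
1700000200 work 198.51.100.20 443
1700000250 untrusted 203.0.113.9 8443
"""

def parse_log(text):
    """Yield (timestamp, src_qube, dst_ip, dst_port) tuples, skipping bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: ignore it rather than abort the analysis
        ts, src, dst, port = parts
        yield int(ts), src, dst, int(port)

def find_beacons(text, min_hits=4, max_cv=0.2):
    """Return {(src, dst, port): mean_interval} for flows whose gaps between
    connections are nearly constant (coefficient of variation <= max_cv)."""
    times = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        times[(src, dst, port)].append(ts)
    beacons = {}
    for flow, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few observations to call anything periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[flow] = avg  # regular cadence: worth a closer look
    return beacons
```

Flows the script reports are candidates for review, not proof of compromise; a legitimate update checker or chat client can be just as regular, so the destination still needs to be looked up and correlated as the answer describes.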

Some of this could also be relevant: What's the best way to check if qubes is hacked?

2 Likes

Interesting, what custom router firmware do you personally recommend for security? DD-WRT? OpenWrt? Another?

Also, if a person is not tech savvy enough to flash custom firmware, is there a commercial router you recommend?

I guess these routers should be reasonably secure: Products | RYF.

1 Like