Essential Host Security
Whonix ™ comes with many security features . Whonix ™ is Kicksecure ™ security hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.
This page is targeted at advanced users who wish to improve the general security of their host operating system to become even more secure.
Host Security Essentials
It is recommended to first read relevant Computer Security Education entries concerning host security, such as:
- Core Dumps
- Firmware Security and Updates
- Hardware Threat Minimization
- Host Firewall Essentials
- Host Operating System Selection
- MAC Address
- Malware and Firmware Trojans
- Open-source Hardware
- Out-of-band Management Technology
- Router and Local Area Network Security
- System Configuration and Access
- TCP and ICMP Timestamps
Anonymous Mobile Modems
"Mobile modems" refers to portable broadband modems which allow a computer to connect to the Internet via the cellular network. These devices support use of the 2G, 3G and 4G networks.
For activities necessitating the best possible anonymity, it is theoretically safer to use an anonymous mobile modem far away from one's normal location, rather than use a local Internet connection. The reason is the dial-up or broadband provider normally knows your name, postal address and non-anonymous payment method. This is problematic if Tor or Whonix ™ is compromised, since an adversary could pressure the service provider and very easily confirm your identity. However, if a mobile modem user is successfully attacked, the IP address leaked will not immediately lead back to the postal address of the user.
It is safest to assume that identification and location information can be discovered if specifically targeted, alongside potential eavesdropping of activities and communications. Always conduct a threat assessment of planned activities before following any course of action!
Many mobile modem devices are manufactured by a handful of companies like Huawei, Gemtek, Quanta and ZTE, with insecure software/firmware being the norm. Devices have often shown critical zero days: 
The findings include Remote Code Execution (RCE) in web scripts, integrity attacks, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS).
The research covers a full range of attacks against carrier customers using these types of modems — device identification, code injection, PC infection, SIM card cloning, data interception, determining subscriber location, getting access to user accounts on the operator's website, and APT attacks.
All in all, we have a full infection cycle of devices and related PCs. Using the infected devices, we can determine location, intercept and send SMS messages and USSD requests, read HTTP and HTTPS traffic (by replacing SSL certificates), attack SIM cards via binary SMS messages, and intercept 2G traffic. Further infection can continue through the operator's networks, popular websites or equipment infected by worms (when connecting a new device).
- Virtually all the exploits could be conducted remotely.
- 60% of the mobile modems studied were vulnerable to RCE.
- Only a minority of mobile modems protected against arbitrary firmware modifications.
- In some cases, CSRF attacks could be used to remotely upload modified firmware and perform arbitrary code injection.
- XSS often allowed for everything from host infection to SMS interception, as well as modified firmware installation.
The take-home message is always choose hardware carefully and conduct meticulous manufacturer research beforehand!
Safe Purchase of a Mobile Modem and SIM Card
- Buy the mobile modem anonymously. This may be in a store, second-hand, or on the street. Be sure to leave no personal data during the purchase.
- Be aware of cameras and potential witnesses to purchases.
- Do not use the modem for any non-anonymous activity prior to using it for Whonix ™ purposes.
- Telecommunication companies routinely log the serial numbers of phones (IMEI) and SIM cards, as well as the phone number for network logins. Therefore it is also necessary to:
- Buy the SIM card anonymously (prepaid is better).
- Buy cash codes in different stores anonymously.
- Never use the anonymous SIM card with a non-anonymous phone or mobile modem beforehand.
Table: Whonix ™ Mobile Modem Configuration
|Default Configuration Whonix ™||
|Physically-isolated Whonix ™||It is necessary to use the second method outlined above. There is no host in the sense that the Whonix-Gateway ™ is running bare-metal on a second computer.|
Mobile Modem Operation
When using cellular networks, it is common to receive a shared external IP address due to the scarcity of IPv4 IPs. This can lead to thousands of people sharing one IPv4 address at the same time. Also, some providers do not yet log the users' (NAT) ports; this means providers cannot pinpoint individuals when they are given an IP address and time stamp. This is a nice feature, but do not rely on it for strong anonymity!
Some providers assign additional and unique IPv6 IP addresses to their users. This does not prohibit safe use of the Tor network, because IPv6 is not (yet) configured by default, see: The Tor IPv6 Roadmap. For greater security, on-line activities should be conducted in locations that are new, distant, random, and non-circular.
Anonymous WiFi Adapters
Normally the dial-up or broadband provider knows your name, postal address and non-anonymous payment method. If Tor or Whonix ™ is compromised, then an adversary only needs to pressure the service provider to confirm your identity. This is not the case if using an anonymous WiFi adapter plugged or integrated into the Whonix-Gateway ™.
For safer use, it is recommended to:
- Buy the WiFi adapter anonymously in a store, second-hand or on the street.
- Never provide personal data during a purchase.
- Do not use the adapter for prior, non-anonymous activity. Some providers or hotspots log MAC addresses and the username (if paid).
- If possible, only use free hotspots or pay for them anonymously. Otherwise abstain from paid hotspots.
- For greater security, always use a new, distant, random, non-circular hotspot location.
- Check for cameras and witnesses during online activities.
Whonix ™ does not yet improve host security. It is recommended to use a secure host operating system like Qubes or Debian GNU/Linux and manually harden it. Also follow relevant steps in the System Hardening Checklist for better security.
Hardware Component Risks
In the default configuration, Whonix ™ provides significant protection against circumvention of the proxy obedience design. This includes:
- Applications not honoring proxy settings (proxy bypass IP leaks).
- Applications disclosing the user's real IP address (protocol IP leaks).
- Remote code execution exploits with user-only rights (exploit + unsafe browser).
- Remote code execution exploits with root rights (exploit + root exploit + unsafe browser).
However, if a second exploit is used to break out of the VM, the default Whonix ™ installation is broken and the real IP address will be revealed. Only Whonix ™ run with physical isolation will defeat this attack. This is because the Whonix-Workstation ™ host does not know the real IP address, only the Whonix-Gateway ™ which is running on another machine. This means deanonymization requires the attacker to either: exploit the physically isolated Whonix-Gateway ™, subvert the Tor process, or successfully attack the Tor network at large.
Nevertheless, physically-isolated users should be aware that if an adversary manages to break out of the Whonix-Workstation ™ VM using an exploit, then additional risks are posed by the hardware components that are built-in or have been additionally installed. This includes CPU and HDD / SSD temperature sensors, microphones and cameras.
In the case of Whonix ™ with physical isolation:
- The real IP address is still safe, but the temperature sensors can be used for anonymity set reduction.
- Different CPU, HDD and SSD models will report different sensor information, depending on climate and weather. If possible, it is advised to remove or to obfuscate the sensor results.
- Webcams, microphones and speakers can be covertly activated by the adversary. Remove external hardware and/or disable them in BIOS if possible. At a minimum, cover them or ideally remove them.
In the case of a default Whonix ™ installation, the same general recommendations apply, although it does not really matter since the user will have been deanonymized successfully.
The hostname given to a home computer or device can be leaked via a number of protocols, posing a privacy risk depending on the specificity of the naming convention. For further information, see here.
Power Saving Considerations
Users at high risk or traveling should avoid leaving a system in the suspend or standby state. Instead, the recommended power mode to use is hibernation. This will lock all system partitions to a safe state, though there is a small trade-off in startup time.
On GNU/Linux hosts, standby will not always result in having LUKS keys retained in memory. Some experimental projects  and custom setups with systemd+scripting are able to erase the keys before system suspend to avoid mistakes.
Following a system standby period, the network fingerprint for Tor on the Whonix-Gateway ™ is identical to a standard Tor instance on the host that has gone through the same procedure. There are some old connections that go stale and need renewal, but nothing is seen by a network adversary because time leak identifiers have been stripped out of Tor's protocol / OpenSSL, and TCP Timestamps are gone.
To reconnect to Tor following a suspend / standby / hibernation period:
- Non-Qubes-Whonix ™: Manual time adjustment is required or the VM can simply be powered off and then powered on again. 
- Qubes-Whonix ™: After resume, time adjustment is automatic and seamless.  
- For a detailed description of how these vulnerabilities are exploited, refer to the source document and additional reference.
- 3G and 4G USB modems are a security threat.
- This is undocumented and therefore unrecommended.
- This step will be unnecessary once hypervisor-specific post resume hooks are used, because guest clocks will be seamlessly updated upon power state changes from the host.