Last update: March 17, 2019.


Hardware Threat Minimization


Eavesdropping Risk

The user should check whether the computer or notebook has a microphone. Microphones are often built-in and go unnoticed. In most cases it is recommended to disable the microphone for security reasons. If Whonix-Workstation (anon-whonix) is ever compromised by malware, an adversary could eavesdrop through the microphone. [3] Similarly, keyboard acoustic side channel attacks can use the audio leakage from keyboard typing to infer the words up to a certain degree of accuracy. [4] [5]

Voice Recognition

It is safe to assume that everyone has had an unencrypted phone call during their lifetime and that one of them has been recorded. Voiceprints allow a person to be identified from the specific characteristics (acoustics) of their voice, which makes them a useful biometric marker. [6] This means personal and unique voiceprints can be used to link non-anonymous and "anonymous" voice samples. This process is called voice recognition and is documented in the introduction chapter of the VoIP wiki page. [7]

Disabling or Removing Microphones

By default, microphones that are connected to the host are made available to virtual machines like Whonix-Workstation (except for Qubes-Whonix, see further below).

For best security, external microphones should be unplugged. If the microphone is built-in and the user decides to disable it, there might be a BIOS option available. Suitably skilled users can also attempt to remove built-in microphones, although this is more difficult.

Select Use of Microphones

Multiple Whonix-Workstations should be used for:

  • Making Internet calls.
  • Conducting Voice over IP (VoIP).
  • Any other microphone use inside Whonix-Workstation (anon-whonix).

In this way, the microphone is used in select Whonix-Workstations and not all. The microphone should be unplugged after use.

For VoIP purposes, audio pass-through capability may need to be enabled for the respective hypervisor. The following section documents how to get audio working on supported platforms.


KVM by default emulates a line-in/line-out in the virtual sound device, meaning microphone passthrough to guests is enabled if it is turned on for the host.


VirtualBox has access to the host's microphone by default. Users can disable access by muting it on the host. Alternatively, from VirtualBox 5.2 there is an option to enable/disable VM guest access to the host's microphone. [8]

When the VM is stopped, run:

VBoxManage modifyvm <uuid|vmname> --audioin off

Or, when the VM is up and running, use:

VBoxManage controlvm <uuid|vmname> audioin off
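
The following sketch is an added example, not part of the Whonix wiki or VirtualBox itself. It picks the matching command for each VM depending on whether it is running, and prints the commands for review instead of executing them. It assumes the `"name" {uuid}` line format printed by `VBoxManage list vms` and `VBoxManage list runningvms`; the helper names and sample UUIDs are made up.

```shell
#!/bin/sh
# Added example (not Whonix or VirtualBox project code).
# Chooses the matching "audioin off" command for every registered VM:
# controlvm for VMs that are running, modifyvm for VMs that are stopped.

# Constructed sample input in the '"name" {uuid}' form printed by
# `VBoxManage list vms` and `VBoxManage list runningvms`.
SAMPLE_ALL='"Whonix-Gateway" {11111111-1111-4111-8111-111111111111}
"Whonix-Workstation" {22222222-2222-4222-8222-222222222222}'
SAMPLE_RUNNING='"Whonix-Workstation" {22222222-2222-4222-8222-222222222222}'

# vm_uuids (hypothetical helper): read list output on stdin,
# print one UUID per line and ignore anything that is not a VM line.
vm_uuids() {
    sed -n 's/^".*" {\([0-9a-fA-F-]\{36\}\)}$/\1/p'
}

# plan_audioin_off ALL_VMS RUNNING_VMS (hypothetical helper)
# Prints the commands without executing them so they can be reviewed first.
# modifyvm takes the setting as an option (--audioin);
# controlvm takes it as a subcommand (audioin).
plan_audioin_off() {
    running_uuids=$(printf '%s\n' "$2" | vm_uuids)
    printf '%s\n' "$1" | vm_uuids | while read -r uuid; do
        if printf '%s\n' "$running_uuids" | grep -qxF -- "$uuid"; then
            echo "VBoxManage controlvm $uuid audioin off"
        else
            echo "VBoxManage modifyvm $uuid --audioin off"
        fi
    done
}

# Demo on the constructed sample. On a real host pass
# "$(VBoxManage list vms)" and "$(VBoxManage list runningvms)" instead.
plan_audioin_off "$SAMPLE_ALL" "$SAMPLE_RUNNING"
```
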


From Qubes R4, the desktop panel icon ("Q") is used to attach or detach microphones to select VMs: [9] [10]

Left-click "Q" -> Assign the microphone to select VM


Webcams on infected machines can be used to take snapshots, record video or eavesdrop using the built-in microphone. Recent research reveals that even remote screen views can be accurately determined via webcams, due to "content-dependent acoustic leakage from LCD screens." [11]

Always check if the computer or notebook has a webcam; one might be built-in but have gone unnoticed. Check the computer's datasheet and operating system hardware manager to be sure. It is recommended that (external) webcams are disabled or removed, unless there are immediate plans to use them inside Whonix-Workstation (anon-whonix). Once a webcam session has finished, the webcam should be disabled and preferably unplugged straight away.

If the webcam is built-in, check whether it can be disabled with a BIOS setting. Suitably skilled users can attempt to remove built-in webcams, although this may be difficult. As a stop-gap measure, the webcam can always be covered with thick adhesive tape or a cap, so long as it is opaque.

Wireless Input Devices

Avoid using wireless keyboards and mice because most send data unencrypted. Even if this were not the case, the robustness of the cryptography involved in proprietary products cannot be verified. A local adversary up to 100 meters away can sniff keystrokes and inject their own, allowing them to take over the machine. [12] [13]


  1. The implant is called CAPTIVATEAUDIENCE, while the webcam equivalent is called GUMFISH.
  3. One attack vector is the use of spam emails which contain malware.
  5. Researchers continue to improve the accuracy of various techniques and attack vectors like feature extraction and classification, keyboard geometry and triangulation.
  7. Writing styles are also personal and unique. Individuals can be identified with a similar method called stylometry, which is documented on the Surfing Posting Blogging wiki page.
  10. Functionality is gradually being shifted from Qube Manager to standalone tools.
  11. This is a novel acoustic side-channel attack variant that relies on neural networks and the "coil whine" audio emissions from electronic components that power the LCD display.


Whonix Hardware Threat Minimization wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Hardware Threat Minimization wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
