Host Security Basics
Users are recommended to first read relevant Computer Security Education entries concerning host security, such as:
- Core Dumps
- Firmware Security and Updates
- Hardware Threat Minimization
- Host Firewall Basics
- Host Operating System Selection
- MAC Address
- Malware and Firmware Trojans
- Open-source Hardware
- Out-of-band Management Technology
- Router and Local Area Network Security
- System Configuration and Access
- TCP and ICMP Timestamps
Anonymous Mobile Modems
Warning: The technique outlined in this section may be ineffective against advanced adversaries who can:
"Mobile modems" refers to portable broadband modems which allow a computer to connect to the Internet via the cellular network. These devices support use of the 2G, 3G and 4G networks.
For activities necessitating the best possible anonymity, it is theoretically safer to use an anonymous mobile modem far away from one's normal location, rather than a local Internet connection. The reason is that the dial-up or broadband provider normally knows your name, postal address and non-anonymous payment method. This is problematic if Tor or Whonix is compromised, since an adversary could pressure the service provider and very easily confirm your identity. If instead an anonymous mobile modem user is successfully attacked, the leaked IP address will not immediately lead back to the user's postal address.
It is safest to assume that identification and location information can be discovered if specifically targeted, alongside potential eavesdropping of activities and communications. Always conduct a threat assessment of planned activities before following any course of action!
Default Configuration Whonix Users
- Easy: Plug or integrate the mobile modem into the host operating system as its internet connection replacement.
- Difficult: Plug the mobile modem into the Whonix-Gateway (sys-whonix) and only route Whonix-Gateway's traffic through it, not the host traffic.
Physically-Isolated Whonix Users
It is necessary to use the second method outlined above. There is no host system in this case, since the Whonix-Gateway runs bare-metal on a second computer.
Safe Purchase of a Mobile Modem and SIM Card
- Buy the mobile modem anonymously. This may be in a store, second-hand, or on the street. Be sure to leave no personal data during the purchase.
- Be aware of cameras and potential witnesses to purchases.
- Do not use the modem for any non-anonymous activity prior to using it for Whonix purposes.
- Telecommunication companies routinely log the serial numbers of phones (IMEI) and SIM cards, as well as the phone number for network logins. Therefore it is also necessary to:
- Buy the SIM card anonymously (prepaid is better).
- Buy cash codes in different stores anonymously.
- Never use the anonymous SIM card with a non-anonymous phone or mobile modem beforehand.
Mobile Modem Warnings
Many devices are produced by a handful of countries whose products have run insecure software in the recent past. Devices have also frequently exhibited critical zero-day vulnerabilities, such as remote code execution flaws, exploitable firmware, cross-site scripting (XSS) and cross-site request forgery (CSRF).
Always choose hardware carefully and conduct meticulous manufacturer research beforehand!
Mobile Modem Operation
When using cellular networks, users often receive a shared external IP address due to the scarcity of IPv4 addresses; thousands of users can share one IPv4 address at the same time. Also, some providers do not yet log users' (NAT) source ports, so given only an IP address and time stamp, the provider cannot pinpoint a user. This is a nice feature, but do not rely on it for strong anonymity!
Some providers assign additional, unique IPv6 addresses to their users. This is not a concern for intended Tor usage, as Tor does not yet automatically utilize IPv6. For greater security, online activities should be conducted in locations that are new, distant, random, and non-circular.
Anonymous WiFi Adapters
Normally the dial-up or broadband provider knows your name, postal address and non-anonymous payment method. If Tor or Whonix is compromised, then an adversary only needs to pressure the service provider to confirm your identity. This is not the case if using an anonymous WiFi adapter plugged or integrated into the Whonix-Gateway.
For safer use, it is recommended to:
- Buy the WiFi adapter anonymously in a store, second-hand or on the street.
- Never provide personal data during a purchase.
- Do not use the adapter for any non-anonymous activity beforehand. Some providers or hotspots log MAC addresses and the username (if paid).
- If possible, only use free hotspots or pay for them anonymously. Otherwise abstain from paid hotspots.
- For greater security, always use a new, distant, random, non-circular hotspot location.
- Check for cameras and witnesses during online activities.
Hardening
Whonix does not yet improve host security. It is recommended to use a secure host operating system like Debian GNU/Linux and manually harden it. Also follow relevant steps in the System Hardening Checklist for greater security.
Hardware Component Risks
In the default configuration, Whonix provides significant protection against circumvention of the proxy obedience design. This includes:
- Applications not honoring proxy settings (proxy bypass IP leaks).
- Applications disclosing the user's real IP (protocol IP leaks).
- Remote code execution exploits with user-only rights (exploit + unsafe browser).
- Remote code execution exploits with root rights (exploit + root exploit + unsafe browser).
However, if a second exploit is used to break out of the VM, the default Whonix installation is broken and the user's real IP address will be revealed. Only Whonix run with physical isolation will defeat this attack. This is because the Whonix-Workstation host does not know the real IP address, only the Whonix-Gateway which is running on another machine. Consequently, to successfully deanonymize the user, the attacker must also: exploit the physically isolated Whonix-Gateway, subvert the Tor process, or attack the Tor network at large.
Nevertheless, physically-isolated users should be aware that if an adversary manages to break out of the Whonix-Workstation VM using an exploit, then additional risks are posed by the hardware components that are built-in or have been additionally installed. This includes CPU and HDD / SSD temperature sensors, microphones and cameras.
In the case of Whonix with physical isolation:
- The user's IP address is still safe, but the temperature sensors can be used for anonymity set reduction.
- Different CPU, HDD and SSD models will report different sensor information, depending on climate and weather. If possible, it is advised to remove or to obfuscate the sensor results.
- Cameras and microphones can be covertly activated by the adversary. Remove external hardware and/or disable them in BIOS if possible. At a minimum, cover them or ideally remove them.
In the case of a default Whonix installation, the same general recommendations apply, although it does not really matter since the user will have been deanonymized successfully.
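As an added example that is not part of the Whonix wiki, the POSIX shell function below lists the temperature sensors a GNU/Linux system exposes through sysfs, so a physically isolated user can see what the sensor surface inside the Whonix-Workstation actually looks like before deciding what to remove or obfuscate. The sysfs locations (/sys/class/hwmon and /sys/class/thermal) are the kernel's standard ones; the optional root argument is an assumption added so the function can also be run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki): enumerate the temperature sensors a
# GNU/Linux host or guest exposes via sysfs. An attacker who escaped the VM could
# read exactly these values, so the list is what anonymity-set reduction via
# sensors would draw on.
# Usage: audit_sensors [SYSFS_ROOT]   (defaults to /sys; the argument is an
# assumption added so the function can run against a constructed tree)

audit_sensors() {
    root="${1:-/sys}"
    count=0
    # hwmon: one directory per chip, a "name" file and tempN_input files
    # holding millidegrees Celsius
    for dev in "$root"/class/hwmon/hwmon*; do
        [ -d "$dev" ] || continue          # unmatched glob stays literal: skip
        chip=$(cat "$dev/name" 2>/dev/null || echo unknown)
        for input in "$dev"/temp*_input; do
            [ -f "$input" ] || continue
            millideg=$(cat "$input")
            # integer division turns millidegrees into whole degrees
            printf 'hwmon %s %s %s C\n' "$chip" "$(basename "$input" _input)" "$((millideg / 1000))"
            count=$((count + 1))
        done
    done
    # thermal zones: "type" names the zone, "temp" is again millidegrees
    for zone in "$root"/class/thermal/thermal_zone*; do
        [ -d "$zone" ] || continue
        ztype=$(cat "$zone/type" 2>/dev/null || echo unknown)
        if [ -f "$zone/temp" ]; then
            printf 'thermal %s %s C\n' "$ztype" "$(( $(cat "$zone/temp") / 1000 ))"
            count=$((count + 1))
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "no temperature sensors exposed"
    fi
    return 0
}
```

Run `audit_sensors` on the host and again inside the Whonix-Workstation. Inside a VM the list is usually empty, because hypervisors do not normally pass hwmon or thermal-zone devices through to the guest, which is the desired result. Any sensor that does appear is a candidate for removal (for example by not loading the kernel module that provides it) or for obfuscation.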
Hostnames
The hostname given to a user's home computer or device can be leaked via a number of protocols, posing a privacy risk depending on the specificity of the naming convention. For further information, see here.
Power Saving Considerations
Warning: Upon system suspend / standby, Full Disk Encryption keys are still kept in RAM.
Users at high risk or traveling should avoid leaving a system in the suspend or standby state. Instead, the recommended power mode to use is hibernation. This will lock all system partitions to a safe state, though there is a small trade-off in startup time.
On GNU/Linux hosts, standby does not always leave LUKS keys in memory: some experimental projects and custom setups using systemd plus scripting erase the keys before system suspend to avoid mistakes.
Following a system standby period, the network fingerprint for Tor on the Whonix-Gateway is identical to a standard Tor instance on the host that has gone through the same procedure. There are some old connections that go stale and need renewal, but nothing is seen by a network adversary because time leak identifiers have been stripped out of Tor's protocol / OpenSSL, and TCP Timestamps are gone.
In order to reconnect, manual time adjustment is required or the VM can simply be powered off and then powered on again. This step will not be necessary once hypervisor-specific post resume hooks are used, because guest clocks will be seamlessly updated upon power state changes from the host.
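Two of the host-side points on this page can be checked in configuration: the hotspot MAC-logging item under "Anonymous WiFi Adapters" (whether the host randomizes its Wi-Fi MAC address) and the warning above that suspend keeps Full Disk Encryption keys in RAM (whether the host is configured to hibernate instead). The script below is an added example, not code from the Whonix wiki or the Whonix project. The keys it reads are NetworkManager's own (wifi.scan-rand-mac-address, wifi.cloned-mac-address) and systemd's own (AllowSuspend, AllowHybridSleep, AllowSuspendThenHibernate, AllowHibernation in sleep.conf; HandleLidSwitch, HandleSuspendKey in logind.conf); which values it calls "hardened" is this script's policy, and the file paths are parameters so it can run against constructed copies.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki): audit two host settings this page
# touches on. (1) Wi-Fi MAC randomization in NetworkManager.conf; (2) the systemd
# sleep policy (prefer hibernation, since suspend leaves FDE keys in RAM).
# Which values count as hardened is this script's own policy; file paths are
# parameters so the checks can run against constructed copies.
# Usage: mac_rand_status /etc/NetworkManager/NetworkManager.conf
#        sleep_policy_status /etc/systemd/sleep.conf /etc/systemd/logind.conf

# Value of KEY in an ini-style FILE (comments skipped, last assignment wins).
conf_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ || NF < 2 { next }
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
          val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

# (1) NetworkManager randomizes the MAC used for scanning by default (unset = yes)
# but keeps the hardware MAC once associated unless cloned-mac-address is set.
mac_rand_status() {
    scan=$(conf_value "$1" wifi.scan-rand-mac-address)
    cloned=$(conf_value "$1" wifi.cloned-mac-address)
    case "${scan:-yes}" in yes|true|1|on) scan_ok=1 ;; *) scan_ok=0 ;; esac
    case "$cloned" in random|stable) cloned_ok=1 ;; *) cloned_ok=0 ;; esac
    if [ "$scan_ok" -eq 1 ] && [ "$cloned_ok" -eq 1 ]; then
        echo "hardened: scan=${scan:-yes} cloned=$cloned"
    else
        echo "weak: scan=${scan:-yes} cloned=${cloned:-preserve}"
    fi
}

# Drop-in fragment for /etc/NetworkManager/conf.d/ (path assumed) that passes (1).
hardened_nm_fragment() {
    cat <<'EOF'
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
EOF
}

# (2) Suspend, hybrid sleep and suspend-then-hibernate all leave RAM powered;
# only plain hibernation removes the key from memory.
sleep_policy_status() {
    problems=""
    for k in AllowSuspend AllowHybridSleep AllowSuspendThenHibernate; do
        case "$(conf_value "$1" "$k")" in no|false|0|off) ;; *) problems="$problems $k" ;; esac
    done
    case "$(conf_value "$1" AllowHibernation)" in no|false|0|off) problems="$problems AllowHibernation" ;; esac
    for k in HandleLidSwitch HandleSuspendKey; do
        v=$(conf_value "$2" "$k")          # systemd default for both is "suspend"
        case "${v:-suspend}" in suspend|hybrid-sleep|suspend-then-hibernate|sleep) problems="$problems $k" ;; esac
    done
    if [ -z "$problems" ]; then
        echo "hardened: suspend paths disabled, hibernation allowed"
    else
        echo "weak:$problems"
    fi
}

# Configurations that pass (2).
hardened_sleep_conf() {
    cat <<'EOF'
[Sleep]
AllowSuspend=no
AllowHybridSleep=no
AllowSuspendThenHibernate=no
AllowHibernation=yes
EOF
}

hardened_logind_conf() {
    cat <<'EOF'
[Login]
HandleLidSwitch=hibernate
HandleSuspendKey=hibernate
EOF
}
```

`wifi.cloned-mac-address=random` gives a fresh MAC on every connection, while `stable` gives a per-network MAC that is random but constant across reconnects; both hide the hardware address, which is what the MAC-logging point is about. The check applies to whichever system owns the adapter: the host in the default configuration, the Whonix-Gateway when the adapter is attached to it. For the sleep policy, hibernation writes the contents of RAM to the swap or hibernation image, so it only keeps the FDE key off disk when that image itself lives inside the encrypted volume.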
Footnotes
- This is undocumented and therefore unrecommended.
- https://github.com/Whonix/sdwdate/blob/master/etc/qubes/suspend-pre.d/30_sdwdate.sh and https://github.com/Whonix/sdwdate/blob/master/etc/qubes/suspend-post.d/30_sdwdate.sh