Host Security

From Whonix


Host Security Basics[edit]

It is recommended to first read relevant Computer Security Education entries concerning host security, such as:

Anonymous Mobile Modems[edit]

Introduction[edit]

Warning: The technique outlined in this section may be ineffective against advanced adversaries who can:

"Mobile modems" refers to portable broadband modems which allow a computer to connect to the Internet via the cellular network. These devices support use of the 2G, 3G and 4G networks.

For activities necessitating the best possible anonymity, it is theoretically safer to use an anonymous mobile modem far away from one's normal location, rather than using a local Internet connection. The reason is that the dial-up or broadband provider normally knows your name, postal address and non-anonymous payment method. This is problematic if Tor or Whonix ™ is compromised, since an adversary could pressure the service provider and very easily confirm your identity. By contrast, if a mobile modem user is successfully attacked, the leaked IP address will not immediately lead back to the postal address of the user.

It is safest to assume that identification and location information can be discovered if specifically targeted, alongside potential eavesdropping of activities and communications. Always conduct a threat assessment of planned activities before following any course of action!

Warnings[edit]

Many mobile modem devices are manufactured by a handful of companies like Huawei, Gemtek, Quanta and ZTE, with insecure software/firmware being the norm. Devices have often shown critical zero days [archive]: [1]

The findings include Remote Code Execution (RCE) in web scripts, integrity attacks, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS).

The research covers a full range of attacks against carrier customers using these types of modems — device identification, code injection, PC infection, SIM card cloning, data interception, determining subscriber location, getting access to user accounts on the operator's website, and APT attacks.
...

All in all, we have a full infection cycle of devices and related PCs. Using the infected devices, we can determine location, intercept and send SMS messages and USSD requests, read HTTP and HTTPS traffic (by replacing SSL certificates), attack SIM cards via binary SMS messages, and intercept 2G traffic. Further infection can continue through the operator's networks, popular websites or equipment infected by worms (when connecting a new device).

Key points from this research: [2] [3]

  • Virtually all the exploits could be conducted remotely.
  • 60% of the mobile modems studied were vulnerable to RCE.
  • Only a minority of mobile modems protected against arbitrary firmware modifications.
  • In some cases, CSRF attacks could be used to remotely upload modified firmware and perform arbitrary code injection.
  • XSS often allowed for everything from host infection to SMS interception, as well as modified firmware installation.

The take-home message is always choose hardware carefully and conduct meticulous manufacturer research beforehand!

Safe Purchase of a Mobile Modem and SIM Card[edit]

Recommendations:

  • Buy the mobile modem anonymously. This may be in a store, second-hand, or on the street. Be sure to leave no personal data during the purchase.
  • Be aware of cameras and potential witnesses to purchases.
  • Do not use the modem for any non-anonymous activity prior to using it for Whonix ™ purposes.
  • Telecommunication companies routinely log the serial numbers of phones (IMEI) and SIM cards, as well as the phone number for network logins. Therefore it is also necessary to:
    • Buy the SIM card anonymously (prepaid is better).
    • Buy cash codes in different stores anonymously.
    • Never use the anonymous SIM card with a non-anonymous phone or mobile modem beforehand.

Configuration[edit]

Table: Whonix ™ Mobile Modem Configuration

Whonix Platform: Default Configuration Whonix ™
Recommendation:
  • Easy: Plug or integrate the mobile modem into the host operating system as its internet connection replacement.
  • Difficult: Plug the mobile modem into the Whonix-Gateway ™ (sys-whonix) and only route Whonix-Gateway ™ traffic through it, not the host traffic. [4]

Whonix Platform: Physically-isolated Whonix ™
Recommendation: It is necessary to use the second method outlined above. There is no host in the sense that the Whonix-Gateway ™ is running bare-metal on a second computer.

Mobile Modem Operation[edit]

When using cellular networks, it is common to receive a shared external IP address due to the scarcity of IPv4 IPs. This can lead to thousands of people sharing one IPv4 address at the same time. Also, some providers do not yet log the users' (NAT) ports; this means providers cannot pinpoint individuals when they are given an IP address and time stamp. This is a nice feature, but do not rely on it for strong anonymity!

Some providers assign additional and unique IPv6 IP addresses to their users. This does not prohibit safe use of the Tor network, because IPv6 is not (yet) configured by default, see: The Tor IPv6 Roadmap [archive]. For greater security, on-line activities should be conducted in locations that are new, distant, random, and non-circular.

Anonymous WiFi Adapters[edit]

Normally the dial-up or broadband provider knows your name, postal address and non-anonymous payment method. If Tor or Whonix ™ is compromised, then an adversary only needs to pressure the service provider to confirm your identity. This is not the case if using an anonymous WiFi adapter plugged or integrated into the Whonix-Gateway ™.

For safer use, it is recommended to:

  • Buy the WiFi adapter anonymously in a store, second-hand or on the street.
  • Never provide personal data during a purchase.
  • Do not use the adapter for prior, non-anonymous activity. Some providers or hotspots log MAC addresses and the username (if paid).
  • If possible, only use free hotspots or pay for them anonymously. Otherwise abstain from paid hotspots.
  • For greater security, always use a new, distant, random, non-circular hotspot location.
  • Check for cameras and witnesses during online activities.

Hardening[edit]

Whonix ™ does not yet improve host security. It is recommended to use a secure host operating system like Qubes [archive] or Debian GNU/Linux and manually harden it. Also follow relevant steps in the System Hardening Checklist for better security.

Hardware Component Risks[edit]

In the default configuration, Whonix ™ provides significant protection against circumvention of the proxy obedience design. This includes:

  • Applications not honoring proxy settings (proxy bypass IP leaks).
  • Applications disclosing the user's real IP address (protocol IP leaks).
  • Remote code execution exploits with user-only rights (exploit + unsafe browser).
  • Remote code execution exploits with root rights (exploit + root exploit + unsafe browser).

However, if a second exploit is used to break out of the VM, the default Whonix ™ installation is broken and the real IP address will be revealed. Only Whonix ™ run with physical isolation will defeat this attack. This is because the Whonix-Workstation ™ host does not know the real IP address, only the Whonix-Gateway ™ which is running on another machine. This means deanonymization requires the attacker to either: exploit the physically isolated Whonix-Gateway ™, subvert the Tor process, or successfully attack the Tor network at large.

Nevertheless, physically-isolated users should be aware that if an adversary manages to break out of the Whonix-Workstation ™ VM using an exploit, then additional risks are posed by the hardware components that are built-in or have been additionally installed. This includes CPU and HDD / SSD temperature sensors, microphones and cameras.

In the case of Whonix ™ with physical isolation:

  • The real IP address is still safe, but the temperature sensors can be used for anonymity set reduction.
  • Different CPU, HDD and SSD models will report different sensor information, depending on climate and weather. If possible, it is advised to remove or to obfuscate the sensor results.
  • Webcams, microphones and speakers can be covertly activated by the adversary. Remove external hardware and/or disable them in BIOS if possible. At a minimum, cover them or ideally remove them.

In the case of a default Whonix ™ installation, the same general recommendations apply, although it does not really matter since the user will have been deanonymized successfully.

Hostnames[edit]

The hostname given to a home computer or device can be leaked via a number of protocols, posing a privacy risk depending on the specificity of the naming convention. For further information, see here.

Power Saving Considerations[edit]

Warning: Upon system suspend / standby, Full Disk Encryption (FDE) keys are still kept in RAM.

Users at high risk or traveling should avoid leaving a system in the suspend or standby state. Instead, the recommended power mode to use is hibernation. This will lock all system partitions to a safe state, though there is a small trade-off in startup time.

On GNU/Linux hosts, standby does not necessarily leave the LUKS keys in memory: some experimental projects [5] and custom systemd + scripting setups erase the keys before the system suspends, so that a forgotten suspend does not expose them.
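The custom systemd + scripting approach mentioned above, as an added example that is not Whonix's code nor the cited project's: a systemd sleep hook that freezes non-root LUKS data volumes with cryptsetup luksSuspend (which wipes their keys from kernel memory) before the host suspends, and after resume logs which mappings still need luksResume. The hook file name and the /run state file path are assumptions; the root volume is deliberately left alone, which is the case that needs the initramfs-based project in footnote 5.

```shell
#!/bin/sh
# Sleep hook, e.g. /usr/lib/systemd/system-sleep/luks-suspend (systemd's real hook directory;
# the file name and the /run state file below are assumptions). systemd runs each executable
# there as:  <script> pre|post suspend|hibernate|hybrid-sleep|suspend-then-hibernate
# Scope: non-root LUKS data volumes only. `cryptsetup luksSuspend` freezes I/O on a mapping and
# wipes its key from kernel memory. Root is skipped on purpose: once root is suspended nothing
# more can be loaded from disk, which is why root needs the initramfs approach of footnote 5.
STATE=/run/luks-suspend.list   # tmpfs, so it is readable while the data volumes are frozen

# Print the device-mapper names of crypt targets found in `dmsetup table` output, one per line.
# Input line format: "<name>: <start> <length> crypt <cipher> <key> <iv_offset> <device> ..."
luks_mapping_names() {
    printf '%s\n' "$1" | awk -F: '$0 ~ / crypt / { print $1 }'
}

# Drop the root mapping ($2) and any further names to keep unlocked ($3, space separated).
select_suspendable() {
    names=$1; root=$2; skip=$3
    for n in $names; do
        case " $root $skip " in *" $n "*) continue ;; esac
        printf '%s\n' "$n"
    done
}

# Name of the dm mapping backing /, empty when / is not on device-mapper.
root_mapping() {
    src=$(findmnt -n -o SOURCE / 2>/dev/null)
    case "$src" in /dev/mapper/*) printf '%s\n' "${src#/dev/mapper/}" ;; esac
}

sleep_hook() {
    case "$1" in
    pre)
        table=$(dmsetup table --target crypt 2>/dev/null) || return 0
        : > "$STATE"
        sync   # flush dirty pages now; a suspended mapping blocks every later write
        for m in $(select_suspendable "$(luks_mapping_names "$table")" "$(root_mapping)" ""); do
            logger -t luks-suspend "wiping key of $m before $2"
            cryptsetup luksSuspend "$m" && printf '%s\n' "$m" >> "$STATE"
        done ;;
    post)
        # Keys are gone and a hook cannot prompt for a passphrase: tell the user what to resume.
        [ -s "$STATE" ] || return 0
        while read -r m; do
            logger -t luks-suspend "frozen: run 'cryptsetup luksResume $m' to unlock it"
        done < "$STATE" ;;
    esac
}
sleep_hook "$@"
```

After resume, processes blocked on a frozen volume continue as soon as the user runs cryptsetup luksResume for it from a shell on the (still readable) root volume.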

Following a system standby period, the network fingerprint for Tor on the Whonix-Gateway ™ is identical to a standard Tor instance on the host that has gone through the same procedure. There are some old connections that go stale and need renewal, but nothing is seen by a network adversary because time leak identifiers have been stripped out of Tor's protocol / OpenSSL, and TCP Timestamps are gone.

To reconnect to Tor following a suspend / standby / hibernation period:

  • Non-Qubes-Whonix ™: Manual time adjustment is required or the VM can simply be powered off and then powered on again. [6]
  • Qubes-Whonix ™: After resume, time adjustment is automatic and seamless. [7] [8]

Footnotes[edit]

  1. http://blog.ptsecurity.com/2015/12/critical-vulnerabilities-in-3g4g-modems.html [archive]
  2. For a detailed description of how these vulnerabilities are exploited, refer to the source document and additional reference.
  3. 3G and 4G USB modems are a security threat [archive].
  4. This is undocumented and therefore not recommended.
  5. https://github.com/jonasmalacofilho/ubuntu-luks-suspend [archive]
  6. This step will be unnecessary once hypervisor-specific post resume hooks are used, because guest clocks will be seamlessly updated upon power state changes from the host.
  7. https://github.com/Whonix/sdwdate/blob/master/etc/qubes/suspend-pre.d/30_sdwdate.sh [archive]
  8. https://github.com/Whonix/sdwdate/blob/master/etc/qubes/suspend-post.d/30_sdwdate.sh [archive]

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)