Introduction[edit]

Before reviewing this section, be sure to also read the Warning page.

This wiki entry purposefully focuses on: General computing security information. Host operating system security advice. Preparatory steps before installing Whonix using a Type I hypervisor (Qubes-Whonix) or a Type II hypervisor like VirtualBox or KVM.

General[edit]

With its default settings, Whonix may provide better protection than Tor alone. Achieving greater security depends on how much time the user is willing to invest in Whonix configuration. Security also rests upon the daily practices and procedures that have been adopted by the user, see Documentation.

Safer Upgrades[edit]

If Whonix is already installed, before a Whonix upgrade is performed on the current platform it is best to shutdown any running virtual machine (VM) instances, particularly if they are attached to the internal virtual network ("Whonix" or "sys-whonix"):

• Qubes-Whonix: Before upgrading Whonix TemplateVMs, close as many open VMs as possible. Do not run VMs from different domains at the same time as upgrading.
• Non-Qubes-Whonix: If running VM instances are not shutdown, there is a cross-contamination risk for new machines being imported into the virtualizer. For example, this is possible if a powerful adversary has taken control over those VMs currently in use. This action is not required if the user intends to create a new virtual network for the machines being imported.

Tor Browser[edit]

Tip: Non-Qubes-Whonix users are recommended to always have the latest Tor Browser Bundle (TBB) release installed on the host operating system (OS). Qubes-Whonix users may also want to have TBB installed in a non-Whonix TemplateVM, like Fedora or Debian.

The TBB is useful to test whether or not:

• The user lives in a censored area.
• Tor is blocked by the Internet Service Provider (ISP).
• (Private) (obfuscated) bridges will be needed for operation of Tor Browser in Whonix, see Bridges.

If TBB fails to properly connect to Tor on the host OS or from a non-Whonix AppVM in Qubes, then Whonix will similarly fail to work. Another benefit of installing TBB in this fashion is that if Tor Browser unexpectedly stops running in Whonix, then Tor Browser can still be independently used to visit the Whonix website for a solution to this issue.

For even greater security and privacy, users should read and follow the advice in the Tor Browser chapter.

Host Security[edit]

Core Dumps[edit]

All OS platforms have a "core dump" functionality which poses potential security and privacy risks. According to Wikipedia: ^[1]

In computing, a core dump (in Unix parlance), memory dump, or system dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally. In practice, other key pieces of program state are usually dumped at the same time, including the processor registers, which may include the program counter and stack pointer, memory management information, and other processor and operating system flags and information. Core dumps are often used to assist in diagnosing and debugging errors in computer programs.

The primary function of core dumps is to provide the user or programmer with specialized information to determine the root cause of a system crash in order to perform debugging. These files are viewable as text or image formats, and can be analysed with special tools. In Windows, both kernel-mode dumps and user-mode dumps are available. The former contains information on either the full memory or large sections of it, while the latter is limited to single processes. ^[2]

Security and Privacy Risks[edit]

Most of today’s operating systems, libraries, languages, and so on leave sensitive data they handle - passwords, financial and other information - scattered throughout memory, and it often leaks to disk. Information may be left there for an indeterminate period and this increases the risk of a system compromise. [3]

Core dumps can potentially contain sensitive information like: ^{[4] [5] [6]}

• Any activities undertaken in a session.
• All existing contents in RAM at the time of a crash:
  • Disk encryption keys and passwords.
  • Details of open documents.
  • Other passwords.
  • Detailed system information that can assist targeted attacks.

Clearly, how long copies of data survive and where they end up are critical factors. There is no guarantee that RAM is wiped or overwritten during this process. This is not just a theoretical concern, as exploits in the wild have been observed which force privileged applications to perform core dumps, disclosing the contents of shadow password files and other information in the process. ^[7]

While this information is stored locally on GNU/Linux distributions, this is not the case on proprietary platforms. Windows and macOS generally ship this memory information to the OS vendor. ^{[8] [9] [10] [11] [12]}

For greater security, advanced users should consider configuring the OS to avoid making core dumps. If possible, preventing access to process memory is also advisable, along with secure storage of the file system. ^{[13] [14]} GNU/Linux users can further research disabling core dump features here and here.

Hostnames[edit]

Computers are given hostnames for a number of good reasons. For instance, this is particularly useful for computers which operate on a network, as administrators and users are then able to ping computers, remotely connect to the computer, mount computer disks, and conduct other relevant activities. Naming conventions for computers are usually left to the individual, and may either comprise random chosen selections (“MrBig”, “coffeelover”, “Qubes-WhonixRocks” etc.), or default values that comprise information such as user name, login name, and device brand / model / make.

In the case of smaller devices like smart phones, these usually have manufacturer-assigned names which are either generic (“Samsung Phone”) or completely unique (“android_f7s89f8ir78etywt”), and may contain information such as the brand name, language used, and the name of the device owner. In many cases, hostnames cannot be changed - or at least not without “rooting” the device. ^[15] In the case of Whonix, the hostname is always set to "host". ^{[16] [17]}

The hostname given to a user’s home computer or device can be leaked via a number of protocols, posing a privacy risk depending on the specificity of the naming convention. Vulnerable protocols which may leak the hostname include, but are not limited to: ^{[18] [19]}

• DHCP.
• DNS address to name resolution.
• Multicast DNS.
• Link-local Multicast Name Resolution.
• DNS service discovery.

Disclosure of information is particularly problematic for mobile devices, since adversaries that monitor remote networks (like Wi-Fi hotspots) are able to obtain the hostname via passive monitoring, or active probing using a variety of Internet protcols. In combination with traffic analysis, adversaries that can obtain a hostname may be able to extract information that identifies the particular device and its properties; potentially revealing unique individuals utilizing the device. ^[20]

Even if generic names are used for hostnames such as “pinkrose” or “linuxfan”, the possible identity of the user is narrowed significantly to a much smaller subset, particularly when combined with data on sites that are visited. This may quickly lead to user identification because hostname disclosure allows for tracking of the computer or device across many domains, and one-time exposure of the user via clearnet traffic can inform databases which link unique hostnames to user identities.

As a further example, consider an adversary that is tracking users connecting to a specific Wi-Fi hot spot in an airport. After retrieving the hostname of a particular user “ABSmith”, and observing VPN connections to the Apple corporate network, the two pieces of information reveal that Mr Smith is the owner, and is an employee of Apple.

Recommendations

Obviously a generic hostname is advisable, but in practice, there are limited other solutions available at present. One is to turn off any protocols that are not strictly necessary and which leak hostnames, particularly when insecure places are visited. This reduces the attack surface, but is impractical for certain protocols; for example, DHCP is necessary for Internet connectivity and many services depend on protocols such as mDNS. Another option is to use different hostnames for different purposes, rather than relying on a global hostname - this option is available on some OSes. Ultimately, a randomized hostname protocol is necessary to protect privacy, similar to methods utilized for MAC addresses. ^[21]

Malware[edit]

The integrity of the host is a critical part of the system's Trusted Computing Base. If the host system is compromised by malware, so is every Whonix virtual machine, Tor process and communication thought to be anonymous.

The Importance of a Malware Free System

Malware has malicious intent and can potentially: ^[22]

• View and take snapshots of the desktop.
• Peruse files and folders.
• Gain access to protected data when decrypted.
• Exfiltrate, corrupt or destroy data (particularly financial and personal information).
• Damage operating system functionality.
• Encrypt the contents of a drive(s) and demand payment for decryption (ransomware).
• Display unwanted advertising.
• Install unwanted software.
• Install persistent rootkits or backdoors.
• Track browsing and other behaviour.
• Remotely turn on webcams and microphones.
• Create "zombie" computers which form part of a botnet for spam email, DDOS attacks or the hosting of illicit / illegal material.
• Record everything a user types, sends and receives.

The Utility of Antivirus Tools

Antivirus products and personal firewalls are not drop in solutions for a secure host. Malware can often stay undetected and evade scans, while application level personal firewalls are often circumvented. ^[23] Polymorphic code and rootkits essentially render antivirus products helpless. ^{[24] [25]}

Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can serve as a pathway to exploiting a system's kernel, since they almost always run with administration level privileges. ^[26] Antivirus software also harms privacy by sending system files back to the company servers for analysis.^[27] The software also actively conducts man-in-the-middle attacks on secure SSL connections, enabling very sensitive information to be viewed. ^[28]

Preventing Malware Infections

The optimal scenario is to avoid infection by malware in the first place. Once malicious code has accessed a system, it is next to impossible to contain. Sensible steps include: hardening the operating system, carefully vetting programs and files that are retrieved from the internet, and using hypervisors (virtualizers) to isolate software that processes untrusted data.

Detecting Malware Infections

Detecting off-the-shelf (standardized) malware is a very hard problem and conceptually a lost cause. If uncustomized malware is widespread enough, then it has a chance of being detected by a technician. Tailored malware might also get detected by a technician, but the likelihood is low unless they are lucky or gifted.

Non-technical users don't have many good options. They can either:

• Spend a few years to rapidly increase their knowledge base of operating systems, network protocols, package analysis, programming, disassembly etc., and then try their luck.
• Pay exorbitant sums to a technician to try and find system malware, even though there is no certainty of success. ^{[29] [30]}
• Or seek the voluntary assistance of a technician to find malware, if they are both a high value target and have a reasonable rationale for why they are likely compromised. ^[31]

Firmware Trojans[edit]

Once a user is infected with very sophisticated malware that modifies low-level firmware, it is extremely difficult to detect in almost all cases.

Firmware infections should not be confused with hardware/circuit trojans, which are malicious modifications made to machine components during the manufacturing process. Despite their sophistication, circuit trojans are not immune to detection. ^[32]

Virtualizers and Hardware Compromise

Virtualizers like Qubes, VirtualBox and KVM cannot absolutely prevent the compromise of hardware. Running all activities inside VMs is a very reasonable approach. However, this only raises the bar and makes it more difficult and/or expensive to compromise the whole system. It is by no means a perfect solution.

No distribution of Linux, BSD, Xen or any other variant can solve the issue of needing to dispose of potentially infected hardware. Hardware-specific issues can really only be fixed at the hardware level. At best, software interventions can only provide workarounds.

The Promise of Libre Firmware

The problem is no hardware exists that consists of entirely Libre firmware. It is very difficult to analyze the firmware of hardware, wipe potentially compromised versions, or overwrite firmware with a most-likely-clean version.

Even if a user wholly depended on Libre firmware, this would only make verification easier but it could not stop infection. Disassembling hardware components - BIOS, disk controllers, CPU, Intel AMT and so on - and flashing them with clean versions offline is extremely difficult. It is simply cheaper and more convenient to buy new hardware.

The bundling of undesirable anti-features like DRM in closed firmware is further evidence that Libre firmware is needed, in addition to Libre hardware designs.

A hypothetical stateless computer ^{[33] [34]} would solve the problem of malware persistence, but it still could not protect against the damage (data-exfiltration) caused by successful exploitation.

Avoid Out-of-band Management Features[edit]

A commonly decried hardware feature on modern platforms is the Intel Management Engine (ME) and Active Management Technology (AMT).

Out-of-band Management Design[edit]

Out-of-band management has been around since 1998, when it was dubbed the Intelligent Platform Management Interface (IPMI) framework. ^[35] It consists of a proprietary firmware running on the Baseboard Management Controller (BMC), ^[36] which is a dedicated micro-controller in enterprise NICs to allow complete remote control over a machine despite its power state. ^[37]

Modern Intel ME is a firmware running on a dedicated micro-controller in all machines, while Intel AMT is the remote access feature introduced as part of the vPro platform. Most Intel hardware produced in the last ten years supports ME and AMT "features". ^[38] This includes: desktops, servers, ultrabooks, tablets, and laptops with the Intel Core vPro processor family (Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family). ^[39] Other popular hardware manufacturers also have an analogous feature to ME. For instance, AMD's "Secure Processor" (formerly "Platform Security Processor") is based in turn on ARM TrustZone technology. ^[40]

Out-of-band Management Functionality[edit]

The Electronic Frontier Foundation (EFF) states: ^[41]

The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network.

If the Intel ME is shipped with the AMT module which is both enabled and provisioned, then potentially any vulnerabilities present could allow attackers to bypass password authentication for the module.

Attackers who bypass password authentication can: ^[42]

• Interact with the screen or console in a fashion identical to a user.
• Boot arbitrary operating systems or install new operating systems.
• Steal disk encryption passwords.

If a system is vulnerable, the effect of this Intel technology is administrators (or hackers) can remotely monitor, maintain, update, upgrade and repair (or sabotage) computers, even while they are sleeping. This activity is distinct from software-based (in-band) management, since hardware-based management uses TCP/IP stack communication channels (bypassing any firewalls present), and the presence of an OS or locally installed management agent is not required. ^[43]

Exploitation Risk[edit]

Unfortunately, Intel ME and AMT have created serious security risks, because faults in the design potentially allow remote attackers to access the user's computer secretly and have full control and awareness. ^[44] On 1 May 2017, these fears were realized when Intel confirmed and patched a Remote Elevation of Privilege bug (CVE-2017-5689) in the ME technology.

Not every machine is susceptible to this attack, even though every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a potentially remotely exploitable security hole. In many cases, AMT is enabled but not provisioned by default for the 1st to 7th generation processors. Nevertheless, if a system is vulnerable the risks to unpatched systems include: ^[45]

• An unprivileged network attacker gaining system privileges to provisioned Intel management engines.
• An unprivileged local attacker could provision manageability features to gain unprivileged network or local system privileges.

The safest course of action is for users to disable the AMT module if possible in BIOS and to make sure that LMS is not installed. Failing that, the Intel firmware image should be updated to remove the security vulnerability. ^[46]

General Privacy and Security Concerns[edit]

The concerns posed by Intel (and partially AMD) firmware is comparable to any other proprietary firmware blob running on a user's system or all its peripherals. Almost every component in a modern computer has firmware running on auxiliary processors of varying architectures, all of which have privileged machine access. The inner workings of firmware binaries can still be investigated and examined for malware via reverse engineering. ^{[47] [48]}

Manufacturers are unlikely to insert a malicious backdoor intentionally into every product. The reason is if/when the backdoor was discovered, its intent would be undeniable and it would destroy the reputation of the business and severely impact revenue. Recent disclosures indicate that some adversaries instead favor targeted attacks (product interdiction and implants) to avoid detection for as long as possible. ^{[49] [50]} "Zero day" exploits are another preferred method of access by adversaries. ^[51]

The problem with out-of-band management is exemplified by the recent Intel security advisory. Exposing proprietary, hard-to-patch blobs which contain bugs to the network can lead to remote exploitation by advanced adversaries, including common criminals. The "Nobody But Us" (NOBUS) concept promoted by adversaries is simply a fallacy as evidenced by recent worldwide security incidents, including the leaking of the adversary toolkit used for hacking targets. ^[52] According to prominent Intel ME researchers and reverse-engineers, only corporate AMT firmware includes the networking stack, but the safest action is for users to avoid computers with this feature entirely. ^{[53] [54]}

In principle, the concept of out-of-band management has its place in data centers, not on personal home computers. Even in the former case, without Libre software the owner of the machine(s) cannot be sure they are the only person with remote access control, in order to patch security vulnerabilities on demand. ^[55] While the functionality is not secret, running a network-facing, bug-ridden proprietary OS and giving hardware privileged access to a machine has proven a horrible idea.

Hardware Recommendations[edit]

When buying new hardware, the user should avoid Intel hardware that has AMT. Unfortunately that rules out most modern Intel hardware produced in the last ten years. AMD chipsets do not contain fully featured out-of-band management like AMT. However, there are other comparable problems (from a freedom perspective) with hardware produced by both Intel and AMD. ^[56]

It has been recently discovered that ME can be disabled and mostly erased with a simple python script. The functionality of systems running both Libre and proprietary BIOS firmwares were unaffected, including recent CPU generations. Only experts should attempt this procedure, since the computer may become "bricked" (unusable) if the procedure is completed incorrectly. ^{[57] [58] [59]}

Avoid Other Out-of-band Features[edit]

Users should also avoid or disable the commonly deployed PXE boot ^[60] and Wake-on-Lan (WoL) "features". PXE is implemented either as a Network Interface Card (NIC) BIOS extension or as UEFI code in modern devices (where it can be easily disabled). ^{[61] [62]} On most systems, WoL hardware functionality is usually blocked by default and explicitly needs to be enabled using the system BIOS or UEFI. ^{[63] [64]}

Though rare nowadays, also avoid machines with the LoJack anti-theft feature since it is a persistent BIOS/UEFI firmware module that shares features with trojans or rootkits. For instance, laptops can be remotely locked, have files deleted, or disclose their exact location. Further, the module "phones home" daily to a monitoring center, providing location, user, software and hardware information. ^[65]

Using a Dedicated Host Operating System and Computer[edit]

Both Non-Qubes-Whonix and Qubes-Whonix users should avoid dual / multi-boot configurations. The other OS (like Windows) could modify the unprotected /boot partition or firmware to maliciously compromise Qubes or the host OS, and also potentially spy on user activities.

Non-Qubes-Whonix users are recommended to use one dedicated host OS just for hosting Whonix VMs. Otherwise, if the host OS which is used on a daily basis is compromised, Whonix cannot provide any additional protection since the host is part of the system's trusted computing base.

For even greater security, the dedicated host OS can be used on a computer solely bought for Whonix activities. Ideally this computer will have never been used for anything else before, negating the risk of a prior hardware compromise.

Using Whonix on External Media[edit]

At this time, Whonix does not provide a user-friendly USB creator (community contributions are welcome!). However, for greater security users can install the host operating system(s) required for Whonix on a dedicated (encrypted) external disk(s) such as a USB flash drive, FireWire and eSATA devices and so on.

Using external media reduces the risk of other operating system(s) infecting Whonix's host operating system. When Whonix disk(s) are not in use, they can either be removed or hidden.

There are a number of online guides explaining how to install Linux on a USB. These instructions can be followed to create a live Whonix USB, with the exception that both a supported virtualizer and Whonix must also be installed on the external media.

Using a Non-shared Host[edit]

Tip: Whonix should preferably be used only on computers without shared access.

It is unwise to allow others to use your computer, even if they are trustworthy individuals. If they are not equally knowledgeable in computer security, then one mistake could potentially lead to compromise of the entire system. ^[66]

Needless to say, Whonix should not be hosted in the cloud, on a foreign server that is not controlled by the user, on a virtual private server (VPS), or other remote hosting options. The risks include: ^{[67] [68]}

• Data on these systems is readily accessible to their owners.
• Data can be accidentally or deliberately altered / deleted.
• Legal ownership of data is disputed.
• Shared technological vulnerabilities include insecure interfaces and application program interfaces (APIs), data loss / leakage, and hardware failure.
• Proven vulnerability to large scale attacks like "hyperjacking", along with exposure to traditional threats like network eavesdropping, invasion, denial of service attacks, side-channel attacks and so on.

Firmware Updates[edit]

This chapter contains general security advice and is unspecific to Whonix.

Due to the difficulty of this topic and the specificity of hardware and host OS firmware, this issue is generally outside the scope of Whonix documentation. The links provided further below may not be the most relevant to the end user, necessitating further individual research.

Firmware on Personal Computers[edit]

Firmware is generally defined as the type of software that provides control, monitoring and data manipulation of engineered products. ^[69] In the case of computers, firmware is held in non-volatile memory devices such as ROM, EPROM or flash memory and is associated with: ^{[70] [71] [72] [73]}

• BIOS updates.
• Non-free drivers or firmware.
• Processor microcode updates (on Debian systems, depending on your processor, either the intel-microcode or the amd-microcode package).
• Firmware in storage devices like harddrives, DVD drives, and flash storage.
• All computer peripherals like printers, scanners and cameras / webcams.
• UEFI compliant firmware.
• Routers and firewalls.
• Network adapters, IO controllers, power management and graphics processing units.
• 3-D graphics engines.

Firmware Updating and Security Problems[edit]

The major problem with updating firmware is that it cannot be done automatically in most cases. Therefore, it is difficult to fix functionality or security issues after the hardware has shipped. While utility programs are often available to update BIOS, firmware in other devices is rarely updated and mechanisms for detecting and updating firmware is not standardized. ^[74] If firmware can be upgraded, this is usually possible via a program created by the provider. Old firmware should always be saved before upgrading. If the process fails or the newer version performs worse, the process can be reverted. ^[75]

Updating firmware may or may not improve security. On the one hand it may fix vulnerabilities, but on the other hand an update may introduce a new backdoor. If the reader knows of any such examples, they can be freely listed here. Unfortunately, end users must blindly trust the hardware producer, so it might be better to install non-free updates anyway. ^[76] Until these re-writable firmware areas are locked down or the code is open-sourced and vastly simplified, it is likely to remain a rich environment for malicious adversaries. ^{[77] [78]}

The reality is that advanced adversaries are routinely hacking the firmware of Internet routers, switches and firewalls, along with harddrive firmware, and UEFI/EFI and ethernet adapters. The number of targets is already in the tens of thousands on an annual basis. Subverting firmware in this manner provides a stealthy and persistent presence that can eavesdrop on or re-route all network data, or access information in invisible storage areas that are unecrypted (bypassing disk encryption). Worst of all, the firmware sabotage is believed to survive software updates or complete OS re-installations. Attacks may also be designed to corrupt firmware so machines are prevented from booting, even with an external drive. ^[79]

Using Open-source Hardware[edit]

This chapter contains general security advice and is unspecific to Whonix. Users interested in this topic should undertake significant research before purchasing any open-source hardware.

Hardware Trust in Modern Computing[edit]

Security researcher and Qubes founder, Joanna Rutkowska, has noted that modern computing and networking security relies upon a critical foundation - trusted hardware and firmware domains. Even high-security operating systems have an security upper bound that is defined by the trustworthiness of hardware components that are ideally placed to compromise the entire system if bugs or backdoors are present: ^[80]

... for years we have been, similarly, assuming the underlying hardware, together with all the firmware that runs on it, such as the BIOS/UEFI and the SMM, GPU/NIC/SATA/HDD/EC firmware, etc., is all. . . trusted.

But isn’t that a rational assumption, after all?

Well, not quite: today we know it is rather unwise to assume all hardware and firmware is trusted. Various research from the last ten years, as discussed below, has provided enough evidence for that, in the author’s opinion. We should thus revisit this assumption. And given what’s at stake, the sooner we do this, the better.

Rutkowska has concluded the following hardware components and mechanisms are all vulnerable to exploitation and often flawed in their implementation, making them easy to "backdoor": ^[81]

• x86 boot security (BIOS implementation).
• Vt-d (CPU-enforced sandboxing of networking).
• Graphics cards (GPUs) and sub-systems.
• USB controllers.
• Disk controllers (SATA etc.).
• Embedded controllers (for keyboard operation, battery charging etc.).
• Audio cards.
• Peripheral devices.
• Intel Management Engine (ME) and AMD Security Processor (embedded microcontrollers).
• Built-in speakers, microphones and cameras.

This is particularly true for privileged, out-of-band hardware components like Intel ME's AMT which can read or write any of the host computer's memory, without any constraints - the perfect, undetectable rootkiting infrastructure. ^[82] In short, it appears that modern computing architectures are impossible to secure properly, especially since popular, proprietary hardware options (Intel and AMD) dominate the market. ^[83]

Open-source Hardware Alternatives[edit]

Users who are motivated to avoid proprietary hardware solutions are in a bind. There are few options available that are truly "free" (open-source), affordable, and provide suitable processing power to run "secure" operating systems like Qubes-Whonix, because specific hardware requirements like VT-d and VT-x are necessary for compatibility with future software releases.

Open-source hardware is also not perfectly secure, since it is not "stateless", that is, lacking any persistent storage. ^[84] Further, "free" hardware does not really exist, since by definition it requires that hardware be free at all levels, including: licensing, the chip and circuit board designs, the field-programmable gate array, source code, relevant repositories and so on. Also, proprietary "soft cores" which are often incorporated in various hardware circuits need to be purged to meet the necessary criteria. ^{[85] [86]}

ARM-based Platforms[edit]

ARM architecture dominates smartphone and tablet markets and provides a good level of performance. However, an open-source "ARM processor" is non-existent, because only the specifications and other intellectual property (IP) are released to manufacturers under specific licenses. This leads to NVIDIA, Samsung and others combining the ARM IP with their own, leading to the actual, customized processors called System-on-Chips (SoCs). ^[87] ARM SoCs also often have a TrustZone extension, with implementation providing similar functionality to Intel's ME. There is nothing special in ARM architecture that prevents the possible introduction of backdoors.

Open-source Processors[edit]

Unfortunately, a fully open-source, Linux-capable based processor (SoC) is not yet available, with the design still being finalized. While this project will eventually allow a 64-bit RISC-V instruction set architecture and the development of low-cost boards, the wait may be lengthy (many years) and it is not clear such processors will perform well enough for typical desktop workflows like watching movies, running browsers, using office suites and so on. It is also unknown whether this design will allow for security technologies like IOMMU and memory virtualization. ^{[88] [89]}

Final Hardware Purchase[edit]

The Free Software Foundation (FSF) makes a number of relevant recommendations: ^[90]

• Find devices which support fully free distributions of GNU/Linux.
• Purchase hardware from manufacturers who support GNU/Linux.
• Purchase hardware which supports coreboot/libreboot as a proprietary BIOS replacement. ^[91]
• Purchase hardware without the need for proprietary drivers or firmware: hdnode.org.
• Check the FSF criteria for hardware certification requirements.
• If looking for a single-board computer (SBC), check the list of available (flawed) hardware. ^[92]
• Check the list of motherboards that are compatible with coreboot. ^[93]

Buyer Considerations[edit]

Based on the preceding information and links, users seeking an open-source solution need to make a compromise. Since RISC processors supporting a fully-fledged operating system do not yet exist, the closest thing available is single-board computers (SBCs), which are delivered as one circuit board that are powerful enough to run a real operating system.

These systems generally contain a SoC with an ARM processor, with options like Novena and PandaBoardES falling into this category. However, they still have a number of closed-source binary blobs and the FSF also notes "severe flaws" in these products due to proprietary design concerns.

High-end laptop options like those provided by Purism also seek to remove as many proprietary blobs as possible, for example by using coreboot in place of the standard BIOS implementation. Unfortunately, this solution is expensive and still relies on an Intel processor. Despite the claims that ME is "neutralized", the ME still poses potential security threats to the user as highlighted in Rutkowska's research.

In practical terms, it is just simpler for the majority of users to purchase a standard closed-source architecture. This provides a high-performance solution and the features necessary for compatibility with high-end operating systems like Qubes-Whonix. In the coming years when open-source processors and hardware designs further mature and the necessary functionality is provided for virtualization, users will then have a reasonable and fairly-priced alternative.

Firmware Considerations[edit]

Open-source hardware is not affected by the non-free firmware updates issue described in the previous chapter. Such hardware might be more trustworthy, but open source firmware can be just as insecure as a proprietary one. Fortunately, open source firmware increases the chances of making it actually secure, with options like coreboot appearing to be a promising solution. ^[94]

Host Operating System[edit]

Windows Hosts[edit]

GNU/Linux, Xen or BSD are the only serious options for a host operating system that respects privacy. The user can stop reading here or review the rest of this Windows chapter to find out why.

Windows as Malware[edit]

The Free Software Foundation is scathing in its analysis of Windows, due to the threats posed to user freedoms, privacy and security. Regardless of the version being used, the FSF classifies Windows as "malware", that is, software that is designed to function in ways that mistreat or harm the user. ^{[95] [96]}

Windows Backdoors and User Freedoms

• Microsoft has backdoored its disk encryption.
• Microsoft has a history of updating software without permission; this represents a universal backdoor to impose any changes they like.
• Microsoft now enforces upgrades to Windows 10 involuntarily.
• Microsoft undertook a range of actions to force Windows 7 and 8 users to upgrade to Windows 10.
• Microsoft ignored flags on Windows 7 and 8 specifying that upgrades to Windows 10 were not desired.
• For months, Microsoft tricked users into upgrading to Windows 10 if they failed to notice and deny the upgrade.
• Windows 8 has a backdoor for remotely deleting applications from the user's computer.
• The German government does not trust that Windows 8 and the Trusted Platform Module (TPM) v2.0 is not a backdoored combination.

Windows Insecurity

The suppostion that proprietary software is free of grave bugs is demonstrably false. In fact, the popularity of Windows platforms on desktops actually increases the risk, as attackers target the near monocultural operating system environment with regularity, for example:

• The Wanna Decryptor ransomware attack spreading the globe at the time of writing is solely focused on Windows platforms.
• Flaws in Internet Explorer and Edge have previously allowed attackers to retrieve Microsoft account credentials.
• Point-of-sale terminals running Windows were previously taken over in order to collect customers' credit card numbers.
• Windows uses weak or broken cryptographic verification methods like MD5 and SHA-1.
• Windows 7 and earlier versions do not provide a secure central repository for downloading software, meaning a host of users must risk dangerous downloads from the Internet.

Windows Sabotage

These are Microsoft technical actions that harm users of specific hardware or software:

• Microsoft has rapidly dropped support for Windows 7 and 8 on recent processors following the release of Windows 10.
• Microsoft has made Windows 7 and 8 non-functioning on certain new computers, compelling a switch to Windows 10 for certain users. For example, support has been dropped for all future Intel, AMD and Qualcomm CPUs.
• Proposed Windows 10 "upgrades" deny users the ability to cancel or postpone the proposed upgrade once accepted.
• Windows 10 upgrades delete applications with the user's permission.
• Microsoft has a history of collaborating with adversaries by informing them of bugs before they are fixed.
• Microsoft reportedly gives adversaries security tips on how to crack into Windows computers.
• Microsoft cuts off support for users of specific platforms (like XP) and software (such as popular Internet Explorer versions), after users have developed a software dependency.
• Microsoft has announced that starting with Windows 10, it will begin forcing lower-paying users to test less-secure new updates before giving higher-paying users the option of whether or not to adopt them.

Windows Interference

Microsoft often releases proprietary programs or updates that destabilize or reduce the utility of the user's system:

• Windows displays advertisements for Microsoft products and those of its partners.
• Windows inserts advertisements inside of File Explorer to nag users to buy subscriptions.
• As noted earlier, Microsoft nags users repeatedly to install Windows 10.
• Microsoft has encouraged users to complain to system administrators about not upgrading to Windows 10.

Windows Surveillance

• Windows DRM files can potentially identify people browsing with Tor.
• Windows 10 sends a host of core debugging information to Microsoft and third parties.
• Windows 10 sends information to Microsoft about applications used and those that are running.
• Microsoft has renamed "data slurping" features to give users the impression they were removed.
• Windows 10 has a host of snooping options enabled by default. This includes snooping on user files, text input, voice input, location information, contacts, calendar records, web browsing history, screenshots of running programs and how long they were running, and auto-connection to open hotspots which show targeted advertisements. Many options cannot be disabled at all in a standard installation.
• Windows 10 spyware which tracks the user's text input and unique typing cadence (pattern) is comparable to a corporate keylogger.
• Even when users disable "data slurping" features, Windows 10 still sends a range of identifiable information to Microsoft.
• Windows uses a unique advertising ID for each user so that other companies can track the browsing habits of each individual.
• Windows 8 appears to have a range of spyware functions. For example, it snoops on local searches and there is a secret "NSA key" in Windows, whose functions are unknown. The smartscreen filter also reports what software is running on the computer.
• Microsoft SkyDrive allows adversaries to examine user data.
• Microsoft has enabled spyware in Skype and specifically changed the software to enable this function.
• The "privacy" policy in Windows 10 explicitly enables Microsoft the right to look at user files at any time and to sell almost any information it likes about users.
• Windows 10 full disk encryption gives Microsoft the key.

Other Windows Abuses

• Windows has introduced a range of digital restrictions mechanisms.
• Later Windows versions only allow programs from the Windows Store to be downloaded and installed.
• Windows 8 on mobile devices censors the user's choice of application programs.
• When Microsoft realized it had accidentally allowed GNU/Linux to be installed on RT tablets, it quickly "fixed the error" to prevent the use of other operating systems.

Windows Analysis[edit]

Forfeited Privacy Rights

By now the reader should be convinced that just by using any version of Windows, the right to privacy is completely forfeited. Windows is incompatible with the intent of Whonix and the anonymous Tor Browser, since running a compromised Windows host shatters the trusted computing base which is part of any threat model. Privacy is inconceivable if any information the user types or downloads is provided to third parties, or programs which are bundled as part of the OS regularly "phone home" by default.

Inescapable Telemetry

The fact that there is no way to completely remove or disable telemetry requires further consideration. For instance, non-enterprise editions do not allow a user to completely opt-out of the surveillance "features" of Windows 10. Even if some settings are tweaked to limit this behavior, it is impossible to trust those changes will be respected. Even the Enterprise edition was discovered to completely ignore user privacy settings and anything that disables contact with Microsoft servers.^[97]

Any corporation which forces code changes on a user's machine, despite Windows updates being turned off many times before, is undeserving of trust. ^{[98] [99] [100] [101] [102]} Windows 10 updates have been discovered to frequently reset or ignore telemetry privacy settings.^[103] Microsoft backported this behavior to Windows 7 and 8 for those that held back, so odds are Windows users are already running it.

Windows Insecurity

Ignoring for a moment its own built-in malware, Windows is a pile of legacy code full of security holes that is easily compromised. Microsoft's willingness to consult with adversaries and provide zero days before public fixes are announced logically places Windows users at greater risk, especially since adversaries buy security exploits from software companies to gain unauthorized access into computer systems. ^[104] Even the Microsoft company president has harshly criticized adversaries for stockpiling vulnerabilities that when leaked, led to the recent ransomware crisis world-wide.

Microsoft updates also use weak cryptographic verification methods such as MD5 and SHA-1. In 2009, the CMU Software Engineering Institute stated that MD5 "should be considered cryptographically broken and unsuitable for further use". ^[105] In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature. ^[106]

Windows is not a security-focused operating system. Due to Microsoft's restrictive, proprietary licensing policy for Windows, there are no legal software projects that are providing a security-enhanced Windows fork. On the other hand, in the Linux community there are multiple Libre Software Linux variants that are strongly focused on security, like Qubes OS.

Windows Software Sources

Before Windows 8, there was no central software repository comparable to Linux where users could download software safely. This means a large segment of users remain at risk, since most Windows users are still running Windows 7. ^[107]

On the Windows platform, a common way to install additional software is to search the Internet and install the relevant program. This is risky, since many websites bundle software downloads with adware, or worse malware. Even if the user always downloads software from reputable sources, they commonly act in very insecure ways. For example, if someone downloads Mozilla Firefox from a reputable website like chip.de, ^[108] then the download would take place over an insecure, plain http connection. ^[109] In that case, it is trivial for ISP level adversaries, Wi-Fi providers and others to mount man-in-the-middle attacks and to inject malware into the download. But even if https is used for downloads, this would only provide a very basic form of authentication.

To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world. For this reason it is safe to assume that virtually nobody using a Windows platform is regularly benefiting from the strong authentication that is provided by software signature verification.

In contrast, most Linux distributions provide software repositories. For example, Debian and distributions based on Debian are using apt-get. This provides strong authentication because apt-get verifies all software downloads against the Debian repository signing key. Further, this is an automatic, default process which does not require any user action. Apt-get also shows a warning should the user attempt to install unsigned software. Even when software is unavailable in the distribution's software repository, in most cases OpenPGP / gpg signatures are available. In the Linux world, it is practically possible to always verify software signatures.

Libre Software Superiority

Based on the preceding section and analysis, users are strongly recommended to learn more about GNU/Linux and install a suitable distribution to safeguard their rights to security and privacy. Otherwise, significant effort is required to play "whack-a-mole" with Windows malware, which routinely subjects users to surveillance, limits choice, purposefully undermines security, and harasses via advertisements, forced updates, remote removal of applications without consent, and so on.

Open Source software like Linux and Whonix is more secure than closed source software. The public scrutiny of security by design has proven to be superior to security through obscurity. This aligns the software development process with Kerckhoffs' principle - the basis of modern cipher-systems design. This principle asserts that systems must be secure, even if the adversary knows everything about how they work. Generally speaking, Libre Software projects are much more open and respectful of the privacy rights of users. Libre Software projects also encourage security bug reports, open discussion, public fixes and review.

MacOS Hosts[edit]

In a similar vein to Windows platforms, there are also many problems with Apple operating systems including: ^[110]

• Intentional backdoors allowing remote root privileges, wipes and deletion of applications.
• Censorship of allowable programs like games, and media, political, bitcoin and health-focused applications.
• An insecure design allowing execution of malicious code by applications and the extraction of a user's messaging history.
• Forced system upgrades without user consent.
• Imposing arbitrary limits on the use of software.
• Bricking devices if fixed by an "unauthorized" repair shop.
• Scanning user system files.
• Failing to fix system security bugs and preventing users from taking manual steps to do so.
• Bricking devices that had been unlocked without permission.
• Deleting files from user devices that had been downloaded from sources competing with Apple companies.
• Using biometric markers like fingerprints to allow devices to be used.
• Sending lots of personal user information to Apple servers. For example, automatically uploading photos and videos used by certain applications, and sending unsaved documents and program files to Apple servers without permission.
• Sending user search terms and location information to Apple.
• Imposing digital restrictions mechanisms.
• Preventing users from installing older versions of operating systems.
• Designing user interfaces to make specific options hard to find and enable/disable.

See this write-up by the FSF for further detailed information. ^[111]

GNU/Linux Hosts[edit]

A Free Software OS that respects user freedom is the only practical choice when it comes to privacy and security. It also comes with many advanced anti-exploit mechanisms built-in.

Use GNU/Linux on the host and only use in-repository software that is automatically gpg-signed and installed from the distributor's repositories by the package manager. This is far safer than downloading programs from the Internet like Windows users are required to do.

Recommended GNU/Linux Distribution[edit]

Debian GNU/Linux is recommended as providing a reasonable balance of usability, security and user freedom.

Interested readers can find a complete list of reasons to use Debian here. For instructions on downloading, verification and installation see Debian Tips.

Formerly, virtually any GNU/Linux distribution could be recommended in order to protect user privacy, however Ubuntu's data-mining functionality makes it an unsuitable choice. ^[112] In fact, Ubuntu's February 2016 Privacy Policy still states at the time of writing: ^[113]

When you enter a search term into the dash Ubuntu will search your Ubuntu computer and will record the search terms locally. Depending on whether you have opted in or out (see the “Online Search” section below), we may also send your keystrokes as a search term to productsearch.ubuntu.com and selected third parties so that we may complement your search results with online search results from such third parties including: Facebook, Twitter, BBC and Amazon. Canonical and these selected third parties will collect your search terms and use them to provide you with search results while using Ubuntu.

By searching in the dash you consent to: 1. the collection and use of your search terms and IP address in this way; and
2. the storage of your search terms and IP address by Canonical and such selected third parties (if applicable).

There are of course other options. See "Why don't you use <your favorite most secure operating system> for Whonix?" for analysis of alternatives.

Router and Local Area Network Security[edit]

If the Whonix-Gateway is ever compromised, it can theoretically access any computer in the local area network (LAN).

Based on the threat posed by a Whonix-Gateway compromise, users who have administrator control over the home network are strongly recommended to lock down the web interface of the home router and apply the strictest settings possible.

The State of Router Insecurity[edit]

Most routers provided by ISPs and those widely available in electronics stores are profoundly insecure, have outdated software and firmware, enable settings by default that open exploit opportunities, and remain vulnerable if users fail to take appropriate steps. ^[127]

Many experienced users who are concerned about computing security overlook these problems and instead focus on general operating system and networking solutions, rather than this weak endpoint frequently targeted by attackers, including state-level adversaries. Compromised routers can easily spy on a user's activities, conduct man-in-the-middle attacks, alter unencrypted data, or send the user to websites that masquerade as webmail or on-line banking portals. ^[128]

Suitable Hardware and Router Configurations[edit]

Experts routinely advise that low-grade routers should be avoided. Cheap models often fail to notify of firmware updates that patch security vulnerabilities, have limitations on password length for administrator access, and typically come as a less-secure, combined modem/router unit.

Users should consider upgrading to a commercial-grade router that is normally intended for small businesses as a sensible investment in security. Further, it is safer to have a personally owned routing device that connects to an ISP-provided modem/router in order to maximize administrative control over routing and wireless features of the home network.

Before purchase, check the router has firewall capabilities and that it supports Network Address Translation (NAT), so internal systems cannot be directly accessed from the Internet. Also check whether the router can be configured off-line, which is an advantage. Disconnect or turn-off routers/modems when they are not in use. ^{[129] [130]}

Accessing Router Settings[edit]

To access and change router settings, the user must type the router's IP address into a web browser address bar and enter the administrative login and password. Users who are unsure of the default login credentials can check the list here and search by manufacturer and model.

Routers usually have a common address like: 192.168.1.1, but there are many alternatives depending on the make and model of the router. Check the manual that comes with the router to determine the correct address, or alternatively research the manufacturer's website to determine this address. ^[131]

If users cannot confirm the relevant address to access the router, terminal commands can be used to trace the ip route or various networking tools can be accessed to ascertain it.

Linux[edit]

On Linux operating systems, run the following command in a terminal. ^[132]

ip route

The output starting with "default via XXX.XXX.XXX.XXX" is the relevant router IP address for changing settings.

Alternatively, most linux desktops have a network icon which has this information: Right-click on network icon -> Select "Connection Information" or similar.

The IP address displayed next to "Default Route" or "Gateway" is the relevant address required. ^[133]

Windows[edit]

To find the router IP address in Windows, open a command prompt.

Start -> Search box -> Type cmd

ipconfig

The output should show the relevant IP address next to the "Default Gateway".

Alternatively, look for the relevant network settings under: Control Panel -> Network and Internet -> View network status and tasks -> Left-click on the appropriate connection -> Left-click on "Details".

The router's IP address is to the right of the IPv4 Default Gateway. Network and router configuration^[134]

macOS[edit]

In a terminal, run. ^[135]

ifconfig

This command will show all the interfaces and their respective IP and MAC addresses.

Alternatively, look for the relevant network settings under: System Preferences -> Network -> TCP/IP (hardwired) or Wi-Fi (wireless) section. ^[136]

Recommended Router Settings[edit]

Many router models do not allow the user to change specific settings discussed in this section.

General Router Settings[edit]

To lock down the router, the following settings are recommended: ^{[137] [138] [139]}

• Change the default router username and password to something suitably long and random using a Diceware passphrase. ^[140]
• Turn off Universal Plug and Play (UPnP), which can allow applications to open ports to external computers.
• Disable NAT-PMP, since it has similar functionality to UPnP.
• Disable the Home Network Administrative Protocol since it allows remote management of network devices.
• If port forwarding is necessary, it should be limited to a source IP address and/or source IP address subnet.
• Keep router firmware up-to-date at all times for better security. Set the self-updating firmware option if it is available.
• Do not bind services to the external interface.
• Reconfigure the router firewall rules to drop all relevant incoming packets.
• Disable the HTTP interface and enable the HTTPS interface instead, preferably on a non-standard port. For example: https://192.168.1.1:82 instead of http://192.168.1.1
• Use the browser's incognito or private mode when accessing the administrative interface so the URL is not saved in the browser history.
• Change the Service Set ID (SSID) which often leaks router information. Do not use personally identifying information like the apartment number you live in.
• If offered, disable cloud-based router management because trust is shifted to another person between the user and the router.
• Do not use mesh router systems that do not permit local administrative access.
• Disable remote administrative access and administrative access over Wi-Fi. Set administrator access only via wired ethernet connections (not possible with mesh routers).
• Disable all other remote-access protocols like PING, Telnet and SSH.
• Firewall ports should be set to "stealth" rather than "closed". This way no response is given to unsolicited external communications from attackers probing the network.
• Set logging to on, if the feature is available. This allows for a record of unsolicited incoming connection attempts, attempted logins and so on.
• Avoid administrating the router with a smartphone application.
• Use Gibson Research Corp.'s Shields Up port-scanning service to test the router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.

Wireless Network Router Settings[edit]

Warning: Recent research suggests that WPA2 encryption may be broken. [141] Although various countermeasures are reported in the literature and Linux distributions have already patched relevant software, users who require greater security may wish to disable Wi-Fi completely on their systems. [142]

The following wireless settings are recommended: ^{[143] [144] [145]}

• Disable Wi-Fi Protected Setup (WPS) because it allows any device to connect to the network with the relevant eight-digit PIN.
• Do not bother disabling SSID broadcasting since it is trivial to guess.
• Do not rely on the WEP and WPA standards which are cryptographically weak and have known security weaknesses. Use the WPA2 standard so only authorized users can use the network. ^[146]
• Use routers that exclusively use WPA2, preferably with the AES standard (CCMP) and not TKIP which is less secure.
• Enable the "Block WAN Requests" option to conceal the network from other Internet users.
• Limit the number of Dynamic Host Configuration Protocol (DHCP) leases (connects) to the Wi-Fi network to match the number of personal devices owned.
• Enable MAC Filtering so only specific devices may connect to the network.
• If you must allow use of the Wi-Fi network to visitors, set up a guest network that turns itself off after a set period.
• Use the 5-GHz band for Wi-Fi instead of the standard 2.4GHz band (if possible), since the 5 GHz band does not travel as far.
• If possible, schedule Wi-Fi networks to turn off at night, and then turn on in the morning.

Router Firmware[edit]

Strong consideration should be given to flashing the wired/wireless router with an open-source GNU/Linux distribution. Solutions such as OpenWrt and DD-WRT provide firmware that is suitable for a large variety of wired and wireless routers and embedded systems.

The strengths of this approach are openness, regularly updated firmware images, a great number of functionalities (fully-featured), less bloat, and more control over router behavior. The downside is that open-source firmware is not free of bugs; careful research is required before attempting this procedure. Check the online guides for instructions on how to proceed and whether the home router is compatible with the available firmware.

Host Firewall[edit]

It is recommended to use a simple host firewall and deny any incoming connections on all ports. For a Linux host OS like Debian, Ubuntu and Arch Linux, gufw provides a simple graphical user interface for the Uncomplicated Firewall program. ^[147]

The following steps install gufw on a Debian host.

1. Install gufw.

sudo apt-get update && sudo apt-get install gufw

2. Start gufw.

gufw

3. Press Unlock. Enter the password.

4. Press Enabled. ^[148]

5. Check the settings.

By default, the settings should be Incoming: Deny and Outgoing: Allow.

Although not recommended, users can add special firewall rules, use pre-configured options for common programs and services, or set other advanced options in gufw by following this guide.

Disable TCP Timestamps[edit]

TCP timestamps provide protection against wrapped sequence numbers.

The downside of TCP timestamps is adversaries can remotely calculate the system uptime and boot time of the machine and the host's clock down to millisecond precision. These calculated uptimes and boot times can also help to detect hidden network-enabled operating systems, as well as link spoofed IP and MAC addresses together and more. ^[149]

To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on any operating systems being used. The less information available to attackers, the greater the security.

Qubes[edit]

TCP timestamps are disabled by default in Qubes R3.1 and above. ^[150]

Linux[edit]

^[151]

Open a terminal (Konsole).

Become root.

sudo su

Add the following line to /etc/sysctl.d/tcp_timestamps.conf.

net.ipv4.tcp_timestamps = 0

To do that, use the following command.

echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf

To apply the sysctl settings without a reboot, run the following command.

sysctl -p

Check if the changes have been properly set.

sysctl -a

If it worked correctly, the system should provide the following output.

net.ipv4.tcp_timestamps = 0

Windows[edit]

The user must have administrator privileges.

To disable TCP timestamps on Windows, run the following root command.

netsh int tcp set global timestamps=disabled

Other Operating Systems[edit]

MacOS

This procedure is untested. It should also work for BSD-like operating systems.

Users must disable rfc1323 which handles TCP timestamps. To check system-set TCP values, run. ^[152]

sysctl net.inet.tcp

A value of 1 against net.inet.tcp.rfc1323 indicates it is enabled, while 0 indicates it is disabled.

To permanently disable TCP timestamps, run. ^{[153] [154]}

sudo su

echo net.inet.tcp.rfc1323=0 > /etc/sysctl.conf

To temporarily disable TCP timestamps (until reboot) for testing purposes, run.

sudo sysctl -w net.inet.tcp.rfc1323=0

TODO: expand.

Disable ICMP Timestamps[edit]

The Internet Control Message Protocol (ICMP) is used by network devices, including routers, to send operational information and error messages such as whether a service is available or if a host/router cannot be reached. Unlike TCP and UDP, it is a network level, not transport layer protocol. Commonly network utilities are based on ICMP messages, such as traceroute and ping. ^[155]

The ICMP protocol includes timestamps for time synchronization, with the originating timestamp being set to the time (in milliseconds since midnight) since the sender last touched the packet. A timestamp reply is also generated, consisting of the originating timestamp (sent by the sender) as well as a "receive timestamp", which captures when the timestamp was received and a reply sent. ^[156]

Qubes[edit]

ICMP timestamps are disabled by default in Qubes R3.1 and above. ^[157]

Linux[edit]

ICMP timestamps need to be blocked with the firewall. ^[158] This is distribution dependent and varies widely as does having a firewall enabled on your specific OS. Be aware that some distributions do not turn on the firewall by default.

There are many differing ways to accomplish blocking ICMP timestamps via the command line, therefore users are recommended to consult the specific distribution's documentation. ^[159] The most straightforward way is to download a GUI front-end (like gufw) to configure the firewall and have it set to silently drop all incoming connections by default, and allow only outgoing traffic from the machine.

Windows[edit]

This is untested.

Recent Windows operating systems (Win 10, Win 8/8.1, Win 7) should have disabled ICMP settings by default in the Windows firewall. ^[160]

From the Menu

The status of ICMP timestamps can be manually checked and changed on Windows systems via the Firewall settings. ^[161]

Right-click on Start button -> Select Control Panel -> Select Windows Firewall -> Select Advanced Settings tab

The ICMP Settings dialog box should show the ICMP timestamp is disabled: Allow incoming timestamp request is unchecked. ^[162]

From the Command Line

ICMP timestamp responses can be disabled via the netsh command line utility. This is necessary for Vista and earlier Windows versions. ^[163]

Open a terminal.

Run as an administrator.

netsh firewall set icmpsetting 13 disable

Outgoing ICMP timestamp responses are now blocked.

Other Operating Systems[edit]

MacOS

This is untested.

MacOS systems should have ICMP timestamps disabled by default. Therefore, if the firewall is enabled and "Stealth Mode" is set, the system should not respond to any ICMP requests. This is how to check the system is properly secured: ^[164]

Menu -> System Preferences -> Security & Privacy -> Select the Firewall tab -> Check Firewall is On -> Click Firewall Options -> Enable Stealth Mode -> Click OK

The "Block all incoming connections" checkbox should also be enabled for greater security.

The user can also manually change or check the timestamp status of ICMP, since the system variable is net.inet.icmp.timestamp in the /etc/sysctl.conf file. ^[165]

To permanently disable ICMP timestamps. ^[166]

sudo sh -c "echo net.inet.icmp.timestamp=0 >> /etc/sysctl.conf"

OpenBSD

This is untested.

The easiest solution is to configure the firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response). ^[167]

Alternatively, set the relevant sysctl variable to 0 (it is enabled by default). In a terminal, run.

sysctl -w net.inet.icmp.tstamprepl=0

TODO: expand.

Microphones[edit]

Advanced adversaries already have specialized implant plug-ins which can take over the computer's microphone and record nearby conversations. [168] [169]

Eavesdropping Risk

The user should check whether the computer or notebook has a microphone. Microphones are often built-in and go unnoticed. In most cases it is recommended to disable the microphone for security reasons. If the Whonix-Workstation is ever compromised by malware, an adversary could eavesdrop through the microphone. ^[170]

Voice Recognition

It is safe to assume that everyone has had an unencrypted phone call during their lifetime and that one of them has been recorded. Voiceprints allow a person to be identified from the specific characteristics (acoustics) of their voice and it is a useful biometric marker. ^[171] This means personal and unique voiceprints can be used to link non-anonymous and "anonymous" voice samples; a process called voice recognition and documented on the VoIP wiki page in the introduction chapter. ^[172]

Disabling or Removing Microphones

Unfortunately, by default microphones that are connected to the host are made available to virtual machines like Whonix-Workstation (except for Qubes-Whonix, see further below).

For the greatest security, external microphones should be unplugged. If the microphone is built-in and the user decides to disable it, there may be a BIOS option to achieve this. Suitably skilled users may also attempt to remove built-in microphones, although this is more difficult.

Select Use of Microphones

Multiple Whonix-Workstations should be used for: making internet calls, conducting Voice over IP (VoIP), or microphone use for other reasons inside Whonix-Workstation. In this way the microphone is used in selected, not all, Whonix-Workstations. Unplug the microphone after use.

For VoIP purposes, audio passthrough capability may need to be enabled for the respective hypervisor. The following section documents how to get audio working on supported platforms.

Expand for more information:

Webcams[edit]

Webcams pose a spying risk. Webcams on infected machines can be used to take snapshots and/or eavesdrop using the webcam's built-in microphone.

The user should always check if their computer or notebook has a webcam. One might be built-in, but have gone unnoticed - check the computer's datasheet and operating system hardware manager to be sure.

It is recommended that webcams are disabled or removed, unless the user plans to use it inside Whonix-Workstation. If webcam use is planned, it should be disabled and possibly unplugged immediately after use.

External webcams should also be unplugged for optimal security. If the webcam is built-in, the user should check whether it can be disabled with a BIOS setting. Suitably skilled users can attempt to remove built-in webcams, although this may be difficult. Alternatively, the webcam can be covered externally with adhesive tape or a cap.

Wireless Input Devices[edit]

Avoid using wireless keyboards and mice because most send data unencrypted. Even if this wasn't the case, there is no way to verify the robustness of the cryptography involved in proprietary products. A local adversary (up to 100 meters away) can sniff keystrokes and inject their own, allowing them to take over the machine.^[175][176]

Backups[edit]

It is important to store multiple, encrypted backups of sensitive data.

If the user does not possess at least two copies of the original data, then it should be considered lost. The reason is data on one medium might become inaccessible and beyond repair at any minute. In this case, the computer would not even detect the risk, so data recovery tools would not be of help either. ^[177]

Best practice recommendations:

• Store the original, encrypted file on a medium like the internal hard drive.
• Create a first encrypted backup: for example, on an external hard drive from manufacturer A.
• Create a second encrypted backup: for example, on an external hard drive from manufacturer B.

For greater security and to protect from incidents like fire or theft, backups in separate physical locations are recommended. Additionally, backups can be stored on remote servers, but the user must be sure it is encrypted properly. ^[178]

Whonix information[edit]

MAC Address[edit]

Introduction[edit]

All network cards, both wired and wireless, have a unique identifier called a MAC address^[179]. MAC addresses are stored in hardware and are used to assign an address to computers on the local network.

The MAC address is normally not traceable because it is not passively sent to computers beyond the local router. ^[180] However, other computers on the local network can potentially log it, which then would provide proof that the user's computer has been connected to that specific network. If users intend to use an untrusted, public network then MAC spoofing should be considered. ^[181]

MAC Spoofing Warning

Warning: According to recent research, MAC address spoofing is not effective against advanced tracking techniques that can still enumerate the address by looking at physical characteristics of the Wi-Fi card. [182] Unfortunately, a solution requires manufacturers to modify drivers or firmware of their hardware products to add privacy preserving mitigations.

One workaround is to buy new "burner" Wi-Fi USB sticks of different brands. Take care to disable the computer's native Wi-Fi functionality in the BIOS setting if pursuing this option. The reason is the computer's characteristics are likely to have already been logged if it was ever used from an untrusted hotspot. Connectivity with these burner devices should only be enabled from the intended public destination. At no point should burner devices be used for network connections at locations tied to, or regularly visited by, the user. Use a different stick for every new location to avoid location profiling/tracking.

Other Location Tracking Risks

Dealing with the MAC address problem is only one piece of the larger location tracking puzzle. Attention must also be given to changing the usual Tor entry guards used for connections. To thwart this attack, entry guard changes are necessary for every Tor instance on the user's machine host (apt-transport-tor) and guest.

An authentication technique can fingerprint devices - and also track user devices as a side-effect - by observing inter-packet timings on a LAN's wire-segment. The timing effects are the result of how various components in a machine create packets. ^[183] Fortunately, this technique cannot be used to identify devices across the internet. ^[184] This technique can be defeated by inducing random delays in a machine's packet stream. Since there is no concern about impersonating other devices on the LAN, it doesn't matter that such an authentication system will view such machines as "unknown". ^[185] Note that spectrum analyzers are also mentioned as a way to fingerprint the unique electromagnetic (EM) characteristics of a Wi-Fi card. The disposable USB Wi-Fi workaround would mitigate this attack. ^[186]

Using a Home Connection[edit]

Tip: MAC address changes for home connections are not required.

Warning: This recommendation comes with an important caveat. If a browser exploit is successfully used for activities outside a VM, then the physical MAC address could be revealed to an attacker. If a user is already under suspicion, this would eventually provide proof of identity. In this scenario, if the MAC address was changed beforehand, then root access is required to discover the real physical address (this has not yet been tested).

Connectivity Risk

If the user's home network has a cable modem internet connection, the ISP either provides the cable modem device as part of the service or requires pre-registration of the MAC address of the self-provided cable modem in order to setup the service.

If a user manages to hack or change the MAC address of the modem, the service would immediately cease functioning because the IP address assignment is apportioned for, and bound to, that specific MAC address. As a result, when connecting from behind a cable modem/NAT router, MAC address spoofing of the computer's ethernet adapter may be pointless. If a user is traced, the trackable endpoint will be the MAC address of the cable modem device.

Using a Public Computer[edit]

This refers to use of computers in public places like libraries and Internet cafes.

The MAC address should not be changed in this scenario, otherwise it may bring undesired administrator attention to the service/user and/or simply prevent access to the Internet.

Using a Personal Computer in a Public Network[edit]

This refers to using a personal laptop, desktop or any other Internet-facing device in a public network.

In this scenario, the MAC address should be changed. A new set of Tor entry guards should be selected by removing /var/lib/tor/state. Attempts should be made to disguise the use of Tor from the administrator of the public network. Depending on the user's configuration, this may involve using an obfsproxy bridge or the tunneling of traffic through SSH or a VPN prior to connecting to the Tor network.

Depending on the user's threat model, changing the MAC address and using Tor might rule out revisiting that public network again in the future. If the same public network is to be reused, then users must decide whether to use the same MAC address (and set of Tor entry guards) or to create a new MAC address.

If MAC address logging by the administrator is suspected, it could be unwise to change the MAC address, since this may appear suspicious. If the user believes the network is sufficiently public and they have not been observed, then it might be safe to use a new MAC address - with a popular vendor ID and random/unique second part - each time the network is used.

For more discussion on this rather complex topic, see Dev/MAC.

Random MAC Addresses[edit]

Warning: Using a completely random MAC address is not recommended. While this technique might be sufficient to confuse lessor adversaries, it will not defeat skilled adversaries.

The problem of using a random MAC address is that the vendor ID which is chosen may be non-existent. Even if it exists, the user might end up with a vendor ID which has either never been used or not for decades. When spoofing MAC addresses, it is critical to use a a popular vendor ID. The initial, second part of the MAC address can safely be random or unique. ^[187]

Research on this issue is still ongoing. Whonix cannot yet provide detailed instructions on how to create appropriate MAC addresses fulfilling the criteria above.

Auto-connect Risk[edit]

Apart from the difficulty in creating an appropriate MAC address for spoofing purposes, there are also technical hurdles to overcome in the form of preventing automatic network connections.

Preparing a spoofed MAC address will be futile if (when the computer is booted) it instantly connects to the public network, disclosing the user's real MAC address in the process:

• For VM users: The host operating system most likely automatically connects via updates, perhaps time sync, and other avenues.
• For Physical Isolation users: Whonix-Gateway automatically connects to Tor after start.
• For USB Wi-FI device users: Automatic connections might also occur, depending on the configuration.

Changing MAC Addresses[edit]

For Qubes Hosts[edit]

Qubes OS does not currently “anonymize” or spoof the MAC address automatically.

Qubes users can manually change MAC addresses in the NetVM by following either the Network Manager or macchanger guides. Refer to the following Qubes documentation and related support items:

• https://www.qubes-os.org/doc/anonymizing-your-mac-address/
• https://groups.google.com/forum/#!searchin/qubes-users/macchanger/qubes-users/gUPK-YqkC3E/WsarnjrddrsJ
• https://github.com/QubesOS/qubes-issues/issues/938

For Linux Hosts[edit]

If you are interested in MAC address spoofing in Non-Qubes-Whonix, please press on Expand on the right.

Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.

TODO: please help to test and expand these instructions.

1. Edit the Network Interfaces File

• Standard-Whonix-Version (VM) users: Edit /etc/network/interfaces on the host.
• Physical Isolation users: Edit /etc/network/interfaces on Whonix-Gateway.

2. Get Macchanger

In a terminal, run.

[select code]

su

su

[select code]

apt-get update && apt-get install macchanger

apt-get update && apt-get install macchanger

3. Change the MAC Address (I)

The following steps will manually change the MAC address for the device. An example is provided for a wireless device (wlan0). Replace wlan0 to match your device, such as a ethernet device (eth0) and so on.

[select code]

su

su

[select code]

ifconfig wlan0 down

ifconfig wlan0 down

[select code]

macchanger -a wlan0

macchanger -a wlan0

[select code]

ifconfig wlan0 up

ifconfig wlan0 up

If instructions from Step 1+ did not work, the following steps might also work without macchanger. Replace wlan0 to match your specific device.

[select code]

su

su

[select code]

ifconfig wlan0 down

ifconfig wlan0 down

[select code]

ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE

ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE

[select code]

ifconfig wlan0 up

ifconfig wlan0 up

Or use iproute2 commands to change the MAC address.

[select code]

ip link set down wlan0

ip link set down wlan0

[select code]

ip link set wlan0 address 00:AA:BB:CC:DD:EE

ip link set wlan0 address 00:AA:BB:CC:DD:EE

[select code]

ip link set up wlan0

ip link set up wlan0

4. Change the MAC Address (II)

Below iface eth0 inet dhcp, add.

[select code]

hwaddress ether 00:00....

hwaddress ether 00:00....

5. Optional: Automatically Randomize MAC Address on Boot

If this is desired, add.

[select code]

pre-up macchanger -e eth0

pre-up macchanger -e eth0

6. Change New Network Interfaces Settings

To prevent automatically bringing up new network interfaces, uncomment the following.

[select code]

auto eth0

auto eth0

Then set manual bring ups with the following.

[select code]

sudo ifup eth0

sudo ifup eth0

For Windows Hosts[edit]

In Windows, the MAC address can be changed with specific tools, by editing the registry, or via Device Manager.

The following instructions outline MAC address spoofing in Windows 10 via Device Manager. Complete the following steps: ^[188]

Press Windows Key + X -> select Device Manager -> Expand the list of Network adapters -> Right-click the appropriate adapter -> Select Properties -> Navigate to Advanced tab -> Select Network Address -> Enter any 12 digit hexadecimal value -> Click OK

Reboot the computer for the changes to take effect. To check the changes are correct, in a terminal run.

ipconfig /all

The physical address of the adapter should show the new MAC address.

For MacOS Hosts[edit]

These steps are untested.

1. Find the Current MAC Address of the Interface ^[189]

Open System Preferences -> Click on Network -> Select the interface from the listbox on the left -> Select the Advanced button -> Click on Hardware tab

The first line is the MAC address of the interface.

2. Change the MAC Address

Note: There is no eth0 on default configurations of MacOS. By default, en0 and en1 are the physical network connections (wired and wireless LAN). ^[190] Disconnect from the networks before running these commands.

In a terminal, run as an administrator.

ifconfig en0 | grep ether

The output will show the MAC address for the en0 interface. Depending on how many interfaces there are on the computer, the command might need to be run several times by adding 1 to the number each time.

Once a MAC address is listed that matches the one seen via System Preferences, the user knows which interface (en0, en1....) to change.

In a terminal, run the following as an administrator. Change "en0" to match the relevant interface, and "XX:XX:XX:XX:XX:XX" for the desired new MAC address (for example: f8:1e:df:d8:9d:8a).

sudo ifconfig en0 ether XX:XX:XX:XX:XX:XX

3. Check the MAC Address has Changed

In a terminal, re-run.

ifconfig en0 | grep ether

The output should show a value matching the user's change.

Sources[edit]

See footnote. ^[191]

Known Bugs[edit]

Follow these links to learn more about known bugs affecting Non-Qubes-Whonix and Qubes-Whonix. For a list of all open issues affecting Whonix on both platforms, refer to the Phabricator bug tracker.

Greater Security and Next Steps[edit]

After reading and applying relevant steps outlined in this section, users can download and verify the Whonix images before installing them. In all cases, users should follow the post-installation advice.

For greater security pre and post Whonix installation, users should also refer to the Documentation pages to learn more about potential threats and mitigations. For instance, users might like to consult the Design pages and consider the recommendations outlined in the Security Guide and Advanced Security Guide. Users with limited time can refer to the System Hardening Checklist.

References[edit]

License[edit]

Whonix Computer Security Education wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Computer Security Education wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)