Re: [qubes-users] Re: Are "smart" monitors/TVs a security issue?

2020-11-26 Thread Alex Smirnoff
To the best of my knowledge, no PC graphics card ever supported ethernet over HDMI.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f254001b-0d75-49ad-810c-c5b093858caen%40googlegroups.com.


Re: [qubes-users] Re: Are "smart" monitors/TVs a security issue?

2020-11-26 Thread haaber

> For "native" thunderbolt monitors there certainly could be an issue! For
> HDMI/DP, honestly, do not know how much a malicious device could do.

For "smart" TVs, please notice the existence of ethernet-over-hdmi :) Often
these machines have microphones (for vocal commands). As well as the STB
that decodes your ip-TV. Better you own your hardware ... and harden
the linux on it :)



[qubes-users] xen resource reporting

2020-11-26 Thread Alex Smirnoff
It is rather a xen issue, but I did not find xen groups alive enough, so..

I have a 6-core cpu, so.. xen thinks there are two "CPU's" per core, 
probably due to HT.
And it does, apparently, cause a lot of confusion.

From "xenpm start 1":
Socket 0
 Core 0 CPU 0
 Core 1 CPU 2
 Core 2 CPU 4
 Core 3 CPU 6
 Core 4 CPU 8
 Core 5 CPU 10

But, when I try to get CPU states, xenpm assumes the core count to be the cpu 
count! Thus, it tries to get status of CPU0-CPU5, which succeeds only for 
even CPUs, odd CPUs get dropped and return error when xenpm tries to control 
them, and CPU6-CPU10 are ignored.

Also, xenpm get-cpufreq-para returns obviously incorrect values (for even 
CPUs only, again, for odd ones it just "failed to get cpufreq parameter" 
and 6-10 are ignored), as well as xentop. At the same time, values at 
get-cpufreq-average are apparently right. 

Is it a known issue?



[qubes-users] Re: Are "smart" monitors/TVs a security issue?

2020-11-26 Thread Alex Smirnoff
For "native" thunderbolt monitors there certainly could be an issue! For 
HDMI/DP, honestly, do not know how much a malicious device could do.




Re: [qubes-users] Are "smart" monitors/TVs a security issue?

2020-11-26 Thread Andrew David Wong

On 11/25/20 6:31 AM, River~~ wrote:

> Hi all
>
> In the days of CRT monitors one way the security of a computer system
> could be compromised non-intrusively (ie without amending the
> installed code) was by picking up the radio-frequency leakage from the
> tube in the monitor. This could only be done from near by, but where
> possible it enabled the spy to see what was on the screen -- almost
> everything that you typed (apart from passwords that were blanked or
> starred out). This was a remote form of shoulder surfing, where
> someone looks over your shoulder in an environment like an internet
> cafe.
>
> Nowadays we do not have to worry about CRT monitors.

This is known as a TEMPEST attack:

https://en.wikipedia.org/wiki/Tempest_(codename)

Although we may not use CRT monitors any more, there are still many 
other forms of this attack, many of which are still relevant today. It's 
still important to be mindful of any kind of leaking emanation.

> But TVs are
> increasingly delivered with their own internet connection, making it
> easy to watch You-Tube (etc) without needing a separate computer or
> phone. Clearly there is a computer inside which can be hacked, and if
> so a remote shoulder surfing attack would be very possible.

Yes, definitely. Smart TV spying is already a widely-reported phenomenon:

https://duckduckgo.com/?q=smart+tv+spying

> Is the same true of monitors and of TVs that do not have an apparent
> internet link? The digital tech to draw a picture from the input is
> unlikely to be done by traditional electronics, but being all digital
> is likely done by a miniprocessor of some kind in all digital
> displays.

It's impossible to say without knowing exactly what kind of hardware is 
inside.

> To put my question in the most provocative way on this forum: is there
> much point securing the OS when the monitor might be an easier target
> for those out to (umm) monitor our reading and our keystrokes?
>
> This thought has only just come to me, and I wonder if there is already
> some available mitigation? Any ideas?
>
> Or am I being overly cautious?
>
> R~~
>
> Any ideas?



Well, there's no such thing as perfect security, but you can decrease 
your risk here in multiple ways, such as selecting a monitor with as few 
"smart" features as possible or, if you use a laptop, sticking with the 
built-in monitor. There might also be some advantage to preferring 
"dumb" ports on your monitor. For example, DisplayPort and Thunderbolt 
are probably bigger risks than VGA and DVI, since DisplayPort can 
transmit USB and other data, and Thunderbolt combines PCIe and DisplayPort.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Re: Getting wifi working on a new machine in qubes 4.0.3 and 4.0.4-rc1

2020-11-26 Thread Rusty Bird
River~~:
> 00.08.0 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)

https://github.com/QubesOS/qubes-issues/issues/5615#issuecomment-702032377

Rusty


[qubes-users] Re: Are "smart" monitors/TVs a security issue?

2020-11-26 Thread Mark Fernandes
Hello trueriver,

Thanks for your post. No, you're not being overly cautious. Regarding your 
thoughts on whether there is much point securing the OS, I had the same 
kind of issues after my computer was hacked earlier this year. I realised, 
I couldn't just do a small fix here or there, as the issue of security was 
a bit like a water-carrying pipe with many punctured holes: patching just 
one or a few holes only meant that water came out of some other holes.

The result of my encountering these issues was the creation of a Wikibooks 
book on end-user computer security, particularly 
aimed at individuals without much resources (resources such as money)—feel 
free to add/edit its content, as it is a wiki.

On Wednesday, 25 November 2020 at 14:31:55 UTC trueriver wrote:

> ... 
> In the days of CRT monitors one way the security of a computer system 
> could be compromised non-intrusively (ie without amending the 
> installed code) was by picking up the radio-frequency leakage ...
>
> Nowadays we do not have to worry about CRT monitors. But TVs are 
> increasingly delivered with their own internet connection, ...  
> Clearly there is a computer inside which can be hacked, and if 
> so a remote shoulder surfing attack would be very possible. 

Getting back to your particular issues, smart TVs (and other 
internet-connected devices), are clearly a security concern, and I am not 
convinced that these issues are adequately dealt with for general 
consumers. Firmware doesn't generally seem to be sufficiently locked-down, 
meaning that middle-men attackers can possibly reprogram devices without 
leaving much evidence that leads personally back to them.
 

> Is the same true of monitors and of TVs that do not have an apparent 
> internet link? ... 
>
>
Regarding microprocessor/micro-controller VDUs without 
wireless-communications tech, they are probably safer. However, because you 
can now even get small WiFi SD cards, 
even at what appears to be relatively inexpensive prices, I would perhaps 
be concerned over whether such VDUs might have undergone tampering so as to 
be able to steal your information through wireless means.

> ...is there much point securing the OS when the monitor might be an easier 
> target for those out to (umm) monitor our reading and our keystrokes? 

There is a point in securing the OS in spite of the other security 
vulnerabilities you've highlighted, but only as part of a comprehensive 
security solution. It only takes the weakest link in the chain...
 

> ... I wonder if there is already some available mitigation? ...
>
>
In terms of available mitigation, the latest idea I've had (not yet 
properly included in the book), is to buy computer hardware with anonymity 
over Amazon (see some notes about it here).
 
You could also try using brands you trust more, or that are advertised as 
being more secure than normal. Also, you might think about going 
"barebones" in respect of the VDU: strip out the "bells and whistles" so as 
to reduce the attack surface.


Hope this helps,


Kind regards,


Mark Fernandes
