"They managed to hack the AppVM Whonix-gw-15 on one of my secure Qubes install"

On 28 Jun, Frédéric JOUVIN, a researcher on IC security flows, P2P & mesh networks, FPGA & microprocessor architectures, hardware hacker, electronician and low-level programming engineer, posted on his Twitter:

@Snowden @QubesOS FYI - As Edward knows it, I am targeted by the highest level of states cyber weapons thanks to Amazon and Postal Operators of 8 countries involved in Antitrust complaint I deposited against them. I just wanted to inform you that “they” managed to hack the AppVM Whonix-gw-15 on one of my secure Qubes install. It seems their attack did not propagate to other qubes. I reinstalled the whonix-gw-15 template and everything went back to normal.

see the post here

Does anyone know more about this attack? How did he detect it? :smiley:

4 Likes

I don’t know any details, but still it would be nice to at least speculate how on earth THEY could infect a template? What could be possible attack vectors? Most definitely this would involve software updates, so some sort of supply chain attack.

QSB or it didn't happen :slight_smile:

2 Likes

His tweet is not clear. He says “AppVM Whonix-gw-15” so maybe he means an AppVM based on Whonix-gw-15 template. In that case reinstalling the template was overkill, as he could have deleted and created a new AppVM.

First step I would have taken would be to power down, pull the drive to a forensics machine and make an image of the drive with dd. Then I would invest a large amount of time doing at least a basic analysis that backed up my position, as a precursor to making the image of the compromised VM available to the sec research community.

What I would not have done is tweeted “this happened” and then re-installed, erasing any hope of understanding how this happened and fixing the alleged vulnerability for everyone else in the world.

6 Likes
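The imaging step described in the post above, as an added example that is not part of the thread: a POSIX shell function that copies a source device to an image file with dd, hashes both sides, writes a chain-of-custody log and only reports success when the digests match. The device path, image path and log path are assumptions; GNU coreutils (dd with status=none, sha256sum) on the forensics machine is assumed too.

```shell
#!/bin/sh
# Added example (not from the thread): image a source device with dd, then
# verify the copy by comparing SHA-256 digests of source and image.
# Assumes GNU coreutils (dd with status=none, sha256sum) on the forensics box.
# Usage: image_and_verify /dev/sdX /evidence/disk.img [/evidence/disk.log]

image_and_verify() {
    src="$1"
    img="$2"
    log="${3:-$2.log}"

    # Never clobber evidence: refuse if the image path already exists.
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 1
    fi

    # bs=512 matches the sector size, so conv=noerror,sync pads only the
    # unreadable sectors with zeros and keeps every offset aligned with the
    # source. A larger bs would pad a short final read and change the image size.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none || return 1

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    # Chain-of-custody record: what was imaged, when, and both digests.
    {
        echo "date:           $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:         $src"
        echo "image:          $img"
        echo "sha256(source): $src_hash"
        echo "sha256(image):  $img_hash"
    } >> "$log"

    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: image does not match source (read errors?)" >&2
        return 2
    fi

    # Lock the image so later analysis cannot alter it by accident,
    # and print the digest so callers can record it elsewhere.
    chmod 0444 "$img"
    echo "$img_hash"
}
```

Work on the image (or a copy of it) from then on; the original drive stays untouched so the analysis can be repeated and shared.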

@i2p I find posts such as yours highly problematic.

What's the news? It happens to me all the time… at the template
level too.

This you better back up with lots of details if you want to be taken
seriously.

The new thing is through the Video API.

Can you be more specific? Which API exactly? What is happening? References?

The only anonymity you MIGHT get is through p2p’s.

What does anonymity have to do with this topic? We are talking about
compromised templates and if/how such a thing might happen.

MuWire

… helps with any of the above how?

I am trying very hard to be open to the possibility that you have
something of value to share, but what you’ve written so far makes that
extremely difficult.

4 Likes

he talked so much that he ended up saying nothing…

please @i2p be more specific and share with us your knowledge…

1 Like

I marked i2p's post as spam, because they only plugged their network scheme without adding value to the topic.

2 Likes

This should be standard procedure for everyone who may have been owned; now he is having problems with the VM…


1 Like

Related reading:

1 Like