Disable speaker output for domUs by default

Open rootkovska opened this issue 8 years ago • 8 comments

To prevent them from communicating to other mic-equipped devices and deanonymizing the user. (Note we do not expose mic to any AppVM by default since forever.)

Seems like we can easily do that during installation via Salt config. But maybe consider also some runtime check to ensure this also (in Qubes 4.x)?

/cc @adrelanos

Mar 23 '17 16:03 rootkovska

This issue is being closed because:

If anyone believes that this issue should be reopened, please let us know in a comment here.

Apr 01 '19 04:04 andrewdavidwong

Please re-open. Applies to any milestone.

Apr 01 '19 11:04 adrelanos

Microphones and speakers are a risk for all VMs, Whonix and non-Whonix, see: https://www.kicksecure.com/wiki/Hardware_Threat_Minimization

Therefore this isn't a Whonix-specific task. The sane default would be to attach neither a microphone nor a speaker to any VM. In other words, VMs should be microphone-less and speaker-less by default.

Suggested title (feel free to use a better one): disable speaker output for all VMs by default

Opt-in could be similar to how Android asks if a permission should be granted (such as GPS) as soon as the app attempts to use the device.

Therefore also tag C: Whonix is inappropriate.

Jun 08 '22 16:06 adrelanos

Instead of disabling audio output altogether, I think a much better approach would be for audio output to be enabled, but muted by default. I suspect this is much less likely to break buggy programs that do not handle audio device hotplug and/or stream corking well, and the attack surface is identical as 0 * x = 0 no matter what x is (no, floating point trickery is not useful here).

Jun 22 '22 20:06 DemiMarie

I have a little bash menu script I run. Hitting 'm' mutes all VMs and dom0, while 'M' unmutes all.

Configuring anything more fiddly requires going into the PA control panel.

B

Jun 22 '22 20:06 brendanhoar

> I have a little bash menu script I run. Hitting 'm' mutes all VMs and dom0, while 'M' unmutes all.

I just added something like that here.

However the default on VM start should still be "muted" as that approach doesn't help with disposable VMs started later.

Aug 10 '22 15:08 3hhh

Agreed.

Leaning toward auto-muting disposables (or perhaps all VMs?), perhaps controlled by a global setting (or two)?

Default setting might be audio enabled but guide could reference changing the flag (for vulnerable users). Really a development team call.

B

Aug 10 '22 16:08 brendanhoar

As this issue is 5 years old, I redecided and added a daemon to execute arbitrary code - incl. VM mutes - on VM starts, stops, ... etc. here.

Aug 11 '22 20:08 3hhh