Able to view dom0 timezone from inside Whonix based qube

chessjazz · July 31, 2023, 6:47am

The Network Time Synchronization page on the Whonix wiki says the following

Warning: The system clock inside Whonix ™ is set to UTC to prevent against time zone leaks. This means it may be a few hours ahead or behind the user’s host system clock (timezone). It is strongly recommended not to change this setting.

But the dom0 timezone can be viewed from inside a Whonix based qube by reading it from qubesdb.

qubesdb-read /qubes-timezone

I am able to mitigate it by adding this to the rc.local file inside the Whonix template

qubesdb-write /qubes-timezone "Etc/UTC"

Is this intentional design?

Patrick · July 31, 2023, 11:54am

reported this bug to Qubes just now:

github.com/QubesOS/qubes-issues

Stop leaking dom0 timezone to Whonix qubes

opened 11:54AM - 31 Jul 23 UTC

adrelanos

T: enhancement privacy C: Whonix P: default

### Qubes OS release R4.2 ### Brief summary Qubes VMs leak timezone. … Reported by @[chessjazz](https://forums.whonix.org/u/chessjazz). ### Steps to reproduce qubesdb-read /qubes-timezone ### Expected behavior No command available to leak dom0 timezone. ### Actual behavior Dom0 timezone can be leaked in VM if malware is running inside the VM. ### Additional information For issue tracking. * issue caused by Qubes-Whonix: no * affects Qubes-Whonix: yes, because Whonix sets timezone to UTC as it should be hidden. (It doesn't leak to remote websites but malware with local code execution could read dom0 timezone.) * only relevant for Whonix: Dunno if there are also other users who would prefer not to leak this information to VMs. ### Suggested solution If `qvm-features` or similar mechanism has `whonix-ws 1`, `whonix-gw 1`, `notimezone 1`, then don't write `/qubes-timezone` to qubesdb.

This isn’t a bulletproof mitigation.
The threat model here: malware with local code execution privileges.
But under that threat model, malware could stealthy run earlier and read the timezone before you’ve obfuscated it.

It’s the default Qubes design and I don’t think they had a VM Fingerprinting alike threat model in mind.

Eldricht · August 2, 2023, 12:18pm

Worrisome. Do you suggest applying the mitigation for the time being?

Eldricht · August 2, 2023, 12:45pm

After looking at qubes-db; the keyboard-layout is also available as a data point for non-US keyboards. This is true for KVM as well if you change the layout, but is there a possibility of hiding it in Qubes while still allowing for special characters or keymaps to be used?

extraextra · August 2, 2023, 1:08pm

qubesdb-multiread /

Patrick · August 2, 2023, 2:45pm

After looking at qubes-db; the keyboard-layout is also available as a data point for non-US keyboards.

Added another comment to that ticket just now.

No, because it requires locally running malware to specifically targeting this but if that happens it could easily circumvent the mitigation.

That might make sense in the far future (if that ever happens) when hardening such as the following is implemented:

I doubt it but I also don’t know. This you need need to ask Qubes. Qubes-Whonix is an integration of Whonix into Qubes. Qubes-Whonix however will inherit all the advantages and disadvantages (such as this specific use case of qubesdb) from Qubes.

These issues can easily remain unresolved for years. See also:

qwhnx · October 22, 2024, 11:00am

If we’re in luck @arraybolt3 thinks this issue looks interesting.

Excellent work with kloak for Qubes. This is another core qubes component that may need C code contributions from Whonix’s end.