-what are the possible bad results if the USB drive's serial number
is exposed in Whonix? How could that lead to de-anonymization?
Yes, if these serial numbers are stored somewhere else also. They
could be limited to a specific geographical area. Or they might even
have a trail to who sold it. And the seller might have a trail to whom
it was sold.
-I'm not sure what "flashing" is. What could be the bad results of
an attacker flashing the USB drive while connected to Whonix?
Flashing means overwriting the firmware. Which is, simply put, like
the operating system running on a device. On the USB stack in this
case. Malware could be flashed on the firmware while the USB is still
functional. Once reconnecting the USB to the host
-do you have to be de-anonymized before these USB problems could
In most cases, the VM needs to be already compromised.
Reading USB serials though non-code exploration level exploits, bugs
or new fancy [browser or similar] features is also thinkable. [Like
webrtc allows to read the users _local_ IP address.]
-does tunneling Whonix through a VPN reduce the risk of these USB