I am running PureOS KDE Plasma on a librem mini with no wireless card. Can anyone tell me how someone would be able to see my screen (boot screens and OS desktop) and possibly have access to my keyboard and mouse, from the minute I turn on the computer (not even connected to internet yet)? I’ve blacklisted bluetooth and nfc. What technology am I missing? This person is in close proximity to me if that helps narrow it down.
Theoretically an attacker could capture the electromagnetic signals that are emitted by your devices. Not sure what equipment and knowledge an attacker needs to have to get images where anything is recognizable.
If your keyboard and mouse are wireless there may be a good chance that these are vulnerable. Logitech e.g. has peripherals with 2.4GHz radio and Bluetooth connections which they say are encrypted. I don’t know if they mean both channels. Anyway, there have been vulnerabilities discovered. New firmware has been released to fix it. I tell this just as an example to show that it may be difficult to get secure wireless peripherals at all. I am not a specialist but Bluetooth doesn’t seem to be a very secure channel.
How do you know that someone is seeing your screen and do you see that your device is remote controlled?
I would think that such a screen capture attack is relatively sophisticated and needs special software, maybe radio equipment. I would not expect such from a script kiddie in the neighborhood. Maybe law enforcement or intelligence services or scientists. I have never heard of an actual screen capturing in the wild, but I am no insider. On the other side, sometimes such attacks can be surprisingly cheap. Cheap radio hardware. There is something like software-defined radios. And there may be open source software to perform such an attack.
P.S. People who read this post also bought a Faraday cage.
Thank you so much for weighing in so fast. Let’s just say they are kind enough to let me know they can see my screen. Keyboard and mouse are wireless. I’ll continue to look for clues. Thank you!
Maybe they see your screen directly? Or via mirroring? Or via a camera device? Or they are in control of your computer via some Trojan software? The last would explain both, that they read your screen and control your inputs.
Did they ever get physical access to your computer? Did you get any storage device like a thumb drive from them? Did you get email from them? Why do you run KDE? Do you connect your Android to the Librem Mini? What about pureboot? Did it alert any system tampering?
Thanks for your questions. I’m not sure why I am running KDE plasma.
Yes I was alerted to tampering the first time I updated grub on this machine trying to get rid of the screen flickering. I think there was also an exploit that got on my machine at this time. I do not have a camera on this computer. Could anything be happening via some type of spoofing?
I would argue this is a topic regarding general computer security as it is not unique to PureOS, but I digress…
Correct. The challenge with electronic emanations is that this attack vector exists whether wired or wireless. It is often a cat-and-mouse game, and “thorough” mitigations are usually prohibitively expensive, unless you work for a SCIF construction company/defense contractor. Context:
“TEMPEST is a U.S. National Security Agency specification and a NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST covers both methods to spy upon others and how to shield equipment against such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC).” Source: Wikipedia
There are a myriad of ways in which device emanations may be detected and deciphered by an attacker. @prolog is exactly correct by mentioning that software-defined radios provide an easy attack vector. Here is a relatively well-known method to use SDR to snoop on video signals, for example.
Generally, the more wired devices you use, the better. As is often the case with computer security, there is no completely secure computer but you can set up as many security measures as appropriate for your threat model and asset value.
However, people are clever and even wired devices may be tampered with. There are USB cables, for example, that look completely identical to normal ones but include microcontrollers and even WiFi/BT chips for data exfiltration.
I just have so many questions. I’d need soooo much context.
Thank you @JCS
I know, it’s a long story and fairly unbelievable so I didn’t bother. I know it’s hard to help with very little context, but I’ve seen some nasty replies to people in similar situations such as mine.
I see some weird stuff in journal logs. Can I blacklist module kvmgt.ko?
Oct 06 19:48:25 MorningSun audit: EXECVE argc=31 a0="modprobe" a1="--all" a2="--set-version=5.10.0-23-amd64" a3="--ignore-install" a4="--quiet" a5="--show-depends" a6="ttm" a7="mgag200" a8="vmwgfx" a9="radeon" a10="virtio-gpu" a11="gma500_gfx" a12="sil164" a13="ch7006" a14="nouveau" a15="amdgpu" a16="bochs-drm" a17="vgem" a18="cirrus" a19="drm_vram_helper" a20="qxl" a21="drm_xen_front" a22="drm" a23="gpu-sched" a24="drm_ttm_helper" a25="vboxvideo" a26="i915" a27="kvmgt" a28="udl" a29="ast" a30="drm_kms_helper"
Oct 06 19:48:25 MorningSun audit: EXECVE argc=30 a0="modprobe" a1="--all" a2="--set-version=5.10.0-23-amd64" a3="--quiet" a4="--show-depends" a5="ttm" a6="mgag200" a7="vmwgfx" a8="radeon" a9="virtio-gpu" a10="gma500_gfx" a11="sil164" a12="ch7006" a13="nouveau" a14="amdgpu" a15="bochs-drm" a16="vgem" a17="cirrus" a18="drm_vram_helper" a19="qxl" a20="drm_xen_front" a21="drm" a22="gpu-sched" a23="drm_ttm_helper" a24="vboxvideo" a25="i915" a26="kvmgt" a27="udl" a28="ast" a29="drm_kms_helper"
Oct 06 19:48:25 MorningSun audit: EXECVE argc=3 a0="mkdir" a1="-p" a2="/var/tmp/mkinitramfs_zp2Ynq//usr/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915"
Oct 06 19:48:25 MorningSun audit: EXECVE argc=4 a0="cp" a1="-pP" a2="/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/i915.ko" a3="/var/tmp/mkinitramfs_zp2Ynq//usr/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/i915.ko"
Oct 06 19:48:25 MorningSun audit: EXECVE argc=6 a0="modinfo" a1="-k" a2="5.10.0-23-amd64" a3="-F" a4="firmware" a5="/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/i915.ko"
Oct 06 19:48:25 MorningSun audit: EXECVE argc=3 a0="mkdir" a1="-p" a2="/var/tmp/mkinitramfs_zp2Ynq//usr/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/gvt"
Oct 06 19:48:25 MorningSun audit: EXECVE argc=4 a0="cp" a1="-pP" a2="/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/gvt/kvmgt.ko" a3="/var/tmp/mkinitramfs_zp2Ynq//usr/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/gvt/kvmgt.ko"
Oct 06 19:48:25 MorningSun audit: EXECVE argc=6 a0="modinfo" a1="-k" a2="5.10.0-23-amd64" a3="-F" a4="firmware" a5="/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/gvt/kvmgt.ko"
Oct 06 14:14:22 MorningSun kernel: i915 0000:00:02.0: [drm] failed to retrieve link info, disabling eDP
Pulled from the internet. Could this be the culprit? I am a noob with poor technical knowledge:
“Am I understanding it correctly? “KVMGT” (or whatever acronym is correct) makes it possible to run with the KVM hypervisor a VM that can run a native GPU driver/module and therefore get near-native performance AND use the same GPU that the host is using (no dedicated GPU for the VM)?”
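The journal excerpt in the post above, read with an added example that is not code from anyone in the thread: auditd EXECVE records split argv into aN= fields and hex-encode any argument containing whitespace or non-printable bytes, so rebuilding the command line makes them readable. Records that stage files under /var/tmp/mkinitramfs_* and call modprobe --show-depends are what initramfs-tools (update-initramfs) produces while rebuilding the initramfs; the triage rule and the sample records below are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: turn auditd EXECVE records back
# into readable command lines. auditd writes plain arguments as a0="cp" and
# hex-encodes any argument holding whitespace or non-printable bytes.

hex_decode() {                     # hex string -> raw bytes, POSIX sh only
  h=$1
  while [ ${#h} -ge 2 ]; do
    byte=${h%"${h#??}"}            # first two hex digits
    h=${h#??}
    printf "\\$(printf '%03o' "$((0x$byte))")"
  done
}

audit_execve_cmdline() (           # one EXECVE record -> command line
  set -f                           # a token like a1="*" must not glob-expand
  args=${1#*argc=}                 # keep everything after "argc="
  args=${args#* }                  # drop the count itself
  out=""
  for tok in $args; do             # safe: encoded args never contain spaces
    val=${tok#a[0-9]*=}            # strip the aN= field name
    case $val in
      \"*\")          val=${val#\"}; val=${val%\"} ;;
      *[!0-9A-Fa-f]*) ;;           # e.g. (null): not hex, keep verbatim
      *)              val=$(hex_decode "$val") ;;
    esac
    out="$out $val"
  done
  printf '%s\n' "${out# }"
)

# Triage: mkinitramfs stages modules under /var/tmp/mkinitramfs_* and resolves
# dependencies with "modprobe --show-depends"; other module loads merit a look.
classify_execve() {
  cmd=$(audit_execve_cmdline "$1")
  case $cmd in
    *"/var/tmp/mkinitramfs_"*|"modprobe --all --set-version="*"--show-depends"*)
                                 echo initramfs-build ;;
    "modprobe "*|"insmod "*)     echo module-load ;;
    *)                           echo other ;;
  esac
}

# Constructed sample records in the shape of the journal excerpt.
SAMPLE_CP='Oct 06 19:48:25 MorningSun audit: EXECVE argc=4 a0="cp" a1="-pP" a2="/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/gvt/kvmgt.ko" a3="/var/tmp/mkinitramfs_zp2Ynq//usr/lib/modules/5.10.0-23-amd64/kernel/drivers/gpu/drm/i915/gvt/kvmgt.ko"'
SAMPLE_HEX='Oct 06 19:50:01 MorningSun audit: EXECVE argc=2 a0="insmod" a1=2F746D702F74657374206D6F642E6B6F'
for rec in "$SAMPLE_CP" "$SAMPLE_HEX"; do
  printf '%-16s %s\n' "$(classify_execve "$rec")" "$(audit_execve_cmdline "$rec")"
done
```

Feed it real records with `journalctl -k | grep 'audit: EXECVE'` on the host in question to see which module activity is the initramfs build and which is not.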
To know what the culprit is, I would need to have a bounded understanding of the issue. All I understand is that you are experiencing screen flickering (could be a faulty physical connection or display driver) and that you suspect malicious activity from someone nearby (a whole different conversation altogether).
Going on to your next question:
After looking it up, the kvmgt kernel module is also used in Intel GVT-g technology, which is used to virtualize the GPU for multiple guest virtual machines, effectively providing near-native graphics performance in the virtual machine and still letting your host use the virtualized GPU normally.
…so I would say that you are correct.
tysm. I am going to blacklist this module.
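One way to carry out the blacklisting discussed above, as an added example that is not from any participant in the thread. It assumes PureOS follows its Debian base (modprobe.d fragments and initramfs-tools' update-initramfs); the cp lines in the journal excerpt show the module being staged into the initramfs, which is why that image is rebuilt as well.

```shell
#!/bin/sh
# Added example, not from the thread: keep a module such as kvmgt from
# loading on a Debian-family system. Assumes PureOS uses Debian's
# modprobe.d layout and initramfs-tools (update-initramfs).
set -eu

# Write a modprobe.d fragment for MODULE into DIR (default /etc/modprobe.d).
# "blacklist" only stops alias-driven autoloading; the "install" line makes
# explicit loads (modprobe, or another module depending on it) fail too.
write_module_blacklist() {
  module=$1
  dir=${2:-/etc/modprobe.d}
  conf="$dir/blacklist-$module.conf"
  printf '%s\n' \
    "# $module: Intel GVT-g (KVM backend); not wanted on this host" \
    "blacklist $module" \
    "install $module /bin/false" > "$conf"
  printf '%s\n' "$conf"
}

module_state() {                  # "loaded" / "not-loaded", as lsmod would show
  grep -q "^$1 " /proc/modules 2>/dev/null && echo loaded || echo not-loaded
}

# Count the blacklist/install directives modprobe really parsed for MODULE
# (2 means both are active; needs the module tools installed).
active_directives() {
  modprobe --showconfig 2>/dev/null \
    | grep -cE "^(blacklist|install) $1( |\$)" || true
}

# Whole procedure; run as root. The initramfs must be rebuilt because the
# module is copied into it (see the cp lines in the journal excerpt).
apply_module_blacklist() {
  conf=$(write_module_blacklist "$1")
  echo "wrote $conf"
  update-initramfs -u               # regenerate initrd for the running kernel
  modprobe -n -v "$1" || true       # dry run: should now print the install line
  echo "$1 is $(module_state "$1"); active directives: $(active_directives "$1")"
  echo "if it is loaded now, unload it with: rmmod $1 (or reboot)"
}

if [ "${1:-}" = apply ]; then
  apply_module_blacklist "${2:-kvmgt}"
fi
```

Run as `sudo sh blacklist-module.sh apply kvmgt` (any file name works); without the `apply` argument the script only defines the functions.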
Of course you don’t have to tell us more if you are uncomfortable with it or if it would get you in trouble. Still I am curious.
If “they” told you that they see your screen they may do so to show off. Like some criminals tend to talk proudly about their crime to a third party. That could be some students with technical knowledge bothering you, maybe to see your reactions.
If it is some more serious actor, what would be the intent of letting you know that they can see your screen? Let’s just imagine for a moment that you are suspected of doing something illegal. If they really see your screen, why should they tell you so? They would give away an advantage. But they may make mistakes, too. Or they simply don’t see your screen and just pretend to, to drive you nuts, to stop some activity and maybe make some fatal mistake.
Maybe think about why they target you? Is it just the opportunity that you are nearby? Do they have a reason to be after you (at least in their logic)? Are you worth the effort of such an attack?
Those could be factors for your risk evaluation; also, there are no guarantees that a motivated attacker brings high effort to the table to go after someone who seems unimportant. I guess history has quite some of those cases.
So there are many speculations. I have simply watched too many spy movies. ^^
Maybe one important note on the wireless keyboard. This may be a severe attack vector. If the attacker manages to spoof keyboard inputs, malicious programs like scripts may simply be “typed in” via that keyboard connection.