Compromised portable router

Durian-Pixel

I've been through a lot of these discussions, it seems when someone is seeking help the community is mostly helpful, but also quick to bash someone by claiming that they don't have enough proof to back their claims and they're paranoid, then a mod comes along and locks the thread.

Anyways, I'll try my luck.

I'm currently using a grapheneneos device (6a), I have reasons to believe that it is compromised because my laptop, Fedora Kinoite was compromised (using the same portable router as GOS).

I know that the laptop is compromise because the person living with me has made it obvious that he knew what I was browsing about on the web.

My question is: should I sell both my laptop and my pixel 6a or would reflashing grapheneos on my pixel 6a be sufficient?

I know that grapheneos is supposedly more secure than any Linux distribution but the fact that I'm living with a hacker and the same portable router had been compromised leads me to think that I better either reflash my pixel phone or would selling it be the best option?

Obviously at this point I'm moving out to a new place, possibly even a different town.

Also, is my compromised Linux Kinote PC salvageable? Flashing BIOS seems risky, and I need secure devices to run my businesses.

I hope that this is enough information, instead of being skeptical and locking the thread please give me some good suggestions, I'm already very stressed out and have def been compromised with my laptop for sure and most likely the GOS too.

I do lock my room door when I leave the house but may have forgotten to a few times.

Tryptamine

Durian-Pixel

If he had physical access to your laptop, it is way more likely that something was installed on your laptop when you weren't home! Are the USB ports set to need a supervisor password before anything can be run from them from the F12 menu (where you choose an external drive to boot from)? Do you have a superviso/boot password on it at all? How secure is your login password and is it needed when resuming from sleep/screen off? Ever put a password on your root user? (Many distributions don't have any password on su out of the box)

Before your login screen is it possible to get to an options menu and boot into a recovery terminal? This is where really nasty things can be installed, especially if root has no password... Ubuntu has this option, don't know about Fedora, but I'd hazard a guess they do, since it's the only way other than live CD to fix OS not booting correctly problems.

To wipe everything from your PC, (except BIOS/firmware bugs) just wipe your hard drive and reinstall, preferably with LUKS full dusk encryption. Ubuntu 23.10, and 24.04 if its out support TPM-backed FDE that has verified boot, a first in the desktop Linux world! Choosing this option also installs an all-snap base of software and system packages for enhanced security, and your system folders are not writeable. I would recommend that for reinstall.

Go ahead and flash your BIOS with a USB. Download the most recent from your laptop's drivers page and make a USB, they will walk you through how to do it safely! I do it whenever a new one comes out. You can also in Ubuntu run the firmware updater which will fetch the most recent firmware and update that safely!

After that put a good supervisor and boot password on your laptop, make them different and make the boot password needed on restart as well as on cold boot. Its what I do.

For your Pixel, once you unlock the bootloader as part of reinstalling GrapheneOS, all data is wiped. The reinstall even reinstalls your bootloader and radio firmware. Want to be extra sure? when done the install, get platform tools so you can run this command, then run the installer again to write over the other slot (probably not necessary, but if you want to):

fastboot --set-active=other

Will select the other boot slot, and the installer will overwrite it as well. I think that running it once the data gets copied over, but I'm not knowledgeable to say for sure. When I ran into problems with the command line based flash-all.sh script (which I think is what the web installer uses) and I saw it only writing one side, I just ran the command above and ran the script again. Got me away from my phone saying it was corrupted!

Durian-Pixel

Tryptamine

Firstly thank you for your reply,

Bios itself on my PC has a password but not the USB ports, the password isn't very secure tbh, something I need to work on.

So you're saying to wipe the hard drive by installing Ubuntu with full encryption before updating or flashing BIOS?

Doesn't Ubuntu expose the MAC address which could be used to identify me again? The new Fedora (40) comes with a MAC address randomization feature, but not the TPM feature for booting as you've mentioned as far as I know..

I'm using a Lenovo, and on their support page there's only an executable file that can be downloaded and run by Windows to update firmware, no file seems to be available to flash it.

I'll def put good passwords for supervisor and boot if I manage to flash BIOS and reinstall an os.

Thanks again for the tips, new to cyber security but will def exercise a lot more caution next time.

Probably time to get rid of the portable router too. How safe is using a sim card if someone were to know the number?

Chipper

I certainly dont want to cast aspersions on your experience to bash you or insinuate mental illness, however i am also aware that reality has a tendency to present itself in accordance with our aims, and so while I think it is great that you are being so vigilant in the protection of your privacy (i personally find it completely unacceptable that we live in a world where so many seem to think they have some right to know everything about everyone or else they are hiding something) have you considered other potential avenues for the source of this inside information that your flatmate has indicated they have on you?
You make mention of a compromised portable router? is it possible that if the passwords where known or the device compromised in some way that the person could not have just sniffed your traffic via that mechanisim? or alternatively simply spoofed your router causing you to log into the spoofed access point and again simply sniffed your traffic?
I simply ask because that seems easier to me then installing some persisting malware on your device physically or even remotely.

Durian-Pixel

Chipper

Not at all,

Well as you can see, I am fighting blindfolded.

Sadly the age of social media programs people to think that they have the right to intrude into lives of others without having any consequences.

Going back to fighting blindfolded, I'm at a point now where I will have to move out of my flat but I don't want to have to buy a new laptop - so which method was used to compromise my devices will only drive me insane trying to figure it out.

I am currently on the verge of re-flashing GOS on my Pixel 6a, hopefully that will clear malware (if any) on my phone, and I am also currently stuck up on what to do with my laptop.

I'm having a hard time finding what to do, as suggested earlier - updating the firmware seems to be the only viable option but I'm afraid of exposing my MAC address online, I understand I am being extra careful but I believe that you can't be too careful these days especially when running a serious online business.

Any suggestions on what to do with my GOS moving forward would be much appreciated:

Should I switch to my sim card (same sim in my portable router) after flashing GOS again? Get a new sim card instead?
Would flashing firmware on my Lenovo laptop do the trick? Should I install Fedora afterwards which has MAC address randomization like GOS does, install Ubuntu as suggested by Tryptamine because of the TPM-backed FDE, or familiarize myself with QUBESOS?

Thanks in advanced!

de0u

Durian-Pixel I'm afraid of exposing my MAC address online, I understand I am being extra careful but I believe that you can't be too careful these days especially when running a serious online business.

With all due respect, I don't see what concealing one's MAC address has to do with running an online business. I think it might make sense to focus on the smallest number of things that would improve your confidence in your computing environment, as opposed to trying to protect/conceal everything all at once.

For example: go to a randomly-selected Best Buy, buy a cheap Chromebook (2GB of free memory available and 32GB of free storage space should be possible on a cheap Chromebook), use that to re-flash your phone (if a factory reset would not provide enough confidence). Use the Chromebook to reset passwords etc. You could even have Best Buy run a scan on your Lenovo laptop, and perhaps flash the BIOS.

Just my two cents!

matchboxbananasynergy

You don't need to reflash GrapheneOS. A factory reset does the exact same thing.

Even if your laptop/router has been compromised (I'm not going to fight you on whether it has happened or not; I don't know your circumstances), you don't just "hack" a Pixel device running GrapheneOS.

Unless you think the person doing this has millions of dollars or is some insane blackhat prodigy, you should keep in mind that Android is an extremely secure platform, and GrapheneOS only amplifies that. If they've been able to unlock your phone and potentially install software on it, then they might have installed some stalkerware app, which when given accessibility permissions can have a lot of control over your device, but that's gone with a factory reset.

If you've used Auditor before this point, you could also do a check and see whether any accessibility services have been enabled (Auditor presents results on attestation.app or the screen of a secondary device, which is useful, because an app on your own phone could present fake results if it had been taken over).

Your phone is very likely fine. You should also consider what someone said above: if someone can log into the router's admin panel, they can see traffic coming in and out, that's much easier and more likely than sophisticated persistent malware. The simplest explanation is realistically going to be more likely, as much as we can get carried away.

matchboxbananasynergy

Also, I wanted to add another point towards what was mentioned in the OP about the moderation team coming in and locking threads like this.

We do that not because we don't think people can be compromised, neither do we assume people are imagining things or trolling (though that also happens). We try to provide advice, but really, assuming what's said is true, there's only so much we can do. We develop a secure and private OS, and we can provide general advice as I have in the post above. We don't have the device, and we're not doing analysis like e.g. Citizen Lab would. If people really think they're being compromised with what sounds like insanely expensive mercenary spyware, they should be taking their devices to these organisations to have them figure it out and create a report, not posting about it here, as the latter's not going to be able to provide the assistance someone so thoroughly compromised needs.

Durian-Pixel

matchboxbananasynergy

its a valid question as most of the community are concerned with security otherwise they would have just used a regular android or iOS phone. I was getting some good suggestions until you came around basically saying "don't make our precious grapheneos look bad, hacking is only done by powerful millionaires, its super expensive", but the truth is people are actually getting hacked and its supposedly super easy and common. I don't see anything wrong in asking, I'm trying to make sure I made the right move by choosing this os, that's all.

PeterPan

tbh. if this is your room mate... go to the police or make him friend with a ****** . I assure you he won't do that again. :=)

Furthermore just to tell which webpages you visisted is not magic and even does not require any hacker skills... In addition to that thinking that the router/ap is compromised is still no evidence.

Tryptamine

Definitely get police involved if there is any suspicion of hacking. That should have been one of the first things said... There are many ways that this could have happened, as listed by all the other wonderful people above. If you want to give yourself peace of mind, that's why I gave you my suggestions. As @matchboxbananasynergy said, a factory reset is likely enough. Don't take a backup and set it up from scratch to be extra sure I guess... Only thing that won't do is replace the radio or bootloader, but that's probably not necessary.

I'm a big fan of Ubuntu, especially since they have verified and measured boot now! (Only if you install with TPM-backed FDE) 24.04 is supposed to bring in allowing third-party graphics drivers with this kind of install, 23.10 doesn't allow them yet.

There is MAC randomization on Ubuntu, I think, but maybe not by default. You can get it working with some apt packages. Really don't worry too much about that now though, you have bigger fish to fry!

matchboxbananasynergy

Tryptamine I'm a big fan of Ubuntu, especially since they have verified and measured boot now!

"verified" boot in desktop OSes isn't an actual implementation of verified/secure boot and doesn't provide the same properties required for it to be a proper security feature as on Android/iOS. It's mostly marketing.

Tryptamine

matchboxbananasynergy I dunno, seems to me that they are implementing it quite well, and not just expanding on normal Secure Boot... Of course I could be wrong! Here is another source. I'm sure it is implemented differently in GrapheneOS, would you mind letting me know what is missing from their description of verified and measured boot in conjunction with a secure element is different from how it is done on Android or GrapheneOS? I'd love to know, can't find much more on my own! To me it seems like something desirable to have.

I believe that verified boot on Android attempts to undo corruption or damage to system files, and their method would just result in a boot failing. Is this what you are talking about?

Secured boot has been a thing on the desktop for over 12 years, be a shame if they haven't gotten it right yet. I think it only verifies the early boot process though. Ubuntu's new approach seems to verify the whole boot chain. Then record the process and compare to a "known good" boot to ensure that it went OK. After only allowing each module to load if it is signed with the correct cryptographic keys.

Also you need to do a lot of digging to find this stuff! They don't "market" these features at all...

If you can teach me something about how Android implements it that is different, I'd be most appreciative!

AtavisticPuma

Apart from the reflashing advice, I think it is good general advice to also make sure you are managing your stress levels.
There is a saying, "The best revenge is living well". If you have an enemy who is trying to disrupt your life, make sure you are not doing all the work for them, turning your life upside down and spending thousands of $$$ just based on some vague comments.

Before making big life changes, check in with a calm, level-headed friend to see if they think your reactions make sense given the situation you are in. Talking to a counsellor could help here too, to help you get out of this panic mode, which is the end-goal for most harassers.

Obviously I don't know your whole situation, but from what you've shared I think it sounds very rash to want to sell your devices and move towns based on inferences that you made after one or two conversations with a roommate. Especially given that you don't have a great amount of understanding of how hacking works and what the evidence for it would look like.

Tryptamine

AtavisticPuma Before making big life changes, check in with a calm, level-headed friend to see if they think your reactions make sense given the situation you are in. Talking to a counsellor could help here too, to help you get out of this panic mode, which is the end-goal for most harassers.

I think this is the best advice yet!

Take it easy, and yes, please don't sell your devices. You can certainly clean them out, follow some of the suggestions above or do your own research! If you do your own reading though, take the drastic suggestions with a LOT of salt!

matchboxbananasynergy

Durian-Pixel "don't make our precious grapheneos look bad, hacking is only done by powerful millionaires, its super expensive"

That is not at all what I said, and it's not specific to GrapheneOS. If you think compromising an up-to-date and patched Android device on decent hardware is easy or commonplace, you're sorely mistaken.

It was already explained to you how one can "easily" install stalkerware on an Android device in a way that doesn't require anything advanced, however that requires them having physical access to the device and being able to install an app.

Not only did I mention that, but I also gave you actionable steps (factory reset, don't reflash, if you've made an initial pairing with auditor, use it to check the integrity of the device with high security guarantees). Yet this is your response?

If you want to think you've been magically compromised by some imaginary zero day exploit chain that a normal person possesses yet nation states pay millions upon millions of dollars for, then I don't know what else I can tell you.

Durian-Pixel

Best buy, chrome books, police etc. Not so easy in a 3rd world country.

I was def hacked and just don't know how. Pointing at the specifics like trying to conceal my MAC address is besides the point, I'll do anything to get to the bottom of it.

Anyways, a lot of good suggestions here, really appreciated it. More is welcome of course

Durian-Pixel

matchboxbananasynergy

Not going to argue with you anymore, hacking is super easy.

PS: people liking your comment doesn't validate it

Watch this: https://youtu.be/VPd8s0DrheU?si=4ChTpF6oPWcdGuXg

matchboxbananasynergy

I highly suggest not using YouTube as a source to learn about these topics. The thread isn't productive, and it's fairly obvious that you don't need actionable advice if people aren't going to confirm your belief that you've been compromised.

When someone believes that they've been compromised for vague non-technical reasons, there's rarely a technical solution to the issue.