Keystroke and Mouse Deanonymization

From Whonix

Deanonymization through keystroke and mouse movement analysis, fingerprinting techniques, and protective measures.

Keystroke Dynamics

Keystroke biometric algorithms have advanced to the point where it is viable to fingerprint users based on soft biometric traits. This is a privacy risk because masking spatial information -- such as the IP address via Tor -- is insufficient to anonymize users. [1]

Users can be uniquely fingerprinted based on: [2]

  • Typing speed.
  • Exactly when each key is located and pressed (seek time), how long it is held down before release (hold time), and when the next key is pressed (flight time).
  • How long the breaks/pauses are in typing.
  • How many errors are made and the most common errors produced.
  • How errors are corrected during the drafting of material.
  • The type of local keyboard that is being used.
  • Whether they are likely right or left-handed.
  • Rapidity of letter sequencing indicating the user's likely native language.
  • Keyboard layout, as the placement of the keys on the keyboard leads to different key seek times and typing mistakes.

A unique neural algorithm generates a primary pattern for future comparison. It is thought that most individuals produce keystrokes that are as unique as handwriting or signatures. This technique is imperfect; typing styles can vary during the day and between different days depending on the user's emotional state and energy level. [2]

Unless protective steps are taken to obfuscate the time intervals between key press and release events, it is likely most users can be deanonymized based on their keystroke manner and rhythm biometrics. Adversaries are likely to have samples of clearnet keystroke fingerprinting which they can compare with "anonymous" Tor samples.

Typing on the most popular keyboard layout, which is probably en-US, might help with mitigation; however, a more effective approach is the following. At a minimum, users should not type into browsers with JavaScript enabled, since this opens up this deanonymization vector. Text should be written in an offline text editor and then copied and pasted into the web interface when it is complete.

In addition, users must also disguise their linguistic style to combat stylometry (stylometric analysis) and be aware of mouse tracking techniques available to adversaries.

Mouse Fingerprinting

Mouse or cursor tracking occurs when software collects the positions of the mouse cursor and click data on the computer. While this can have benefits for web designers, it also poses a privacy (profiling) threat. Without explicit user consent or awareness, a range of data can be leaked via JavaScript, plug-ins or other software: [3]

  • JavaScript and Cascading Style Sheets (CSS) [4] readily allow developers to track users' mouse movements by simply entering relevant code on the webpage. This has already been employed on high-traffic websites, such as search engines.
  • Similar to JavaScript, installed and enabled software modules (plug-ins) can track mouse movements.
  • Specific mouse tracking software can reveal:
    • mouse location
    • time stamps
    • mouse clicks
    • a mouse cursor hovering over embedded links and its duration
    • the amount of time spent in certain webpage areas
    • heat maps
    • full playbacks which retrace the mouse's trajectory
    • mouse wheel tracking [5]

For a practical example of deanonymization, consider someone who regularly uses both clearnet and Tor with JavaScript enabled. Individuals have distinctly unique characteristics associated with mouse movements and mouse clicks. Therefore, if these research methods are used in the public domain, supervised learning methods are likely to "learn" the typical behavior of individuals. Over time, it may be possible to link "anonymous" activities with the known profile of a clearnet user with a high degree of probability. [3] [6]

Disabling JavaScript cannot mitigate this, as mouse tracking can also be done with just CSS. [7] The author of the Kloak software tool has noted that high-accuracy device fingerprinting can be performed with DOM event timestamps, and that this affects both keyboard and mouse events.

A solution was implemented in Kloak that involves slight delays of mouse events to throw off phase estimation. [8]

Threat Model

There are two general situations where biometric fingerprinting via keyboard and mouse behavior can be a problem:

  • An adversary can observe your behavior both when using Tor and when using clearnet, and is attempting to link your activity on Tor to your identity.
  • An adversary can only observe your behavior over Tor, and is attempting to uniquely detect you separately from other Tor users.

Without defenses, the adversary in either of these scenarios can obtain a fingerprint unique to you by observing your patterns of keystrokes as described above. Mouse movements can be fingerprinted in a manner very similar to keystrokes. If the adversary can observe your behavior both on Tor and when using clearnet, they can conclude that the person with your fingerprint when using Tor is the same person with your fingerprint when using clearnet, and thus deanonymize your Tor activity.

If the adversary can only observe your behavior when using Tor, they cannot determine your real identity using biometric techniques alone, but they can still tell you apart from other Tor users. This may be problematic if an entity that provides a resource over Tor has the desire to prevent you from accessing the resource, or wishes to watch what you in particular do when you interact with the resource.

Defenses

Kloak

Kloak is an input device anonymization tool. It includes mitigations for keystroke fingerprinting as well as for masking unique user mouse movement behavior.[9][10][11] Kloak does not mask mouse movement behavior as effectively as it masks typing behavior; see Limitations below.

Kloak is installed in Non-Qubes-Whonix Whonix-Workstation by default.

We recommend installing kloak on the host too, so it remains effective in the event of a Whonix-Workstation VM compromise. If you need to access accounts (for example banking) that enforce keystroke biometrics, then it may be a good idea to just limit installation to Whonix VMs.

Kloak has the added benefit of foiling attacks that identify search queries in encrypted network traffic using information leaked through autocomplete suggestions of search engines. [13] [14]

kloak is designed to stymie adversary attempts to identify and/or impersonate users' biometric traits. The GitHub site succinctly describes kloak's purpose and the tradeoff between usability and the level of privacy. Notably, shorter time delays between keystrokes and release events reduce overall anonymity: [15]

kloak is a privacy tool that makes keystroke biometrics less effective. This is accomplished by obfuscating the time intervals between key press and release events, which are typically used for identification. This project is experimental.

...

kloak works by introducing a random delay to each key press and release event. This requires temporarily buffering the event before it reaches the application (e.g., a text editor).

The maximum delay is specified with the -d option. This is the maximum delay (in milliseconds) that can occur between the physical key events and writing key events to the user-level input device. The default is 100 ms, which was shown to achieve about a 20-30% reduction in identification accuracy and doesn't create too much lag between the user and the application (see the paper below). As the maximum delay increases, the ability to obfuscate typing behavior also increases and the responsiveness of the application decreases. This reflects a tradeoff between usability and privacy.

While kloak makes it hard for adversaries to identify individuals or to replicate their typing behavior -- for example to overcome two-factor authentication based on keystroke biometrics -- it is not perfect and has limitations; see Limitations below.

Rescue Keys

Kloak by default recognizes a "rescue key" sequence, which will terminate the kloak process.

The default rescue key sequence is KEY_LEFTSHIFT + KEY_RIGHTSHIFT + KEY_ESC (i.e. left shift + right shift + escape).

Depending on how kloak is run:

  • A) daemon: If you are running kloak as a systemd service (the default), this will restart kloak (as systemd will automatically re-launch it after it terminates).
  • B) manual: If you are running kloak in a terminal, this will terminate kloak, which will then no longer anonymize keyboard and mouse actions.

Rescue Keys Customization

Kloak rescue keys may be customized by using the -k option, which takes a comma-separated list of key codes as an argument. The full list of supported key codes can be seen at keycodes.c.

For instance, to run kloak with the rescue key set to KEY_LEFTSHIFT + KEY_ESC, run:

1. Stop background kloak process first.

sudo systemctl stop kloak

2. Run kloak in terminal.

sudo kloak -k KEY_LEFTSHIFT,KEY_ESC

3. Terminate with Ctrl+C or rescue key sequence when done.

4. Restart background kloak process.

sudo systemctl start kloak

5. Persistent configuration change.

To make this change permanent, see setting persistent kloak settings.

6. Done.

Disabling rescue keys

Some users have reported that they are unable to use certain keyboard shortcuts on account of the rescue key functionality. To disable the rescue key feature entirely, you may use the -p option. Be warned that this will prevent you from terminating or restarting kloak using the rescue key sequence! To run kloak with the rescue key feature disabled:

1. Stop background kloak process first.

sudo systemctl stop kloak

2. Run kloak in terminal.

sudo kloak -p

3. Terminate with Ctrl+C when done.

4. Restart background kloak process.

sudo systemctl start kloak

5. Persistent configuration change.

To make this change permanent, see setting persistent kloak settings.

6. Done.

Kloak Debug Mode

If you are experiencing problems with kloak, generating debug logs can be useful for determining what's going wrong.

Warning:

  • Only enable in case of issues when needing a log file for debugging or sharing with a trusted user.
  • Kloak acts as a keylogger when running in verbose mode! Logs contain detailed info of all keystrokes and mouse movements made while kloak is running. Sharing kloak logs with another individual reveals key logs, mouse activity logs, and keyboard/mouse biometrics to the receiving user. Do not do anything sensitive while kloak is generating debug logs! Under no circumstances should you share a kloak log with any user you do not fully trust! Do not publicize kloak logs, transmit them over an insecure channel, or store them online unencrypted!

Kloak provides a -v option that is useful in these scenarios. Due to the volume of data kloak produces during logging, it is recommended that you run kloak in a terminal when gathering logs. To run kloak in verbose mode, run the following commands:

1. Stop background kloak process first

sudo systemctl stop kloak

2. Run kloak in terminal

sudo kloak -v

3. Gather logs, then terminate with Ctrl+C or rescue key sequence.

4. Restart background kloak process

sudo systemctl start kloak

5. Persistent configuration change.

To make this change permanent, see setting persistent kloak settings.

6. Done.

Setting persistent kloak settings

Notes:

  • Kloak's verbose mode can be enabled as a persistent setting by following these instructions. However, verbose mode generates copious amounts of data, which may consume large amounts of disk space or cause wear-and-tear on the disks. Enabling verbose mode as a persistent setting is not recommended.

If you use kloak as a systemd service and wish to use some of its options, you may do so by adding a configuration file for kloak. To do this:

1. Open file /lib/systemd/system/kloak.service.d/50_user.conf in an editor with root rights.

Non-Qubes-Whonix

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /lib/systemd/system/kloak.service.d/50_user.conf

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /lib/systemd/system/kloak.service.d/50_user.conf

  • After applying this change, shut down the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /lib/systemd/system/kloak.service.d/50_user.conf

2. Paste.

Note: Replace <options> with the options you wish to pass to kloak.

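[Service]
# The empty ExecStart= clears the packaged command; systemd rejects a second ExecStart= for services that are not Type=oneshot.
ExecStart=
ExecStart=/usr/sbin/kloak <options>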

3. Save and exit.

4. Reload systemd manager configuration.

sudo systemctl daemon-reload

5. Restart kloak.

sudo systemctl restart kloak

6. Done.

Kloak will now run with custom options.

View kloak journal log

If you want to look at any info kloak may have output since starting it, you may do so by checking the journal logs. To do this, run:

sudo journalctl -u kloak | cat

xrdp

Looked into what would be necessary to make kloak work over xrdp. Sadly this does not seem possible, as xrdp acts as its own X server (to my awareness) and thus intercepting and delaying keystrokes would require kloak to somehow intercept the keystrokes at the layer between the X server and the applications. I looked for ways of doing this but failed to find them - there are ways of logging keystrokes at the X server level, but my research failed to find a way to block keystrokes or otherwise keep them from being delivered to applications for the purpose of delaying them. This issue affects any use of kloak over a remote desktop session - unless the remote desktop application creates uinput devices on the remote machine and then feeds user input into them, kloak will not be able to intercept them. Recommendation - xrdp users should run kloak on the client machine to obfuscate their typing patterns on the client. This will then naturally obfuscate them on the remote machine as well. - ArrayBolt3

Stop Kloak

It is usually not necessary to stop kloak except for testing or debugging.

Stop kloak until restart or reboot.

sudo systemctl stop kloak

Start Kloak

It is usually not required to start kloak as it is running by default.

Start kloak.

sudo systemctl restart kloak

Kloak Status

sudo systemctl status kloak

Qubes Event Buffering

Info: This feature is only available in Qubes OS R4.3 and later. At the time of this writing, Qubes OS R4.3 has not yet been released. Use of the pre-release builds is not recommended for inexperienced users or users with high security requirements.

This is a feature built into Qubes OS. It is not a part of Whonix itself, and can be used with any Qubes OS virtual machine except for Qubes HVMs.

Qubes Event Buffering is Kloak-alike software.

Qubes OS is incompatible with Kloak, due to the fact that most VMs in Qubes OS do not use evdev to receive input. To provide the same benefits as Kloak despite these limitations, Qubes OS R4.3 provides a feature known as "event buffering". Whereas Kloak would run within each individual VM, intercepting and buffering evdev input events, Qubes event buffering runs on dom0, catching X11 input events intended for a particular VM and buffering them before sending them to the VM. Qubes event buffering uses the same underlying algorithms as Kloak, and should be similarly effective.

Qubes event buffering does not mask mouse movement behavior as well as it masks typing behavior, see Limitations below.

To enable event buffering for a particular VM:

1. Determine the VM you want to enable event buffering on. We will use whonix-workstation-17-dvm as our example here.

2. Open a terminal in dom0.

3. Run:

qvm-features whonix-workstation-17-dvm gui-events-max-delay 200

This will enable event buffering on whonix-workstation-17-dvm, with a maximum buffer time of 200ms. If you want a longer buffer time, specify a larger number as the last argument.

4. This setting does not take effect on currently running VMs. If whonix-workstation-17-dvm or any DispVMs based on it are running, shut them down.

5. Done. Event buffering is now enabled for whonix-workstation-17-dvm. You should notice a delay in typing when you launch the VM next.

Limitations

Kloak and Qubes Event Buffering

Both Kloak and Qubes event buffering have some limitations users MUST be aware of before relying on them for security:

  • Mouse events are cloaked, but not as effectively as keyboard events. Pointing devices (mice, touchpads, trackballs, etc.) produce a very large number of events when the pointer is being moved by the user. Both Kloak and Qubes event buffering use a scheduling system that queues events as they arrive and tries to ensure no event is delayed longer than the set maximum delay value. Because pointing devices flood the queue with events when the pointer is moved, this usually results in almost all of the events involved in a pointer movement being delayed for exactly the maximum delay time. This removes almost all anonymizing jitter and may allow an adversary to fingerprint and identify the user via mouse movements even if Kloak or event buffering is being used.
  • Typing may be substantially more difficult. Because Kloak and event buffering both queue, delay, and release keystrokes at semi-randomly chosen times, typing is not as easy when using Kloak. Lag is usually noticeable and unpredictable. Shorter maximum delay times can improve usability, but only at the cost of providing less anonymity.
  • Biometric software can tell that you're using Kloak. When using Kloak, one's typing rhythm will appear very unnatural and strange to biometric software, which is a clear indicator that one is using Kloak or similar software. Kloak makes no attempt to mask its use; it only ensures that all Kloak and Kloak-alike users appear similar to each other. This is similar to the limitations of Tor - one cannot tell which Tor user is accessing a resource or the true identity of the Tor user, but they can very easily tell that the resource is being accessed over Tor.
  • Legitimate uses of biometric software will break. If you use software that relies on keystroke biometrics to identify you, it will almost certainly fail to do so if you are using Kloak. This may require you to temporarily disable Kloak before using certain services.
  • Small delays are not effective; higher values that can be tolerated are preferable.
  • It does not address Stylometry threats.
  • Repeated (held-down) key presses that repeat at a unique rate can lead to identification.
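
The queue-saturation effect from the first bullet above, and the cost of a short maximum delay, shown as an added simulation (not code from kloak or Qubes OS). It assumes a simplified scheduler: each event gets a uniform random delay up to the maximum and is never released before the event queued ahead of it. The event streams, the 8 ms pointer period and all function names are constructed for illustration.

```python
import random
import statistics


def schedule(arrivals_ms, max_delay_ms, rng):
    """Assign each event a release time, in arrival order.

    Model (an assumption, not kloak's source): a uniform random delay of at
    most max_delay_ms, bounded below so that an event is never released
    before the event queued ahead of it (event order is preserved).
    """
    releases = []
    prev_release = 0
    for t in arrivals_ms:
        # Smallest usable delay: wait until the previous event has gone out.
        lower = min(max(prev_release - t, 0), max_delay_ms)
        prev_release = t + rng.randint(lower, max_delay_ms)
        releases.append(prev_release)
    return releases


def applied_delays(arrivals_ms, max_delay_ms, seed=1):
    """Delay added to each event, in milliseconds."""
    releases = schedule(arrivals_ms, max_delay_ms, random.Random(seed))
    return [r - t for r, t in zip(releases, arrivals_ms)]


def jitter(delays):
    """Spread of the added delay.

    A small value means every event was shifted by nearly the same amount,
    so the original timing pattern is still visible to an observer.
    """
    return statistics.pstdev(delays)


def keyboard_stream(n=2000, seed=7):
    """Constructed sample: key events arriving 60-250 ms apart."""
    rng = random.Random(seed)
    t, out = 0, []
    for _ in range(n):
        t += rng.randint(60, 250)
        out.append(t)
    return out


def mouse_stream(n=2000, period_ms=8):
    """Constructed sample: continuous pointer motion, one event per 8 ms."""
    return [i * period_ms for i in range(1, n + 1)]


if __name__ == "__main__":
    cases = [
        ("keyboard", keyboard_stream(), 100),
        ("keyboard", keyboard_stream(), 20),
        ("mouse", mouse_stream(), 100),
    ]
    for name, stream, max_delay in cases:
        d = applied_delays(stream, max_delay)
        print(f"{name:8s} max_delay={max_delay:3d} ms  "
              f"mean delay={statistics.mean(d):5.1f} ms  jitter={jitter(d):4.1f} ms")
```

In this model the sparse keyboard stream keeps a wide spread of delays, while the dense pointer stream is pushed toward the maximum delay with little spread left, and a 20 ms maximum leaves the keyboard stream far less jitter than 100 ms.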

Kloak only

The following limitations apply only to Kloak, not to Qubes event buffering:

  • Kloak only works if the system uses the evdev input driver. Almost all modern Linux distributions use evdev by default for input devices. Qubes OS is a notable exception - it uses its own virtual input device, which the X server in each Qube reads from. Kloak is not capable of intercepting events from non-evdev-based input devices.
  • Kloak does not intercept events that are fed directly to the system's display server without going through an input device driver. Any form of emulated input cannot be intercepted by Kloak. Remote desktop software frequently uses emulated input for obvious reasons. Another common class of software that makes use of emulated input is Keyboard-Video-Mouse (KVM) software such as Barrier, Synergy, and Input Leap. If you need Kloak to provide anonymity in these scenarios, you must run Kloak on the machine that the physical keyboard and mouse are attached to. This will obfuscate the movements the host machine sees and, therefore, obfuscate the movements that are sent to other machines via emulated input.

Qubes event buffering only

The following limitations apply only to Qubes event buffering, not Kloak:

  • Event buffering is not available in any version of Qubes R4.2 or earlier. It will be present in Qubes R4.3.0 and later.
  • There is no easy way to enable or configure event buffering. The only way to enable and configure event buffering is using the qvm-features command in a dom0 terminal. A configuration feature for event buffering may be added to Qube Manager in the future.
  • Event buffering is not enabled by default on Qubes-Whonix-Workstation. It must be explicitly enabled by the end user. This is expected to be fixed. See Enable X11 event buffering in Whonix by default.

Defense Testing

You can test that kloak actually works by trying a keystroke test website. https://vmonaco.com/device-fingerprinting/ is a good choice as it is free, open source, and requires no personal data or signup process to use. The code is visible at https://github.com/vmonaco/device-fingerprinting.

To use the test:

  • Ensure kloak is not running.
  • Open the website.
  • Move the mouse around and click on random locations on the page. You will see a graph labeled "mousemove" start to update. As the mouse moves, the graph should eventually show a few (oftentimes only one) orange-marked spikes that act as a fingerprint for your device.
  • Click inside the text area and type for some amount of time. A graph labeled "keydown" should show one or more prominent orange-marked spikes after a bit of typing.
  • Start kloak, then refresh the page.
  • Move the mouse around again. The graph will act erratically and fail to obtain an orange-marked spike for very long.
  • Click inside the text area and type for some amount of time. The graph should act erratically similar to the mouse graph.
  • By default, the website uses event.timeStamp as a time source for fingerprint extraction. If desired, repeat the above steps with the other time sources (Date.now(), performance.now(), and Web Worker).

A device or biometric fingerprint can be obtained quickly and with high certainty when kloak is not used. The tests done with kloak enabled show that kloak obfuscates typing behavior, making it difficult to authenticate or identify a particular user.

Note that websites that observe typing behavior will likely see users running kloak as being distinctly different from other users (due to the randomized, unnatural typing rhythms and mouse movements). This is similar to how Tor users can be detected separately from internet users who do not use Tor, but telling individual Tor users from each other is very difficult. As more users use kloak, the anonymity set will increase.

Other potential tests (not recommended):

Previously KeyTrac was recommended for testing kloak. However, the KeyTrac demo is no longer available. When KeyTrac did exist, the following results were obtained by training and testing KeyTrac with and without kloak:

Table: Sample KeyTrac versus Kloak Test Results

Kloak Configuration: Results and Interpretation

Train normal, test normal:
  • trial 1: 94% accuracy identified
  • trial 2: 92% accuracy
  • trial 3: 94%

Train normal, test Kloak:
  • trial 1: 18%
  • trial 2: 15%
  • trial 3: 19%

Train Kloak, test Kloak:
  • trial 1: 40%
  • trial 2: 42%
  • trial 3: 36%

Without Kloak, users can be identified with very high certainty. The second set of tests shows that Kloak definitely obfuscates typing behavior, making it difficult to authenticate or identify a particular user. The third set shows that users running Kloak may look "similar" to other users running Kloak. That is, it might be possible to identify Kloak users from non-Kloak users. These results are similar to the results obtained using vmonaco's device fingerprinting test.

Potential future development research

  • Do X11 or Wayland provide hooks that would allow intercepting input events as read by the Wayland compositor or X server, before those events are sent directly to applications? This would allow Kloak to work even with setups that don't use evdev.
  • Could a "toggle" feature be added to Kloak to allow temporarily enabling and disabling it without having to stop the Kloak service entirely? This would be useful for users who have high anonymity requirements but also have to use systems that use keystroke biometrics as a legitimate method of authentication.
  • Can mouse events be obfuscated better? It might be possible to randomly select times at which to deliver mouse events, then deliver all queued mouse events at once at those selected times, with intermediate events "squashed" together so that the mouse simply jumps to the position it would have ended up in had all mouse events been processed normally. If this is done, mouse events should probably be handled in a separate queue from keyboard events.

References

  1. https://github.com/vmonaco/keystroke-obfuscation
  2. https://en.wikipedia.org/wiki/Keystroke_dynamics
  3. https://en.wikipedia.org/wiki/Mouse_tracking
  4. https://en.wikipedia.org/wiki/CSS
  5. This deanonymization technique is likely to succeed, since it is already used to lock persons out of secure accounts (pending identity verification) when their monitored behavior significantly deviates from behavior that has been learned.
  6. https://web.archive.org/web/20190510191716if_/https://twitter.com/davywtf/status/1124146339259002881
  7. https://github.com/vmonaco/kloak/issues/7#issuecomment-893817507
  8. https://github.com/vmonaco/kloak/pull/38
  9. https://github.com/vmonaco/kloak/pull/50#issuecomment-1657250132
  10. https://arxiv.org/pdf/2101.09087.pdf
  11. For previous tickets on this issue, see this.
  12. Feasibility of a Keystroke Timing Attack on Search Engines with Autocomplete
  13. https://www.usenix.org/sites/default/files/conference/protected-files/sec19_slides_monaco.pdf
  14. https://github.com/Whonix/kloak
