Ask HN: Security risks when buying mini-PCs/PCs from unknown vendors?
12 points by bmer 16 days ago | 12 comments
I was looking at [Low Cost Mini PCs](https://news.ycombinator.com/item?id=41389931) a few days ago, and saw comments recommending vendors such as Beelink or Minisforum.

These companies are relatively unknown compared to companies like Lenovo, Dell, HP, etc. My guess as a layman would be that Lenovo is not likely to try and "compromise" the hardware it sells (e.g. with additional chips that are meant to "phone home", or otherwise store data in some retrievable way) because that would damage their reputation and hence their business.

But a relatively unknown vendor might not have such a concern?

So I wonder:

* are my concerns even realistic?

* if so: how does one evaluate security risks that exist when buying PCs from "relatively unknown" vendors?




I've bought three mini-PCs from different vendors via Amazon. All three had malware on their pre-installed image. I replace the storage and install Linux, but there is still the risk of a malicious BIOS. Given I don't use them for anything important, I accept the potential malicious BIOS risk. I would never use these with any data I or others cared about, but that is just my own personal opinion that is shared by some security teams. I would never bring one of these into a company or government organization.


Is it possible to “install” (“flash”?) an open source BIOS onto a newly bought device?


Possible, maybe. End up with a working machine? Probably not. There are alternatives like coreboot [1], libreboot [2], system76 [3], but this isn't something that can be flashed to just any board. These alternatives would have to become supported by the manufacturer upstream from the dodgy resellers that end up on Amazon, and I don't know if that might actually make it easier for dodgy players to replace it with a backdoor version. The low-end devices like mini-PCs do not have dual firmware options like some of the Asus mobos and a few other mainstream vendors.

[1] - https://coreboot.org/

[2] - https://libreboot.org/

[3] - https://github.com/system76/firmware-open


Could you elaborate? What kind of malware was pre-installed?

Bladabindi and Redline on two of them. Those were also configured by someone to disable alerts and scheduled scans in Defender. On the third it was something to do with bitcoin / wallet stealing and I don't use bitcoin. I can't remember the name. I just boot them up long enough to know it isn't DOA, then eventually wipe them with Linux, assuming I even keep the tiny NVMe they come with. I started running scans after seeing the mini-PC malware issues in 2023 to let others on Amazon know what I find and to steer very clear of those vendors.

> My guess as a layman would be that Lenovo is not likely to try and "compromise" the hardware it sells

lol

Man, that's good. I'm a full blown Lenovo apologist, but you cannot catch me dead going to bat for their appreciation of local security. There's a good reason most Thinkpad users entirely wipe the drive they get sent with the machine. In many cases, it literally comes preinstalled with Israeli malware: https://en.wikipedia.org/wiki/Superfish


> most Thinkpad users

I have nothing for or against Lenovo, but can you support the "most" claim?

> comes

Came, many years ago


I bought a PC from an unknown computer vendor and my credit card details were stolen. My card was used to buy lottery tickets and had to be cancelled.


Did they win the lottery?

I think you have the same problem either way. NSA (most likely) recently was caught for putting a backdoor in IOS. It doesn't matter how big the brand is.

Unfortunately it comes down to just needing to learn how to verify the hardware. If you only trust then you have lost.


I bought a Beelink a few years ago. It seemed to be fine. Normal malware scans didn't turn up anything, but I didn't dig too deep into that. Windows was very slow on it (as expected) so I put Linux on it for better performance.

As someone else mentioned, it's still possible there's some sort of firmware malware, such as the BIOS. I'm not sure that most normal scans would even catch that. I'm not too concerned since I don't do anything important or sensitive on that box.

On a side note, weren't the big vendors like Dell building in backdoors and stuff for the NSA too?


Funny that you say this, as Lenovo actually got caught backdooring devices they sell.


