
Ask HN: Security risks when buying mini-PCs/PCs from unknown vendors?

12 points | bmer | 1 year ago

I was looking at [Low Cost Mini PCs](https://news.ycombinator.com/item?id=41389931) a few days ago, and saw comments recommending vendors such as Beelink or Minisforum.

These companies are relatively unknown compared to companies like Lenovo, Dell, HP, etc. My guess as a layman would be that Lenovo is not likely to try and "compromise" the hardware it sells (e.g. with additional chips that are meant to "phone home", or otherwise store data in some retrievable way) because that would damage their reputation and hence their business.

But a relatively unknown vendor might not have such a concern?

So I wonder:

* are my concerns even realistic?

* if so: how does one evaluate security risks that exist when buying PCs from "relatively unknown" vendors?

12 comments


LinuxBender|1 year ago

I've bought three mini-PCs from different vendors via Amazon. All three had malware on their pre-installed image. I replace the storage and install Linux, but there is still the risk of a malicious BIOS. Given I don't use them for anything important, I accept the potential malicious BIOS risk. I would never use these with any data I or others cared about, but that is just my own personal opinion that is shared by some security teams. I would never bring one of these into a company or government organization.

bmer|1 year ago

Is it possible to “install” (“flash”?) an open source BIOS onto a newly bought device?

atlasduo|1 year ago

Could you elaborate? What kind of malware was pre-installed?

talldayo|1 year ago

> My guess as a layman would be that that Lenovo is not likely to try and "compromise" the hardware it sells

lol

Man, that's good. I'm a full blown Lenovo apologist, but you cannot catch me dead going to bat for their appreciation of local security. There's a good reason most Thinkpad users entirely wipe the drive they get sent with the machine. In many cases, it literally comes preinstalled with Israeli malware: https://en.wikipedia.org/wiki/Superfish

2rsf|1 year ago

> most Thinkpad users

I have nothing for or against Lenovo, but can you support the "most" claim?

> comes

Came, many years ago

p0d|1 year ago

I bought a PC from an unknown computer vendor and my credit card details were stolen. My card was used to buy lottery tickets and had to be cancelled.

Malidir|1 year ago

Did they win the lottery?

PrimaryAlibi|1 year ago

I think you have the same problem either way. NSA (most likely) recently was caught for putting a backdoor in IOS. It doesn't matter how big the brand is.

Unfortunately it comes down to just needing to learn how to verify the hardware. If you only trust then you have lost.

giantg2|1 year ago

I bought a Beelink a few years ago. It seemed to be fine. Normal malware scans didn't turn up anything, but I didn't dig too deep into that. Windows was very slow on it (as expected) so I put Linux on it for better performance.

As someone else mentioned, it's still possible there's some sort of firmware malware, such as the BIOS. I'm not sure that most normal scans would even catch that. I'm not too concerned since I don't do anything important or sensitive on that box.

On a side note, weren't the big vendors like Dell building in backdoors and stuff for the NSA too?
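Two comments in this thread (LinuxBender's "replace the storage and install Linux, but there is still the risk of a malicious BIOS" and giantg2's "I'm not sure that most normal scans would even catch that") point at the same gap: a disk wipe and an antivirus scan say nothing about firmware. The following is an added example, not code from anyone in the thread. It shows the two checks a defender can actually run on a Linux box with a TPM: record the firmware-related TPM PCR values (as printed by `tpm2_pcrread` from tpm2-tools) at first boot and flag any later drift, and compare a `flashrom` dump of the BIOS region against a hash the vendor publishes for that firmware version. All PCR output, the firmware image bytes and the "vendor-published" hash below are constructed sample data; the PCR-to-meaning mapping follows the TCG PC Client platform firmware profile.

```python
"""Firmware-integrity baseline check for a freshly bought PC (added example).

Inputs are constructed: BASELINE_PCRREAD mimics `tpm2_pcrread sha256:0,1,2,7`
output captured at first boot, TAMPERED_PCRREAD is the same with PCR 0 changed,
and SAMPLE_DUMP stands in for a `flashrom -r bios.bin` read of the BIOS region.
"""
import hashlib
import re

# TPM 2.0 PCRs that measure the pre-OS boot chain (TCG PC Client firmware profile).
PCR_MEANING = {
    0: "UEFI firmware code (the BIOS image itself)",
    1: "firmware configuration (setup options, ACPI tables)",
    2: "option ROMs / pluggable firmware (GPU, NIC)",
    7: "Secure Boot policy and enrolled keys",
}

# One line of tpm2_pcrread output looks like "  0 : 0x<64 hex chars>".
PCRREAD_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")

# Constructed sample: the baseline recorded at first boot.
BASELINE_PCRREAD = (
    "sha256:\n"
    f"  0 : 0x{'11' * 32}\n"
    f"  1 : 0x{'22' * 32}\n"
    f"  2 : 0x{'33' * 32}\n"
    f"  7 : 0x{'44' * 32}\n"
)

# Constructed sample: a later reading where only PCR 0 (firmware code) differs.
TAMPERED_PCRREAD = BASELINE_PCRREAD.replace("11" * 32, "ab" * 32)

# Constructed sample: a BIOS-region dump and the hash the vendor "published" for it.
SAMPLE_DUMP = b"constructed firmware image, not a real BIOS region"
SAMPLE_DUMP_SHA256 = hashlib.sha256(SAMPLE_DUMP).hexdigest()


def parse_pcrread(text):
    """Parse tpm2_pcrread output into {pcr_index: lowercase hex digest}."""
    pcrs = {}
    for line in text.splitlines():
        match = PCRREAD_LINE.match(line)
        if match:
            pcrs[int(match.group(1))] = match.group(2).lower()
    return pcrs


def compare_pcrs(baseline, current):
    """Return [(index, meaning), ...] for boot-chain PCRs that differ from the baseline.

    A PCR missing from either reading also counts as drift, since a silently
    absent measurement is as suspicious as a changed one.
    """
    return [
        (idx, meaning)
        for idx, meaning in PCR_MEANING.items()
        if baseline.get(idx) != current.get(idx)
    ]


def verify_firmware_dump(dump_bytes, published_sha256):
    """True if a flashrom read of the BIOS region matches the vendor-published SHA-256."""
    return hashlib.sha256(dump_bytes).hexdigest() == published_sha256.strip().lower()


if __name__ == "__main__":
    baseline = parse_pcrread(BASELINE_PCRREAD)
    for idx, meaning in compare_pcrs(baseline, parse_pcrread(TAMPERED_PCRREAD)):
        print(f"PCR {idx} changed since first boot: {meaning}")
    print("dump matches published hash:", verify_firmware_dump(SAMPLE_DUMP, SAMPLE_DUMP_SHA256))
    print("altered dump matches:", verify_firmware_dump(SAMPLE_DUMP + b"\x00", SAMPLE_DUMP_SHA256))
```

Two caveats matter in practice. A baseline you record yourself only detects change after the moment you recorded it, so it says nothing about firmware that was already altered when the box arrived; only a comparison against an image or hash published by the firmware vendor covers the purchase itself, and many small vendors publish neither. And PCR 0, 1 and 7 change legitimately after a firmware update, a settings change in setup, or enrolling Secure Boot keys, so re-record the baseline right after any change you made deliberately and treat every other change as worth investigating.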

ahoka|1 year ago

Funny that you say this, as Lenovo actually got caught backdooring devices they sell.