Ask HN: Security risks when buying mini-PCs/PCs from unknown vendors?
I was looking at [Low Cost Mini PCs](https://news.ycombinator.com/item?id=41389931) a few days ago, and saw comments recommending vendors such as Beelink or Minisforum.
These companies are relatively unknown compared to companies like Lenovo, Dell, HP, etc. My guess as a layman would be that that Lenovo is not likely to try and "compromise" the hardware it sells (e.g. with additional chips that are meant to "phone home", or otherwise store data in some retrievable way) because that would damage their reputation and hence their business.
But a relatively unknown vendor might not have such a concern?
So I wonder:
* are my concerns even realistic?
* if so: how does one evaluate security risks that exist when buying PCs from "relatively unknown" vendors?
12 comments
[ 3.4 ms ] story [ 50.7 ms ] threadlol
Man, that's good. I'm a full blown Lenovo apologist, but you cannot catch me dead going to bat for their appreciation of local security. There's a good reason most Thinkpad users entirely wipe the drive they get sent with the machine. In many cases, it literally comes preinstalled with Israeli malware: https://en.wikipedia.org/wiki/Superfish
I have nothing for or against Lenovo, but can you support the "most" claim?
> comes
Came, many years ago
[1] - https://coreboot.org/
[2] - https://libreboot.org/
[3] - https://github.com/system76/firmware-open
As someone else mentioned, it's still possible there's some sort of firmware malware, such as the BIOS. I'm not sure that most normal scans would even catch that. I'm not too concerned since I don't do anything important or sensitive on that box.
On a side note, weren't the big vendors like Dell building in backdoor and stuff for the NSA too?
Unfortunately it comes down to just needing to learn how to verify the hardware. If you only trust then you have lost.