HACKER Q&A
📣 bmer

Security risks when buying mini-PCs/PCs from unknown vendors?


I was looking at [Low Cost Mini PCs](https://news.ycombinator.com/item?id=41389931) a few days ago, and saw comments recommending vendors such as Beelink or Minisforum.

These companies are relatively unknown compared to companies like Lenovo, Dell, HP, etc. My guess as a layman would be that Lenovo is not likely to try and "compromise" the hardware it sells (e.g. with additional chips that are meant to "phone home", or otherwise store data in some retrievable way) because that would damage their reputation and hence their business.

But a relatively unknown vendor might not have such a concern?

So I wonder:

* are my concerns even realistic?

* if so: how does one evaluate security risks that exist when buying PCs from "relatively unknown" vendors?


  👤 LinuxBender Accepted Answer ✓
I've bought three mini-PCs from different vendors via Amazon. All three had malware on their pre-installed image. I replace the storage and install Linux but there is still the risk of a malicious BIOS. Given I don't use them for anything important I accept the potential malicious BIOS risk. I would never use these with any data I or others cared about but that is just my own personal opinion that is shared by some security teams. I would never bring one of these into a company or government organization.

👤 talldayo
> My guess as a layman would be that that Lenovo is not likely to try and "compromise" the hardware it sells

lol

Man, that's good. I'm a full blown Lenovo apologist, but you cannot catch me dead going to bat for their appreciation of local security. There's a good reason most Thinkpad users entirely wipe the drive they get sent with the machine. In many cases, it literally comes preinstalled with Israeli malware: https://en.wikipedia.org/wiki/Superfish


👤 p0d
I bought a PC from an unknown computer vendor and my credit card details were stolen. My card was used to buy lottery tickets and had to be cancelled.

👤 PrimaryAlibi
I think you have the same problem either way. NSA (most likely) recently was caught for putting a backdoor in IOS. It doesn't matter how big the brand is.

Unfortunately it comes down to just needing to learn how to verify the hardware. If you only trust then you have lost.


👤 giantg2
I bought a Beelink a few years ago. It seemed to be fine. Normal malware scans didn't turn up anything, but I didn't dig too deep into that. Windows was very slow on it (as expected) so I put Linux on it for better performance.

As someone else mentioned, it's still possible there's some sort of firmware malware, such as the BIOS. I'm not sure that most normal scans would even catch that. I'm not too concerned since I don't do anything important or sensitive on that box.

On a side note, weren't the big vendors like Dell building in backdoors and stuff for the NSA too?
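LinuxBender's and giantg2's comments both land on the same gap: wiping the drive and installing Linux removes the pre-installed image but says nothing about the firmware underneath it, and an ordinary malware scan does not look there either. The script below is an added example (not from the thread or any commenter) of the practical counterpart to that concern: record a firmware/boot baseline the day the box arrives (or right after reflashing it with a vendor image you trust), and re-collect and compare it later, so an unexpected change in BIOS version, Secure Boot state, TPM PCR0/PCR7 measurements, or the hash of a SPI flash dump stands out. It assumes a Linux host with sysfs DMI fields under `/sys/class/dmi/id`; `mokutil`, `tpm2_pcrread` and a `flashrom`-style dump at `$FIRMWARE_DUMP` are optional and are assumptions, not something the thread mentions.

```shell
#!/bin/sh
# Constructed example: firmware/boot baseline for a freshly received mini-PC.
# Assumptions: Linux with /sys/class/dmi/id; mokutil and tpm2-tools are optional;
# FIRMWARE_DUMP may point at a SPI flash image taken with an external tool.

# Emit the facts worth baselining as sorted key=value lines.
collect_baseline() {
    dmi=/sys/class/dmi/id
    for f in bios_vendor bios_version bios_date board_vendor board_name product_name; do
        if [ -r "$dmi/$f" ]; then
            printf '%s=%s\n' "$f" "$(cat "$dmi/$f")"
        fi
    done
    # Secure Boot state, if mokutil is installed (assumption).
    if command -v mokutil >/dev/null 2>&1; then
        printf 'secureboot=%s\n' "$(mokutil --sb-state 2>/dev/null | tr -d '\n')"
    fi
    # PCR0 (firmware code) and PCR7 (Secure Boot policy) from the TPM, if tpm2-tools exist.
    # tpm2_pcrread prints "  0 : 0x..." lines; turn them into pcr0=0x... keys.
    if command -v tpm2_pcrread >/dev/null 2>&1; then
        tpm2_pcrread sha256:0,7 2>/dev/null | awk '/^ *[0-9]+ *:/ { print "pcr" $1 "=" $3 }'
    fi
    # Hash of a flash dump taken out-of-band, if one exists (path is an assumption).
    dump=${FIRMWARE_DUMP:-/var/lib/firmware-baseline/bios.bin}
    if [ -r "$dump" ]; then
        printf 'firmware_sha256=%s\n' "$(sha256sum "$dump" | cut -d' ' -f1)"
    fi
}

# compare_baseline BASELINE CURRENT: print every key whose value changed or
# vanished since the baseline; return 1 if anything differs, 0 otherwise.
compare_baseline() {
    rc=0
    while IFS='=' read -r key expected; do
        [ -z "$key" ] && continue
        actual=$(grep "^$key=" "$2" | head -n1 | cut -d= -f2-)
        if [ "$actual" != "$expected" ]; then
            printf 'CHANGED %s: baseline=%s current=%s\n' "$key" "$expected" "${actual:-<missing>}"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage on the real box:
#   sh firmware-baseline.sh collect > baseline.txt     # day one, after reflashing
#   sh firmware-baseline.sh collect > now.txt
#   sh firmware-baseline.sh compare baseline.txt now.txt
case "${1:-}" in
    collect) collect_baseline ;;
    compare) compare_baseline "$2" "$3" ;;
esac
```

A changed `bios_version` after no update you performed, a flipped Secure Boot state, or a PCR0 that moved while the vendor's firmware hash did not are the signals worth following up; a matching baseline only tells you nothing changed since day one, not that day one was clean, which is why the flash-dump hash should be compared against an image you obtained independently of the machine itself.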


👤 ahoka
Funny that you say this, as Lenovo actually got caught backdooring devices they sell.