Safety of Used Hardware

How big of a concern do you think malware is when buying used PCs? I’m not really concerned about hard drives as those can be low level formatted, but motherboards are trickier. I guess one can flash the BIOS on the motherboard, but that isn’t the only attack vector possible. To my knowledge it isn’t easily possible to ensure that a used motherboard is completely safe.

I know some people use the argument that a brand new motherboard can also be compromised, but the probability of that has to be significantly lower due to how the production chain is handled, so I don’t really think that is a strong argument.

My main concern would be protection from keyloggers and tools that can capture the output to my monitor in real time.

Likelihood that a mobo is dirty: the chances are slim to none. Flashing the BIOS is the only thing one can do as a precaution, but can you trust that the firmware is clean afterwards? No.

Simple truth is be real, don’t worry about all the crazy supermalware that are 99.2% of the time only theoretical or demonstrated by researchers… those barely exist in the wild. cough intel cough
Loosen up the tinfoil, overwrite the hard drive, flash the BIOS and call it a day.
Just don’t install the mobo in a governmental setup.

3 Likes

I agree with @Baz. Unless you suspect that some motivated, smart people want to dedicate considerable time and energy to hacking you, then you shouldn’t worry about it.

The thing about capable, intelligent people is that they tend to have decent jobs that preclude them from needing to key log random consumers of used PC parts.

That said, if you are really concerned about it, I would recommend buying used from an established dealer instead of a random individual on eBay/craigslist/whatever.

Honestly if you found one like that, I’d be curious who you bought it from. Lol hit up your local CIA KGB agents on craigslist :thinking:

2 Likes

How would I know though? I’m not sure I have the sophistication to determine whether it has been compromised on a firmware level.

You wouldn’t. I mean if you wanna be all tinfoil hat about it-
-Flashing isn’t necessarily gonna remove whatever the NSA put on there.
-The story of the Tor developer that bought a new laptop that was rerouted to Virginia:


-Plus I mean, just Google the KGB, CIA, and NSA’s spy tools… Firmware flash is the least of your worries.
At this point, Idk what you’re doing but if you don’t want to be spied on, don’t use the internet.

If you’re going to be paranoid then hard drives ain’t safe either: https://thehackernews.com/2015/02/hard-drive-firmware-hacking.html

1 Like

I don’t really see any proof that the NSA intercepted her laptop. It’s certainly possible though, especially given her high profile.

-Plus I mean, just Google the KGB, CIA, and NSA’s spy tools… Firmware flash is the least of your worries.
At this point, Idk what you’re doing but if you don’t want to be spied on, don’t use the internet.

I’m not talking about privacy concerns such as somebody figuring out which websites I visited. I’m talking about cybersecurity, making financial transactions secure, preventing identity theft etc. Like I said, my main concerns are keyloggers and somebody being able to read the output to my screen in real time.

I was considering whether that attack vector was possible too. Part of what I meant when I said I wasn’t too concerned about hard drives was that I’m not really looking for used hard drives, as they are very slow and can make using old hardware unpleasant for me personally. I’m quite likely to just throw out any drives in a used machine and put in an SSD of my own.

Guys, please don’t forget this discussion is meant to be hypothetical. I’m not trying to convince anyone not to buy used hardware, I’m just trying to gauge the security risk.

2 Likes

If we’re being hypothetical then used hardware is the least of your worries. How can you be sure that the hardware isn’t coming to you infected from the factory? Or that it is being intercepted en route in the mail? Or employees in a physical store/warehouse are loading things up with malware?

As far as taking security risks to the hypothetical extremes goes we’re just hypothetically boned. The stuff security researchers dig up is scary enough without thinking about what a government actor could potentially do with a near limitless budget.

1 Like

This is a good point. I know Wendell mentioned that Lenovo had this issue with malware more than once.

There is no such thing as absolute security. It’s about reducing the probability of being compromised. I’m not talking about hypothetical extremes. Assume buying brand new is the benchmark in terms of security, and then consider my query as being relative to that. I.e. is it significantly more risky or not? My question was already answered somewhat by Baz.
I’m also not talking about being a high profile target either, such as in the case of the Tor core developer in the article that Ramiel linked to. Just an unknown basically. I guess identity theft e.g. can’t be that common, because there are a lot of people that promote buying used hardware and there is a fairly big market for that.

I believe what’s been established here is that used hardware is of very little concern in terms of security.

But if you’re going to worry about used hardware, I’d be more concerned with high-count resellers on eBay than someone on Craigslist, for instance.

I don’t follow your logic, why is the high count eBay re-seller more problematic than an individual on Craigslist?

I’d be more concerned with someone who is willing to do this through a BIOS mod by volume. There’d be little point in doing it once locally, aside from perhaps a test run. Not like anyone buying the motherboard would know, either.

Ok, that makes sense. On the flip side, a trusted eBay seller is also very easy to prosecute should it become known that he has compromised the BIOS. Better would be to compromise the BIOS on used machines and then resell to a large reseller in bulk. Since a reseller of used machines probably doesn’t have any sort of control mechanism for such things (because profit margins), it would be an easy way to get compromised hardware in circulation.

I’m the god of used hardware / ancient hardware and I’ve never really had that many issues to be honest.