BIOS Rootkits and Malware on Mini PC Devices

pV5

While deciding on the hardware for my home pfSense router I considered the following options:

1. (insert name here) mini PC from Amazon or Ebay
2. Netgate 1100
3. Netgate 2100

I settled on the Netgate 2100. The Qotom seemed to have the best performance for the price but I didnt select it for two primary reasons: (1) Unknown hardware reliability, and (2) I have no basis to trust that the BIOS or other firmware in the device doesnt have malware or rootkit or similar. Now I know this may seem a bit paranoid but after all we are talking about a router and the first line of defense for my network. I wanted to get other peoples opinion on this. Am I being over the top paranoid? Is this a practial threat?

(I am aware that there is an open source "coreboot" BIOS project)

Thanks.

bmeeks

@pV5 said in BIOS Rootkits and Malware on Mini PC Devices:

Am I being over the top paranoid? Is this a practial threat?

For a home network, my opinion is "yes", you are being over paranoid .

Not trying to be too harsh here, but exactly what assets within your home network do you believe are attractive enough to nation-state malicious actors that they would go to all the trouble and expense of engineering a supply chain attack against you? Remember your average script kiddie is not going to have the resources to pull off a supply chain attack against you.

Securing a home network is relatively simple and a cinch if you follow these basic rules:

1. Keep everything attached to the network up to date with security hotfixes and other software updates.
2. Run an antivirus client on all devices where that is possible. The built-in Microsoft Defender product is fine for Windows machines so long as you set it to auto-update.
3. Train the users in your house to be damn careful what they click on, especially attachments in emails! The amount of risk here is inversely proportional to how often you apply security hotfixes and updates.
4. Stay away from dodgy websites.
5. Limit any unsolicited inbound remote access to a VPN circuit (for example, if you want to "remote" into your LAN from someplace else).

michmoor

@bmeeks Im paronoid bill. I got a SIEM running at home. Is it a bit much? Sure. :)

edit: To be fair. Its not just nation-states. We dont know where the OP works at. Could be CIA or Home Depot or their local supermarket. Either way they are a potential exploit to gain access into a secured environment.
If you look at what happened with LastPass recently as an example, the last pass developer brought home his laptop and the attacker laterally moved. Compromised a media player, etc.

On top of the basic rules given i would also say deploy a VLAN. If you know you have sketchy devices (IoT) or even a corporate laptop, place those on their own vlan unable to talk to anyone outside that VLAN.

My personal deployment at home i also deployed Squid as a transparent proxy. I want to know what all my devices are talking too and if needed block those sites. My daughter's Pixel phone was talking to raw.github for some reason...Why?!?! After some investigation, it was for a legitimate purpose but thats the type of paranoid person i am.

michmoor

@pV5 I would always favor getting a Netgate for two reasons.

1. Helps supports the project and how people get paid.
2. reliability and security from a trusted source. Netgate is installing the software. Netgate is delivering the patches. Netgate updates the firmware. The supply chain is at the very least secured and its controlled by a known source - Netgate. The Quotom box is cheap but sketchy. Lots of different variables in getting that mini PC into the hands of consumers. Who updates the BIOS? Who updates the drivers? Even if you wipe the installed software and re-install pfsense yourself that doesnt mean you havent already been exploited.