Netgate Discussion Forum
    BIOS Rootkits and Malware on Mini PC Devices

    Off-Topic & Non-Support Discussion
    4 Posts 3 Posters 1.6k Views
    • pV5


      While deciding on the hardware for my home pfSense router I considered the following options:

      1. (insert name here) mini PC from Amazon or Ebay
      2. Netgate 1100
      3. Netgate 2100

      I settled on the Netgate 2100. The Qotom seemed to have the best performance for the price, but I didn't select it for two primary reasons: (1) unknown hardware reliability, and (2) I have no basis to trust that the BIOS or other firmware in the device doesn't have malware, a rootkit or similar. Now, I know this may seem a bit paranoid, but after all we are talking about a router and the first line of defense for my network. I wanted to get other people's opinions on this. Am I being over-the-top paranoid? Is this a practical threat?

      (I am aware that there is an open source "coreboot" BIOS project)

      Thanks.

      • bmeeks @pV5

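The check a practitioner would actually run on a no-name mini PC, added here as an example and not code from the thread, from Netgate or from pfSense: dump the SPI flash and compare it against the vendor's image region by region rather than as one blob. The script assumes two full-chip images of the same part (a dump such as `flashrom -p internal -r dump.bin`, or better one taken with an external programmer on a clip, since the descriptor usually read-locks the ME region from the running OS) and locates the regions through the Intel Flash Descriptor (signature 0x0FF0A55A at offset 0x10). The 64 KiB sample image, its layout and fill bytes are constructed for offline testing. A BIOS-region mismatch is a cue to diff further with a UEFI volume parser, not proof of tampering, because the NVRAM variable store inside that region changes legitimately between boots.

```python
"""Compare an SPI flash dump with a known-good image, region by region."""
import hashlib
import struct
import sys

IFD_SIGNATURE = 0x0FF0A55A      # Intel Flash Descriptor signature
IFD_OFFSET = 0x10               # signature lives 16 bytes into the chip
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "Platform")


def parse_regions(image: bytes) -> dict:
    """Return {region name: (start, end)} for every region the descriptor defines."""
    sig, flmap0 = struct.unpack_from("<II", image, IFD_OFFSET)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel flash descriptor at offset 0x10")
    # FLMAP0 bits 23:16 hold the region table base (FRBA) in 16-byte units.
    frba = ((flmap0 >> 16) & 0xFF) << 4
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12                      # 4 KiB granularity
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:                                   # 0x00007FFF = unused region
            continue
        regions[name] = (base, limit + 1)
    return regions


def compare_images(dump: bytes, reference: bytes) -> dict:
    """Return {region name: True if the region is byte-identical in both images}."""
    if len(dump) != len(reference):
        raise ValueError(f"size mismatch: dump {len(dump)} B, reference {len(reference)} B")
    regions = parse_regions(reference)
    if parse_regions(dump) != regions:
        # A region table that differs from the vendor's is itself a finding.
        return {"Descriptor": False}
    result = {}
    for name, (start, end) in regions.items():
        h_dump = hashlib.sha256(dump[start:end]).digest()
        h_ref = hashlib.sha256(reference[start:end]).digest()
        result[name] = h_dump == h_ref
    return result


def build_sample_image(size: int = 0x10000, bios_fill: bytes = b"\xAA",
                       me_fill: bytes = b"\x55") -> bytes:
    """Constructed 64 KiB image (descriptor / ME / BIOS regions) for offline testing."""
    img = bytearray(b"\xFF" * size)
    frba = 0x40
    struct.pack_into("<II", img, IFD_OFFSET, IFD_SIGNATURE, (frba >> 4) << 16)
    # (first byte, last byte) per region in REGION_NAMES order; None = unused.
    layout = [(0x0000, 0x0FFF), (0x4000, size - 1), (0x1000, 0x3FFF), None, None]
    for i, span in enumerate(layout):
        flreg = 0x00007FFF if span is None else (span[0] >> 12) | ((span[1] >> 12) << 16)
        struct.pack_into("<I", img, frba + 4 * i, flreg)
    img[0x1000:0x4000] = me_fill * (0x3000 // len(me_fill))
    img[0x4000:size] = bios_fill * ((size - 0x4000) // len(bios_fill))
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_dump, open(sys.argv[2], "rb") as f_ref:
            verdict = compare_images(f_dump.read(), f_ref.read())
    else:  # no files given: run against the constructed sample with one flipped byte
        ref = build_sample_image()
        tampered = bytearray(ref)
        tampered[0x5000] ^= 0xFF
        verdict = compare_images(bytes(tampered), ref)
    for name, same in verdict.items():
        print(f"{name:10s} {'match' if same else 'DIFFERS'}")
```

Run it as `python3 flashcmp.py dump.bin vendor.bin`; with no arguments it exercises the constructed sample. The per-region split is the point: the ME region should never differ from the vendor image, while the BIOS region needs a second look before concluding anything, and a changed region table means the descriptor itself was rewritten.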

        @pV5 said in BIOS Rootkits and Malware on Mini PC Devices:

        Am I being over-the-top paranoid? Is this a practical threat?

        For a home network, my opinion is "yes", you are being overly paranoid ☺.

        Not trying to be too harsh here, but exactly what assets within your home network do you believe are attractive enough to nation-state malicious actors that they would go to all the trouble and expense of engineering a supply chain attack against you? Remember, your average script kiddie is not going to have the resources to pull off a supply chain attack against you.

        Securing a home network is relatively simple and a cinch if you follow these basic rules:

        1. Keep everything attached to the network up to date with security hotfixes and other software updates.
        2. Run an antivirus client on all devices where that is possible. The built-in Microsoft Defender product is fine for Windows machines so long as you set it to auto-update.
        3. Train the users in your house to be damn careful what they click on, especially attachments in emails! The amount of risk here is inversely proportional to how often you apply security hotfixes and updates.
        4. Stay away from dodgy websites.
        5. Limit any unsolicited inbound remote access to a VPN circuit (for example, if you want to "remote" into your LAN from someplace else).
        • michmoor @bmeeks


          @bmeeks I'm paranoid, Bill. I got a SIEM running at home. Is it a bit much? Sure. :)

          edit: To be fair, it's not just nation-states. We don't know where the OP works. Could be the CIA or Home Depot or their local supermarket. Either way, they are a potential exploit to gain access into a secured environment.
          If you look at what happened with LastPass recently as an example, the LastPass developer brought home his laptop and the attacker laterally moved. Compromised a media player, etc.

          On top of the basic rules given, I would also say deploy a VLAN. If you know you have sketchy devices (IoT) or even a corporate laptop, place those on their own VLAN, unable to talk to anyone outside that VLAN.

          In my personal deployment at home, I also deployed Squid as a transparent proxy. I want to know what all my devices are talking to and, if needed, block those sites. My daughter's Pixel phone was talking to raw.github for some reason... Why?!?! After some investigation, it was for a legitimate purpose, but that's the type of paranoid person I am.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          • michmoor @pV5


            @pV5 I would always favor getting a Netgate for two reasons.

            1. Helps support the project and how people get paid.
            2. Reliability and security from a trusted source. Netgate is installing the software. Netgate is delivering the patches. Netgate updates the firmware. The supply chain is at the very least secured and controlled by a known source: Netgate. The Qotom box is cheap but sketchy. Lots of different variables in getting that mini PC into the hands of consumers. Who updates the BIOS? Who updates the drivers? Even if you wipe the installed software and re-install pfSense yourself, that doesn't mean you haven't already been exploited.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.