What are the risks of buying a used/refurbished computer? How can I mitigate those risks?

It all boils down to which kinds of threats you want to migitate against - a determined attacker has many more options of leaving malware on your computer than just your hard drive, but it's getting increasingly complex to do so. If you're a rocket scientist working on the newest version of ICBMs you have more to fear than a college student who uses their computer for a few class assignments and some of the newest games (but in the rocket scientist's case, you won't be allowed to use self-bought used computers anyway).

Also, it depends a bit on how competent a presumed non-malicious previous owner was in protecting against malware.

And of course, "wipe clean" can mean anything from "deleting personal files, then emptying the wastebasket" to "reinstall the OS" to "completely overwrite the disks with random data/zeroes, then do an install from scratch".

The typical threats you should migitate against are random malware infections that the previous owner caught somehow. Wiping the disks clean, then reinstalling the OS should be enough to get rid of those.

Some computers, mainly laptops, come with a "recovery partition" that allows you to quickly reset the computer to factory condition; I wouldn't use that. First, because a virus might have altered the install files as well to survive a reinstallation; second, these recovery partitions often come with a lot of crapware which the manufacturer installs because they're paid a few dollars by the crapware maker. Better download an installation DVD/USB medium from Microsoft/Ubuntu/whichever OS you're using, and do a fresh install from that.

Besides that, there's many more locations that could have malware, but it's unlikely to find them on your used computer unless you are specifially targeted.

  • The computer BIOS might be altered to do stuff even before booting, for example, it could have a keylogger trying to steal your passwords, or even keep a few cores of your CPU busy mining bitcoin for the previous owner. It can't hurt to check the manufacturer's website for the newest BIOS update, and flashing the newest version of it, even if that's the version you already (seem to) have. This is already quite paranoid, but still something you can do in a few minutes so doing it won't hurt you much.

  • The hard drive firmware itself could be altered. Someone published a proof-of-concept a few years ago who installed Linux on the hard drive - no, the computer didn't run Linux; the hard drive itself ran Linux, ignoring the fact that it was supposed to be a hard drive (see http://spritesmods.com/?art=hddhack - on page 6, he adds a backdoor by replacing the root password hash with a known one every time the disk reads /etc/shadow, and on page 7, he boots a linux kernel on the disk itself).

  • The CPU microcode itself could be altered to do .. stuff, including ignoring any further microcode updates. Unlikely that this could be done without cooperation from Intel, but still a possibility if the NSA is trying to target you. (However, if the NSA were targeting you, "hope he'll buy the spiked used computer we put on ebay for him" wouldn't be their primary strategy, I assume).

So, if you're just a random guy, wiping the hard disks and doing an OS reinstall from scratch provides good protection against the kinds of threats you can reasonably expect. However, if you have any reason to assume someone is actively targeting you - this includes MDs keeping patient data on their computers, credit card processors, ... - "Just don't buy used computers" is the first thing in a long chain of measures you need to take.


Since you are buying a used server, I assume that you aren’t the target of a nation state’s intelligence services, and that you aren’t being targeted with implanted hardware spying modules. All you really need to do is make sure the disk is free of malware.

Load DBAN onto bootable removable media, then boot the server with it and use it to wipe the disks. That's will get them as clean as you can, without delving deeply into the internals of disk storage.


Well, depends on how you define secure. Are you being actively targeted by a large organization, such as a conglomerate or a government? Or just scared of criminals taking over your webcam to take photos?

If you are in the first group, congratulations! Assume all electronic devices you use tainted. There's so many ways that these organizations can spy on you without your knowledge, whether it's hardware based or software based. Most electronic devices sold today do not come with a board schematic - you have no way to verify if there isn't an extra component added, such as a keylogger, recording your activity.

On the other hand, if you are just a regular guy with nothing sensitive, I wouldn't worry too much. A simple wipe of the hard drive and a reinstall of whatever operating system you prefer would suffice. Maybe reflash the BIOS if you're really, really paranoid.

Tags:

Hardware

Recent Posts