by LinuxBender 653 days ago
I've bought three mini-PCs from different vendors via Amazon. All three had malware on their pre-installed image. I replace the storage and install Linux, but there is still the risk of a malicious BIOS. Given I don't use them for anything important, I accept the potential malicious BIOS risk. I would never use these with any data I or others cared about, but that is just my own personal opinion that is shared by some security teams. I would never bring one of these into a company or government organization.
2 comments

Is it possible to “install” (“flash”?) an open source BIOS onto a newly bought device?
Possible, maybe. End up with a working machine? Probably not. There are alternatives like coreboot [1], libreboot [2], and system76 [3], but this isn't something that can be flashed to just any board. These alternatives would have to become supported by the manufacturer upstream from the dodgy resellers that end up on Amazon, and I don't know if that might actually make it easier for dodgy players to replace it with a backdoor version. The low-end devices like mini-PCs do not have dual firmware options like some of the Asus mobos and a few other mainstream vendors.

[1] - https://coreboot.org/

[2] - https://libreboot.org/

[3] - https://github.com/system76/firmware-open

Could you elaborate? What kind of malware was pre-installed?
Bladabindi and Redline on two of them. Those were also configured by someone to disable alerts and scheduled scans in Defender. On the third it was something to do with bitcoin / wallet stealing, and I don't use bitcoin. I can't remember the name. I just boot them up long enough to know it isn't DOA, then eventually wipe them with Linux, assuming I even keep the tiny NVMe they come with. I started running scans after seeing the mini-PC malware issues in 2023 to let others on Amazon know what I find and to steer very clear of those vendors.