I am considering buying a used Lenovo ThinkPad to serve as a secondary/backup laptop. I want to install Linux (considering Fedora Workstation/Silverblue) and also see if I can completely switch over to Linux as my daily driver.
I am looking at eBay and have come across a few good ThinkPad options to buy used. Most come with Windows 11 which I am planning on replacing with Fedora.
Are there any privacy and security best practices when buying a used laptop? I am new to setting up systems and buying used electronics. Based on some research, I have come up with a plan as below:
Buy only if the BIOS is not locked with a supervisor password and does not have Computrace, Absolute or LoJack activated
Run ThinkPad Secure wipe if available
Do a clean install of Fedora overwriting any existing Operating System
Are the above steps enough to ensure any spyware, malware, ransomware, keyloggers, tracking can be securely removed? Are there any other things I need to look out for?
I would be connecting it to my Home WiFi, logging in to personal accounts, installing and using my Password Manager and basically doing everything I would on my personal device. I understand I may sound a little paranoid but I have been working on improving my security and privacy lately and I don’t want to introduce a weak link.
I can’t speak to best practices, but what I do is somewhat in line with you:
If buying on eBay, buy from a seller with a decently long history and many ratings (not security specific)
Inspect visually and internally (not security specific)
Reset the BIOS to factory defaults, also update the BIOS.
Wipe or replace the SSD
Install Linux
Check for other firmware updates, apply if needed
edit: Many people on this forum are uncomfortable buying used. I get that, but I personally don’t feel that way, I think the cost/benefit (both in $$ and in privacy) for buying used is good and not especially risky if you follow best practices. All things considered I typically prefer buying used. In my experience it's much easier to have a private transaction when you buy used.
It's hard to trust 2nd hand devices for serious work. But for testing purposes for your new Linux workflow it should be fine. Also check if the apps you need to run can work properly under Wine.
With that said it is vital to completely wipe the old hard drive with something like DBAN (now nwipe), just in case the previous owner has something nasty in it like CSAM pictures.
As for the BIOS, you definitely should update it but UEFI rootkits are a thing that may persist even after updating and I don't really know how to check for previous indications of compromise. Maybe someone can comment below.
You should keep this “new” device in your guest network. It should be ok.
Hey Halogen, personally, I don’t think it’s worth it to risk your user privacy and security just to save a few dollars. Low-end new laptops are cheap now.
Also, think about the dirt and grime that the laptop would have on its keyboard from the previous user…