As a response to what feels like a mandate to update to Windows 11 devices that wave a myriad of privacy and security concerns, I decided to opt out and switch to Linux. So, I am new to this and sometimes looking for answers to specific questions is like trying to take sips from a fire hose.
I was afraid of bricking my Windows 10 PC because I’m a tech klutz, so I looked at craigslist and found some old laptops - like 2011/2012 Dell Latitudes - for less than 100 bucks a piece which I didn’t mind risking. As it turns out, these are great computers for running Linux. I upgraded the SSD and RAM and I’m becoming more and more convinced that I can transition my whole work life and online life to Linux almost seamlessly with these devices.
I don’t want a new computer because of the Bitlocker nonsense and TPM 2.0 and probable backdoors which I consider a huge security risk. Time will tell.
My understanding is that there are hardware security issues with these devices that cannot be abated easily or at all.
Is it something to be very concerned about? Should I avoid logging into personal accounts on these machines or can I use them freely as long as they’re not hooked up to an ethernet cable?
It’s recommended to use BitLocker if you’re on Windows as it provides full volume encryption which protects you.
As far as I’m aware, TPM 2.0 only provides benefits over TPM 1.2.
If you want to assume hardware is backdoored, there’s no good reason to believe that 2011 hardware isn’t also backdoored. Even if they weren’t backdoored, it’d be a safe assumption that if their firmware is no longer being updated, they’re more likely to contain unpatched vulnerabilities.
Under this speculative assumption that everything is backdoored, you’re still better off using newer hardware as it’d at least be less vulnerable to the vast majority of attackers who don’t have access to this theoretical backdoor.
It’s a risk you can’t really escape if you want to use computers. If you want to get really extreme there are ways to mitigate it but there are very few scenarios where that amount of effort is worth it.
Unless you’re referencing something more specific, the main concern would probably be how outdated their firmware could be. It’s recommended to use devices which are fully up to date but there are still many people who use old outdated PCs with modern Linux distros just fine. You haven’t specified your threat model so I’ll assume you’re asking about malware in general. I don’t want to say using an outdated device is great but if you’re running modern software and know how to be careful on the internet, you’ll probably be fine.
As in using an air-gapped computer completely disconnected from the internet? Yeah that’d be a pretty effective yet extreme measure. Air gaps are usually only necessary for highly sensitive work so it’s probably unnecessary in your case.
Be sure to make sure that Computrace isn’t enabled on them, and be sure to also activate the permanent disable option. It was quite common on those older enterprise focused computers.
Also be sure Intel AMT is disabled, and some also have a ME toggle without any mod.
Otherwise, they’re realistically safe enough for most people as long as your OS and programs are fully updated.
If you’re on Linux, running lscpu will show what hardware/CPU vulnerabilities are for your machine, but that won’t cover anything in the BIOS/SMM/EC.
If you’re willing to spend in the $300 range (assuming USA), you can get some late model ThinkPads that still have at least a year left of updates.
Yes. I’m just a regular consumer. However, I’ve heard there are risks if your BIOS is out of date, and there are risks from devices with IME capabilities - such as from corporate-owned machines that allow tech folks to remotely access them.
Newer devices are equipped with surveillance technology. It’s baked in. TVs, phones, vehicles, etc. So to assume that something as data-centered as a computer is somehow more secure than everyday, benign devices like these seems naive.
Is it just fine to use one of these devices with an outdated BIOS and an IME chip without worrying? I assume the biggest threats come from software compromises, but there are some folks who make it seem like hardware threats are also a big deal.
Since I’ve been looking around for more information and there’s just not much out there - and some is conflicting - I’m not terribly concerned. But before I use one of these to check my bank account, I want to make sure that an outdated BIOS isn’t something to be worried about.
I want to point out that older laptops are vulnerable to zero-days like Spectre/Meltdown which affects nearly every single CPU before 2018/2019. This is a very real zero-day that affects devices that do not have the latest firmware updates
The issue is not only websites you visit, the issue is figuring out what is the likelihood that you will encounter malware on your hypothetical Dell Latitude. If you are in a situation where you download and open files, then there is a genuine case for using something like Qubes OS. That would require a newer laptop with lots of RAM.
Older is never always better. However, if you are a normal user, I’m sure that you can get away with using older laptops.
But if you are genuinely concerned about “backdoors”, which we don’t know exist for consumer-facing PCs, you should consider reading more into how bootloader attacks work (i.e. Rootkits) and the fact they are proven to be exploited in the real world. These are the real backdoors we’re talking about here…especially since they exploit vulnerabilities that have not been discovered or disclosed yet.
Tldr; Get a Thinkpad or Lattitude that is still supported by Lenovo and Dell. Learn how to manually apply firmware updates on Linux and enable Secure Boot.