TL;DR: basically the title
I’m using regular laptops that can be purchased everywhere. And, of course they don’t have open source BIOS, just wonder how high is the risk, when:
Note: I’m no expert in tech, so maybe I didn’t explain my question clearly… 
I’m sure some folks have some good information here. Just remember that a lot of the worry and fear surrounding this topic are the direct result of market campaigns which benefit on it.
Your actions and how you use your computer play a much larger roll in your privacy and security than essentially anything else.
Malware in the BIOS/UEFI isn’t very common now-a-days, because most PC makers now use a signed BIOS/UEFI, so it is very hard to crack it and change it. For more info, see:
The bigger issue is the fact that you have a giant blob that you don’t control and can’t change, so you have hardware which you can’t trust. If the NSA or Chinese government infiltrated the plant where the BIOS/UEFI is being flashed (or simply had an agreement with manufacturer), spyware could be added to the BIOS/UEFI and you would probably never detect it. It is effectively the same as the Chinese government inserting spy chips in Supermicro servers.
Of course, it is pretty low probability that you will be targeted by a group which is capable of changing your BIOS/UEFI and groups like the NSA probably have easier ways to spy on their targets, but it is something to think about.
My laptops are all running Linux Mint at the moment, does this help to mitigate the risks?
Can’t install PureOS, the hardware won’t support… even the choice of OS matters
PureOS is basically Debian main, plus some configuration options for greater privacy and security, such as the privacy settings in PureBrowser and easy setup of full disk encryption. The big thing that is special about Librem laptops is what happens with PureBoot+Heads or Coreboot+SeaBIOS, which is below PureOS.
Mint is a derivative of Ubuntu which is a derivative of Debian, so your system isn’t that different from PureOS. From what I understand, the Ubuntu devs were very good about upstreaming any security patches they made to Debian.
Running any desktop Linux distro helps a lot in terms of security, because the vast majority of the world’s malware wasn’t created for your system, and very few Linux users install software from outside their distro’s repos, so it isn’t easy for malware to propagate in Linux. See: https://source.puri.sm/Librem5/community-wiki/-/wikis/Frequently-Asked-Questions#how-secure-is-the-librem-5-compared-to-an-android-phone
Your biggest worry is web scripts, which can run on any computer with a web browser. If you are using an up-to-date web browser, you are pretty safe because web browsers generally do a good job of isolating web content from the rest of the operating system.
The other major problem is if you have WINE installed, because that means that Windows software can execute on your system. It is better to uninstall WINE and run all your Windows software inside a virtual machine to isolate it from the rest of your Linux system.
Also Linux Libre (AKA Linux without proprietary firmware)
As far as I’m concerned, Trust but verify.
Don’t trust Purism/System76? check the source code.
Don’t trust Dell? Welp 
To be fair, if we look at it from a realistic point of view, the chances of Dell adding a backdoor into it’s BIOS for the NSA is quite low. I think most of time worries are blown out of proportion and are often fantasies about existing in a world like 1984.
What is more important, in my opinion, is that time and time again security through obscurity has been proven to be ineffective as opposed to being transparent about your current measures. Open source also tends to support systems for all of their lifetime instead of having it defined by your manufacturer.
The short answer is “it depends”. What make of laptop (specifically, what chipset) determines how big an issue we’re talking. Also, what’s your threat model matters.
If you lose your laptop, the bios doesn’t really matter, as you can assume the attacker has time to physically remove the hard drive. At that point, you’re counting on whatever drive encryption (or file encryption) you have. The more troubling situation is the “evil maid” attack, where someone has 30-60s of physical access to your machine, can they break in without leaving a trace? With Intel machines, the answer is probably; at least some machines can have malicious code inserted over the ethernet port when the machine first boots. Some machines are more locked down than others (Lenovo Thinkpads, for example, have significant extra security “stuff” included, which makes bypassing the locked bios fairly difficult, even with extended physical access, chip readers, and a soldering iron).
Purism has stripped the Intel Management Engine (IME) of its non-vital components, which probably helps the situation too; I don’t know if anyone has tried to break into one of their machines, but in theory they don’t initialize the network interface preboot.
The situation on AMD is sorta better. The PSP generally doesn’t have access to the NIC, so that avenue of attack is closed from the start. The PSP code is also simple enough that at least one group of independent engineers have dissected the thing and didn’t find anything bad (not finding something != something not being there though). That was for the x370 chipset, I don’t know if anyone has gone to the work of doing the same for the later revisions. On the other hand, it has been demonstrated that an attacker who gains temporary ring-0 access to an AMD system can infect any of several chipsets on the board, which usually requires replacing the motherboard to clean out again.
Anyway, all of the above assumes someone with physical access to the machine. With regard to remote attacks, the risk is quite minimal. There is significant market pressure to deliver performant CPUs, so the odds that silicon space is used for an intentional hardware backdoor is likely slim. The software blob is something of a threat, but the behaviour of the running system needs to be more-or-less as expected (and as mentioned, they can be dissected). On Intel systems, you want to avoid plugging single-nic machines into untrusted wired networks, as in-theory, that opens you up to remote-management exploits, but otherwise you’re probably fine.
Oh, and as a side note, having the firmware open source (but authored by an untrusted company) doesn’t perfectly block this class of attack. If they include undocumented opcodes, those can change the mode of the CPU sufficiently to sneak a backdoor through, even if the source code is readable. That’s not to say having the source code is bad, just that it isn’t a “magic bullet”.
I wonder why no one has posted a link to the Libreboot FAQ yet. Those people are real professionals and they know what they are talking about:
https://libreboot.org/faq.html#intel
Quote:
In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely. Since recent versions of it can’t be removed, this means avoiding all recent generations of Intel hardware.
Anything with an “Analytics” feature offered to you is highly invasive. If they offer to share an aggrigate of your own information with you, you know they’re using that same information for themselves.
Really, you can’t trust any pc or smart phone provider other than Purism. The manufacturers are almost as bad as the criminal pc or phone crackers. Every one of them except Purism decides for you, which things they want to allow you to have access to on your own device and which things they want to do to give themselves some kind of advantage or future revenue stream from your device.
One new invasive device in this category are the router providers. I recently bought a new router. When I got to the ‘registration’ part of the router set up process, I said to myself “screw that” and finished setting up my new router without registering an account with the router company. The router worked perfectly for three days. Then it quit working. When I tried to log back in to it, my password wouldn’t work. I called the router company’s tech support and it turns out that I had to hard-reset the router back to the factory default state as the only means to get back in. Then I only had one choice, give those mother fu…ers my real e-mail address and verify my user account with the router company using my e-real mail address, or get locked out again three days later. The router setup had easy to activate services if you agreed to a monthly fee to use them. These paid services were things that should be free router settings on your own router if not for the router firmware not allowing them unless you pay a monthly fee. So now, your router is like your smart phone, not really yours. I plan to flash it with DD-WRT as soon as I get time. But there is no way to know when you buy your router, which ones do this to you. Maybe they all do now.
On one hand, Purism’s PureBoot is indeed the best security practice in boot firmware.
On the other hand, there are other freedom-respecting laptops on market, even better ones, certified by the Free Software Foundation.
The “Respects Your Freedom” certification program encourages the creation and sale of hardware that will do as much as possible to respect your freedom and your privacy, and will ensure that you have control over your device.
https://ryf.fsf.org/categories/laptops
The problem with them is that they are very old and slow devices.
Update: there are definitely also freedom-respecting routers: https://ryf.fsf.org/categories/routers.
not quite > https://www.thinkpenguin.com/catalog/wireless-networking-gnulinux
the more dangerous one is the firmware of cellular modems and specifically those where the cellular modem is on the same SOC as the main CPU …
not sure about this one though > https://www.thinkpenguin.com/gnu-linux/usb-4g-lte-advanced-modem-gnulinux-tpe-usb4glte
This is good information fsflover and reC. Thanks for the good information.
This.
Having a manufacturer-backdoored BIOS is an easy way of getting a persistent compromise though - without the difficulties of trying to bypass digitally signed everything.
Extremely difficult to answer as it depends on an individual’s circumstances.
How powerful are your enemies?
One observation I would make is that typically the BIOS is at the start of the trusted boot path. If you can’t verify the BIOS then you really can’t verify anything that comes afterwards. So it is important, to be confident that the BIOS is defect free.
or the better question would be “how powerful are YOU ?”
that is because we know that the powerful fish usually are after the ones that are in the same league (or very close) or after those that pose a threat … now posing a threat as an individual is HARD but in large numbers that changes somewhat …
one might ask : out of the billions of people IOT-ed already … how many are capable of posing a threat ? not too many statistically speaking but if you had a way to monitor in bulk then that would be an even greater achievement since you would not have to worry about “how many” in the first place but simply TARGET with precision …
the solution for EVERYONE that has a choice and the BUCK to make it happen would we to simply not take ANY chances with ANYTHING closed-source and simply go for peace of mind …
Nah, there are a handful of router companies which either ship with OpenWRT, or make it easy to install. Personally, I point people to the TP-Link series (Archer A7 or C7, the C5 should work, but the A5 didn’t a few months ago). If you need more than gigabit, it gets a bit trickier.
how does NETGEAR compare to tp-link ? i have one of their non-monitored switches (5 port - small)
for a small 2 room residence and a few wired terminals that should be enough no ?
router seems like overkill unless you need to establish a radio network connection …
10(ish) years ago, Netgear was my go-to recommendation. I don’t know of any netgear box produced in the last… 5 years… which supports OpenWRT easily (as in, download the right OpenWRT image and drag/drop it into the firmware update box on the router’s web interface). I believe there are a few Netgear boxes which you can get OpenWRT running on through more invasive means (including JTAG programming or similar).
With regard to dedicated router and separate modem: modern protocols (V-DSL, DOCSIS, and similar) are not well documented, and typically implemented in silicon (as they really require an ASIC to push the speeds they get over the physical lines they have). For the most part, attempts to get those ASICs working on OpenWRT or similar have been… temperamental at best. At the very least, they end up needing both a firmware blob and a blob kernel driver, which significantly degrades the trustworthiness of the system. If you are buying equipment up front (which you should do if you think you’ll want the service more than about 3 months), you can buy a dedicated just-a-modem, plus a TP-link or similar device, for about the same price as a slightly higher end all-in-one modem. Considering that the TP-link half goes with you across ISPs and is likely to continue to function for as long as the speeds it can manage are good enough for you, you’re money ahead this route the moment you switch services and get a new dedicated dumb modem.
I’m not 100% sure what you mean by this but …
The assumption is that basically everyone these days has a smartphone; smartphones don’t offer wired networking; so you need WiFi.
Hence whatever you are doing in the switch won’t be adequate to control your network unless you have a dedicated Wireless Access Point (and disable the WAP in your router) - which is by no means impossible but does add to the cost.
i agree that IS the assumption …
The question is quite vague since you don’t say “the risk of what”.
But nowadays I keep being told that it’s OK to make all your life’s information public because if you have done nothing wrong then you have nothing to hide.
The corollary is that it is accepted wisdom that if you hide something, then you are presumed guilty of something.
I don’t agree with this point of view, but I think it’s good practice to return this point of view to the tech giants which try to impose it on us: why do manufacturers need to hide the BIOS’s source?