How high is the risk for using laptops with closed source BIOS?

The short answer is “it depends”. What make of laptop (specifically, what chipset) determines how big an issue we’re talking about. Also, what your threat model is matters.

If you lose your laptop, the BIOS doesn’t really matter, as you can assume the attacker has time to physically remove the hard drive. At that point, you’re counting on whatever drive encryption (or file encryption) you have. The more troubling situation is the “evil maid” attack, where someone has 30-60 s of physical access to your machine: can they break in without leaving a trace? With Intel machines, the answer is probably; at least some machines can have malicious code inserted over the ethernet port when the machine first boots. Some machines are more locked down than others (Lenovo Thinkpads, for example, have significant extra security “stuff” included, which makes bypassing the locked BIOS fairly difficult, even with extended physical access, chip readers, and a soldering iron).

Purism has stripped the Intel Management Engine (IME) of its non-vital components, which probably helps the situation too; I don’t know if anyone has tried to break into one of their machines, but in theory they don’t initialize the network interface preboot.

The situation on AMD is sorta better. The PSP generally doesn’t have access to the NIC, so that avenue of attack is closed from the start. The PSP code is also simple enough that at least one group of independent engineers has dissected the thing and didn’t find anything bad (not finding something != something not being there though). That was for the X370 chipset; I don’t know if anyone has gone to the work of doing the same for the later revisions. On the other hand, it has been demonstrated that an attacker who gains temporary ring-0 access to an AMD system can infect any of several chipsets on the board, which usually requires replacing the motherboard to clean out again.

Anyway, all of the above assumes someone with physical access to the machine. With regard to remote attacks, the risk is quite minimal. There is significant market pressure to deliver performant CPUs, so the odds that silicon space is used for an intentional hardware backdoor are likely slim. The software blob is something of a threat, but the behaviour of the running system needs to be more-or-less as expected (and as mentioned, they can be dissected). On Intel systems, you want to avoid plugging single-NIC machines into untrusted wired networks, as in theory that opens you up to remote-management exploits, but otherwise you’re probably fine.

Oh, and as a side note, having the firmware open source (but authored by an untrusted company) doesn’t perfectly block this class of attack. If they include undocumented opcodes, those can change the mode of the CPU sufficiently to sneak a backdoor through, even if the source code is readable. That’s not to say having the source code is bad, just that it isn’t a “magic bullet”.

I wonder why no one has posted a link to the Libreboot FAQ yet. Those people are real professionals and they know what they are talking about:

https://libreboot.org/faq.html#intel

Quote:

In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely. Since recent versions of it can’t be removed, this means avoiding all recent generations of Intel hardware.

Anything with an “Analytics” feature offered to you is highly invasive. If they offer to share an aggregate of your own information with you, you know they’re using that same information for themselves.

Really, you can’t trust any PC or smart phone provider other than Purism. The manufacturers are almost as bad as the criminal PC or phone crackers. Every one of them except Purism decides for you which things they want to allow you to have access to on your own device and which things they want to do to give themselves some kind of advantage or future revenue stream from your device.

One new invasive device in this category is the router providers. I recently bought a new router. When I got to the ‘registration’ part of the router set up process, I said to myself “screw that” and finished setting up my new router without registering an account with the router company. The router worked perfectly for three days. Then it quit working. When I tried to log back in to it, my password wouldn’t work. I called the router company’s tech support and it turns out that I had to hard-reset the router back to the factory default state as the only means to get back in. Then I only had one choice: give those mother fu…ers my real e-mail address and verify my user account with the router company using my real e-mail address, or get locked out again three days later. The router setup had easy-to-activate services if you agreed to a monthly fee to use them. These paid services were things that should be free router settings on your own router if not for the router firmware not allowing them unless you pay a monthly fee. So now, your router is like your smart phone, not really yours. I plan to flash it with DD-WRT as soon as I get time. But there is no way to know when you buy your router which ones do this to you. Maybe they all do now.

On one hand, Purism’s PureBoot is indeed the best security practice in boot firmware.

On the other hand, there are other freedom-respecting laptops on market, even better ones, certified by the Free Software Foundation.

The “Respects Your Freedom” certification program encourages the creation and sale of hardware that will do as much as possible to respect your freedom and your privacy, and will ensure that you have control over your device.

https://ryf.fsf.org/categories/laptops

The problem with them is that they are very old and slow devices.

Update: there are definitely also freedom-respecting routers: https://ryf.fsf.org/categories/routers.

not quite > https://www.thinkpenguin.com/catalog/wireless-networking-gnulinux
the more dangerous one is the firmware of cellular modems and specifically those where the cellular modem is on the same SOC as the main CPU …

not sure about this one though > https://www.thinkpenguin.com/gnu-linux/usb-4g-lte-advanced-modem-gnulinux-tpe-usb4glte

This is good information fsflover and reC. Thanks for the good information.

This.

Having a manufacturer-backdoored BIOS is an easy way of getting a persistent compromise though - without the difficulties of trying to bypass digitally signed everything.

Extremely difficult to answer as it depends on an individual’s circumstances.

How powerful are your enemies?

One observation I would make is that typically the BIOS is at the start of the trusted boot path. If you can’t verify the BIOS then you really can’t verify anything that comes afterwards. So it is important to be confident that the BIOS is defect free.
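The post above makes a point that is easy to state and easy to underestimate: whatever measures the first stage determines whether any later measurement can be trusted. The following Python simulation is an added example written for this thread, not code from any poster or from a firmware project; it models a TPM-style PCR extend chain (the kind of measured boot that projects such as PureBoot build on) with constructed stand-in images, and shows that a compromised BIOS is only caught when a hardware root of trust measures the BIOS itself. The image contents, stage names and the `GOOD_IMAGES` golden values are all assumptions made up for the illustration.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # TPM PCRs start zeroed at reset

# Constructed stand-ins for real firmware and boot images (not real binaries).
GOOD_IMAGES = {
    "bios": b"vendor-bios-build-1.0",
    "bootloader": b"bootloader-build-2.0",
    "kernel": b"kernel-build-6.1",
}


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement)."""
    return sha256(pcr + digest)


def measured_boot(images, hardware_root_measures_bios, bios_is_honest):
    """Return the final PCR value produced by one boot of `images`.

    hardware_root_measures_bios: True if an immutable hardware root of trust
        measures the BIOS before it runs (so the BIOS cannot choose what is
        recorded about itself); False if the BIOS is itself the root.
    bios_is_honest: False models a BIOS that loads whatever it likes but
        records the digests of the known-good images instead.
    """
    pcr = PCR_INIT
    if hardware_root_measures_bios:
        pcr = pcr_extend(pcr, sha256(images["bios"]))
    for stage in ("bootloader", "kernel"):
        actual = sha256(images[stage])
        reported = actual if bios_is_honest else sha256(GOOD_IMAGES[stage])
        pcr = pcr_extend(pcr, reported)
    return pcr


def attestation_detects(images, hardware_root_measures_bios, bios_is_honest):
    """True if the observed PCR differs from the golden value for a good boot."""
    golden = measured_boot(GOOD_IMAGES, hardware_root_measures_bios, True)
    observed = measured_boot(images, hardware_root_measures_bios, bios_is_honest)
    return observed != golden


if __name__ == "__main__":
    tampered_kernel = {**GOOD_IMAGES, "kernel": b"kernel-with-implant"}
    tampered_bios = {**GOOD_IMAGES, "bios": b"bios-with-implant"}
    print("honest BIOS, tampered kernel, detected:",
          attestation_detects(tampered_kernel, True, True))
    print("lying BIOS, hardware root measures BIOS, detected:",
          attestation_detects(tampered_bios, True, False))
    print("lying BIOS is the root of trust, detected:",
          attestation_detects(tampered_bios, False, False))
```

Running it shows the asymmetry: a tampered kernel is caught by an honest BIOS, and a tampered BIOS is caught when something it cannot influence measures it first, but when the BIOS is the root of the chain it can simply replay the golden digests and every downstream PCR matches. That is why remote attestation and signed-everything only help if the very first measurement is anchored in hardware the firmware cannot rewrite.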

or the better question would be “how powerful are YOU ?”
that is because we know that the powerful fish usually are after the ones that are in the same league (or very close) or after those that pose a threat … now posing a threat as an individual is HARD but in large numbers that changes somewhat …

one might ask : out of the billions of people IOT-ed already … how many are capable of posing a threat ? not too many statistically speaking but if you had a way to monitor in bulk then that would be an even greater achievement since you would not have to worry about “how many” in the first place but simply TARGET with precision …

the solution for EVERYONE that has a choice and the BUCK to make it happen would be to simply not take ANY chances with ANYTHING closed-source and simply go for peace of mind …

Nah, there are a handful of router companies which either ship with OpenWRT, or make it easy to install. Personally, I point people to the TP-Link series (Archer A7 or C7, the C5 should work, but the A5 didn’t a few months ago). If you need more than gigabit, it gets a bit trickier.

how does NETGEAR compare to tp-link ? i have one of their non-monitored switches (5 port - small)
for a small 2 room residence and a few wired terminals that should be enough no ?

router seems like overkill unless you need to establish a radio network connection …

10(ish) years ago, Netgear was my go-to recommendation. I don’t know of any netgear box produced in the last… 5 years… which supports OpenWRT easily (as in, download the right OpenWRT image and drag/drop it into the firmware update box on the router’s web interface). I believe there are a few Netgear boxes which you can get OpenWRT running on through more invasive means (including JTAG programming or similar).

With regard to dedicated router and separate modem: modern protocols (V-DSL, DOCSIS, and similar) are not well documented, and typically implemented in silicon (as they really require an ASIC to push the speeds they get over the physical lines they have). For the most part, attempts to get those ASICs working on OpenWRT or similar have been… temperamental at best. At the very least, they end up needing both a firmware blob and a blob kernel driver, which significantly degrades the trustworthiness of the system. If you are buying equipment up front (which you should do if you think you’ll want the service more than about 3 months), you can buy a dedicated just-a-modem, plus a TP-Link or similar device, for about the same price as a slightly higher end all-in-one modem. Considering that the TP-Link half goes with you across ISPs and is likely to continue to function for as long as the speeds it can manage are good enough for you, you’re money ahead with this route the moment you switch services and get a new dedicated dumb modem.

I’m not 100% sure what you mean by this but …

The assumption is that basically everyone these days has a smartphone; smartphones don’t offer wired networking; so you need WiFi.

Hence whatever you are doing in the switch won’t be adequate to control your network unless you have a dedicated Wireless Access Point (and disable the WAP in your router) - which is by no means impossible but does add to the cost.

i agree that IS the assumption …

The question is quite vague since you don’t say “the risk of what”.

But nowadays I keep being told that it’s OK to make all your life’s information public because if you have done nothing wrong then you have nothing to hide.
The corollary is that it is accepted wisdom that if you hide something, then you are presumed guilty of something.

I don’t agree with this point of view, but I think it’s good practice to return this point of view to the tech giants which try to impose it on us: why do manufacturers need to hide the BIOS’s source?

or any other source code for that matter … and the most dangerous thing for end-users is proprietary JavaScript code that can basically load a huge number of things that can Rick-Roll you to death …

The practical answer is “the ‘IP’ laws”. See, for some stupid reason, you can get a software patent for an idea, such as putting a “one click order” button on a website. For something as complex as a modern computer BIOS, there are literally hundreds of patented parts to it. And the thing is, independent development is not a reliable defense against patent infringement, so even if a company just locked their devs in a room with the hardware and no outside contact, they could still get sued over patent infringement. (Nor is it simple to verify that you’ve worked around or licensed all patented parts, as there is no one central repository to check (international treaties are a B), and sometimes non-obvious patents apply). If they don’t release the source code (while XORing parts of the code together), they can run the cost of proving patent infringement up, while not really making life more difficult for their own people.

Actually, a lot more of the BIOS is FOSS than you think.
Anyone can download the spec for UEFI:


Intel’s reference implementation of UEFI (Tianocore > EDK > EDK2) has been FOSS since 2004. Microsoft’s Mu Project for the Surface is also FOSS. Of course, all Chromebooks use Coreboot which is almost all FOSS.

AMI, Award and Phoenix (the three major BIOS/UEFI manufacturers for PCs) can all use Intel’s reference code, but none of them release their source code, so it is hard to know how much they use.

they aren’t required to do so by the license then i assume … it’s a very permissive license no ?

Yes, it’s very permissive.
Tianocore EDK2 has a BSD-style license:

By the way, it’s 2.2 million lines of code, and I bet that AMI, Award and Phoenix do use a lot of it, since it would be a lot of work to reimplement UEFI.

how many EXTRA lines would need to be hidden among those 2.2 million visible in the source to make a successful/hidden infiltration possible ? not many i would imagine in comparison to the ones that already do the functionality work …