
I bought a second-hand laptop from a stranger. My (totally unjustified) concern is that there might be malware on the device.

According to this answer, there is no easy fix if it's malicious firmware. I don't know how easy it is to implant malicious firmware, so I have no idea if this should be a legitimate concern.

If the malware is on the disk however, that seems to be easier. The laptop I bought has a SATA SSD. Here are the steps I followed:

  1. The laptop came with what looked like a fresh W10 install.

  2. I installed Manjaro with the graphical installer, presumably wiping W10 from the drive.

  3. I then booted again on the Manjaro Live USB and followed the Arch Wiki instructions for a SATA drive to wipe /dev/sda. `hdparm -I /dev/sda` displayed:

        6min for SECURITY ERASE UNIT. 6min for ENHANCED SECURITY ERASE UNIT.

which, according to the best answer here, means that there was no secure erase of the disk, simply a deletion of the "native" (meaning that it's something intrinsic to how the SSD works, not user controlled) encryption key of the disc, as far as I understand.

The question is: if there was any malware on the disk, is that enough to make sure it can never affect me?

I have no understanding of malware and only basic understanding of encryption, so I'm not sure that wiping the SSD encryption key without overwriting the data on it will actually prevent the malware from running.

The Arch Wiki mentions many other options (cat, dd, shred, etc.) to overwrite the disk data, but the most upvoted answer here states that, with an SSD (because of wear leveling), these other options do not actually overwrite the disk, but instead write zeroes/random data to new blocks.

Banjo
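A post-erase check that fits the procedure above, added here as an example (not part of the original post or the Arch Wiki): sample blocks at a fixed stride across the drive, or a disk image of it, and count how many still contain a non-zero byte. After an ATA Secure Erase (crypto erase included) every block read through the normal block interface should come back zeroed, so a non-zero count means readable data survived; the device path /dev/sda, 4 KiB blocks and the use of `blockdev` from util-linux are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the original post. Reads only; never writes.
# Assumes util-linux `blockdev` for real devices; plain files (images) use wc.

# count_nonzero_blocks <path> <block_size> <samples>
# Prints how many of <samples> evenly spaced blocks contain a non-zero byte.
count_nonzero_blocks() {
    path=$1; bs=$2; samples=$3
    if [ -b "$path" ]; then
        size=$(blockdev --getsize64 "$path")
    else
        size=$(wc -c < "$path" | tr -d ' ')
    fi
    total=$(( size / bs ))
    [ "$total" -gt 0 ] || { echo 0; return; }
    [ "$samples" -gt "$total" ] && samples=$total
    step=$(( total / samples ))          # stride between sampled blocks
    hits=0
    i=0
    while [ "$i" -lt "$samples" ]; do
        blk=$(( i * step ))
        # Strip NUL bytes; anything left means the block is not all zeros.
        n=$(dd if="$path" bs="$bs" skip="$blk" count=1 2>/dev/null \
            | tr -d '\000' | wc -c | tr -d ' ')
        [ "$n" -gt 0 ] && hits=$(( hits + 1 ))
        i=$(( i + 1 ))
    done
    echo "$hits"
}

# Stand-alone use: ./check.sh /dev/sda  (run from the live USB, as root)
[ -n "$1" ] && echo "non-zero sampled blocks on $1: $(count_nonzero_blocks "$1" 4096 256)"
```

A result of 0 only shows that the sampled blocks are unreadable as data through the normal interface, which is exactly the path a leftover file on the disk would need; it says nothing about drive firmware.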

1 Answer


Relax, you're fine!

All of the extreme secure erase and wiping measures are to prevent heroic efforts to recover data you don't want recovered; that's not your concern here.

You simply want to use the drive in a normal fashion. Even if the drive was littered with un-allocated un-wiped malware it wouldn't matter. Normal use makes no attempt to access un-allocated content.

True, it is possible for there to be embedded firmware malware, but this is a very high bar that you are extremely unlikely to encounter.

Your efforts are more than sufficient for using the drive.

user10216038
  • Thanks for your answer! Does that mean that un-allocated content cannot "read itself", or be interacted with under normal use, except to be written over? In that case, would it have been sufficient to rely on the "Erase Disk" part of the Manjaro install to un-allocate all of the W10 content? Or was hdparm / ATA Secure Erase necessary? – Banjo Jul 24 '21 at 17:55
  • @Banjo - No, nothing reads itself. For your purposes a simple erase is sufficient. Even a mere *format* after removing the partitions (particularly the boot partition) would be enough but erase makes doubly sure. – user10216038 Jul 24 '21 at 18:33
  • Thanks! Malware prevention is so hard to navigate when you don't know anything about malware :) – Banjo Jul 24 '21 at 18:59