Hardware with minimal (or open source) firmware to reduce attack surface?

Discussion in 'hardware' started by pikwik, Aug 7, 2018.

  1. pikwik

    pikwik Registered Member

    Joined:
    Aug 7, 2018
    Posts:
    1
    Location:
    europe
    Complex closed-source firmware has the potential to be a security nightmare.

    Let's take for example the possible security and privacy implications of:

    • Intel ME firmware in Intel processors (and AMD equivalent: PSP)
    • the firmware of the cellular baseband in most smartphones
    • the Spectre and Meltdown microcode bugs
    • the fact that a computer BIOS or an SSD firmware can be overwritten with a malicious copy (or could already have a backdoor from the vendor).
    To avoid these dangers, one answer could be to rely on Open-Source firmware, or at least on closed source firmware as simple as possible, to greatly reduce the attack surface. [ for example, from this answer we see that the firmware of the Raspberry Pi is quite simple, and that it is written on unchangeable ROM: https://security.stackexchange.com/...pi-vulnerable-to-injection-beyond-the-sd-card ]

    With this in mind, can we come up with a list of hardware with a relatively small attack surface?

    examples:
    - some laptops can be re-flashed to have open-source BIOS (see Libreboot) and/or to partially remove Intel ME (see ME_Cleaner).
    - old AMD processors (before about 2012) don't have PSP.
    - processors without out-of-order execution are immune to Spectre/Meltdown (e.g. ARM Cortex-A53, Intel Atom until Silvermont).
    - single board computers (Raspberry Pi, Odroid, etc.) might be a good choice as they tend to have basic firmware, and that firmware might even be unchangeable (stored on real ROM).

    Any similar ideas/information?
     
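    An added defender-side check that is not code from this thread: a POSIX shell script that classifies the Linux kernel's own Spectre/Meltdown-class vulnerability reports (the sysfs files under /sys/devices/system/cpu/vulnerabilities, present since kernel 4.15) and notes whether an Intel ME interface device node (/dev/mei0 when the mei driver is bound) is exposed. The directories are parameters, so the constructed sample tree below runs it offline; the live paths are assumed to be the standard Linux locations.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies the Linux kernel's
# vulnerability reports (sysfs, kernel 4.15+) and checks for an Intel ME
# device node. Directories are parameters so a constructed tree runs offline.

# firmware_audit VULN_DIR DEV_DIR: one "name<TAB>state<TAB>kernel text" line
# per entry, then a single summary line (the last line of output).
firmware_audit() {
    vdir=$1; ddir=$2
    mitigated=0; unaffected=0; unmitigated=0
    for f in "$vdir"/*; do               # glob order is sorted, so output is stable
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            "Not affected"*) state=not_affected; unaffected=$((unaffected + 1)) ;;
            Mitigation:*)    state=mitigated;    mitigated=$((mitigated + 1)) ;;
            *)               state=UNMITIGATED;  unmitigated=$((unmitigated + 1)) ;;
        esac
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$state" "$status"
    done
    # A mei* node means the kernel's ME driver bound to an ME interface. Its
    # absence does NOT prove ME is gone (the driver may simply not be loaded).
    me=absent
    for d in "$ddir"/mei*; do [ -e "$d" ] && me=present; done
    printf 'summary: mitigated=%s not_affected=%s unmitigated=%s me_device=%s\n' \
        "$mitigated" "$unaffected" "$unmitigated" "$me"
}

# Constructed sample tree (made-up values, not from any real machine) so the
# function can be exercised without root or specific hardware.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/vulnerabilities" "$root/dev"
    printf 'Mitigation: PTI\n'          > "$root/vulnerabilities/meltdown"
    printf 'Mitigation: Retpolines\n'   > "$root/vulnerabilities/spectre_v2"
    printf 'Vulnerable: No microcode\n' > "$root/vulnerabilities/spec_store_bypass"
    printf 'Not affected\n'             > "$root/vulnerabilities/l1tf"
    : > "$root/dev/mei0"
    printf '%s\n' "$root"
}

# Stand-alone run: use the live system if it exposes the reports, else the sample.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    firmware_audit /sys/devices/system/cpu/vulnerabilities /dev
else
    sample=$(make_sample_tree)
    firmware_audit "$sample/vulnerabilities" "$sample/dev"
fi
```

An UNMITIGATED line on real hardware is the kernel reporting that microcode or a mitigation is missing for that CPU, which is the place to start when evaluating one of the hardware options listed above.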
  2. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Just because open source potentially has more "fresh" eyes looking at the code, that does not mean it cannot be malicious. And while I agree more complexity invites more bugs and other issues, it is not always easy to avoid. Complex sophisticated hardware often requires complex sophisticated firmware to function properly and optimally.

    Yes, single board computers like the Pi and others might be nice - but that is more likely because they hold a smaller market share, thus make a smaller target (with less reward) for the bad guys. The problem there is those basic computers are incapable of performing many of the tasks computer users want or need their computers to do.

    The best option is to buy major brands. Keep the system current. Use a decent anti-malware solution, and don't be "click-happy" on unsolicited downloads, attachments, links and popups.
     