Should I worry about CPU and GPU malware when buying on eBay?

[Stoodioratt]

I looked for some info on this, but haven’t really found anything...maybe that answers my question, lol

But...

I have a early 2009 4,1 2.26 GHz 8 core Mac Pro. I’m upgrading the CPUs and graphics card.

I bought CPUs as an “upgrade kit” so I wouldn’t have to delid. I also bought a GTX 980 gpu that’s was flashed for Mac to have a boot screen.

Both sellers (eBay)had high number 100% feedback.

Is it likely that people are putting malware on these?

Am I paranoid?

Can I protect or test the pieces?

Is there safeguard in place that I’m not aware of?

Appreciate any help/wisdom/schooling.

 

[Longkeg]

You’re probably being a little bit paranoid... but you never know.

It seems like a lot of effort for a very small return. Think about it. Is somebody really going to take the time to flash malware onto individual hardware components to exploit a very small collection older machines? Upgrades such as you describe are not that common. Most people just buy new devices. There are much easier ways to hack computers.

 

[Stoodioratt]

Thanks.

I would tend to agree with you, seems like a lot of hassle not to mention the direct link back to where it came from but wanted to ask the community before I potentially did something dumb.

 

[Fishrrman]

Questions:
"Is it likely that people are putting malware on these?
Am I paranoid?"

Answer:
Yes.

 

[v3rlon]

You cannot put malware on a a CPU for Mac/PC. That just won't work.
I haven't heard of any being deployed through the GPU firmware either. I would worry more that it spent time in a slaving in a cryptocurrency mine before being sold. Or, do you meet the power requirements?

Now, to flash a 2009 to 2010+ so you can use HDMI audio and stuff, there is a program that might be downloaded, USB, or what have you. If you are concerned, go right to the source and download it yourself. There are numerous threads here at MacRumors alone. I'd post a link, but why should you trust me more than the guy you are paying to deliver a product to you?

 

[GGJstudios]

Is it likely that people are putting malware on these?

mal·ware
ˈmalwer/
noun
COMPUTING
software that is intended to damage or disable computers and computer systems.​

By definition, there is no such thing as malware on a CPU or GPU, which is hardware. The only macOS malware in the wild is avoidable by being careful what software (not hardware) you install.

Am I paranoid?

Not so much paranoid as somewhat uninformed.

 

[ActionableMango]

mal·ware
ˈmalwer/
noun
COMPUTING
software that is intended to damage or disable computers and computer systems.​

By definition, there is no such thing as malware on a CPU or GPU, which is hardware. The only macOS malware in the wild is avoidable by being careful what software (not hardware) you install.

I don't think OP should worry, but your premise is incorrect. Most (all?) modern computer hardware also have onboard firmware, which is programmable software. And while I'm personally not aware of any malware in a CPU or GPU, malware has been used in "hardware" like a motherboard and a hard drive.

Indeed there is even a proof of concept for firmware malware on Macs that Apple had to provide a security update for.

 

[bsbeamer]

If buying individual parts for 4,1 or 5,1 personally would not be too concerned. Try to stick with sellers that specialize as Apple resellers, or build custom BTO 4,1/5,1 machines if you can. If buying whole machines for parts, would suggest immediately taking all drives out and wiping them at the top level.

Look for lots of eBay feedback over years, not just a 100% rating. I'd trust a seller with a negative comment or two that has been around for awhile and remedies the situation more than a 100% feedback rating.

Places like OWC are expensive, but reasons like this concern are why some people buy from them...

Apps like Little Snitch may help ease your mind, but that is only really at the OS level. You'd need to monitor your modem at the ISP level to really check incoming/outgoing connections if you're concerned about malware phoning home, stealing information, or hacking your machine via mining, etc.

Also worth asking, are you upgrading your 4,1 > 5,1 via the usual firmware hack everyone seems to use? If so, that technically could expose you to more risk unless you are writing the code and execution yourself. Make sure you're downloading the authentic version and minimize the risk at that level.

Are you using an EFI modded GPU that is not authentic or stock? Again, technically could expose you to more risk since you do not know what was done to it. You could consider purchasing a brand new GPU directly from NVIDIA or AMD to minimize that risk.

 

[Stoodioratt]

Also worth asking, are you upgrading your 4,1 > 5,1 via the usual firmware hack everyone seems to use? If so, that technically could expose you to more risk unless you are writing the code and execution yourself. Make sure you're downloading the authentic version and minimize the risk at that level.

I am and was concerned about that as well.

Are you using an EFI modded GPU that is not authentic or stock? Again, technically could expose you to more risk since you do not know what was done to it. You could consider purchasing a brand new GPU directly from NVIDIA or AMD to minimize that risk.

Yes it's a GPU that has been modded. That concern was the reason for the initial post.

Prob should have bought the OWC choice, but I was tempted by th more powerful GTX 980 for $50 more.

 

[ActionableMango]

I was tempted by th more powerful GTX 980 for $50.

Y'all got any more of those $50 GTX980s???

 

[Stoodioratt]

Y'all got any more of those $50 GTX980s???

Lol...i meant $50 more. Good catch!

 

[bsbeamer]

If you're truly concerned about the GPU, would suggest to stick with stock non-modified GPUs. GTX 10XX series work fine in Mac Pro 4,1 & 5,1 with the right power cables, or find an authentic EVGA GTX 680 Mac Edition if you need EFI, or make one of the newer AMD cards work.

NVIDIA directly sells the Founders Edition cards without markup when they are in-stock:
https://www.nvidia.com/en-us/geforce/products/10series/geforce-store/

 

[GGJstudios]

I don't think OP should worry, but your premise is incorrect. Most (all?) modern computer hardware also have onboard firmware, which is programmable software. And while I'm personally not aware of any malware in a CPU or GPU, malware has been used in "hardware" like a motherboard and a hard drive.

Indeed there is even a proof of concept for firmware malware on Macs that Apple had to provide a security update for.

Firmware is not hardware. It is software.

firm·ware
ˈfərmwer/
noun
COMPUTING
permanent software programmed into a read-only memory.​

 

[ActionableMango]

Firmware is not hardware. It is software.

firm·ware
ˈfərmwer/
noun
COMPUTING
permanent software programmed into a read-only memory.​

Well no ****, that was my entire point. Graphics cards have firmware, which is software, which is why they can have malware.

 

[GGJstudios]

Well no ****, that was my entire point. Graphics cards have firmware, which is software, which is why they can have malware.

Malware doesn't affect hardware, only software, which is what I originally stated. There is no malware in the wild that can affect Mac CPUs or GPUs.

 

[ActionableMango]

Malware doesn't affect hardware, only software, which is what I originally stated.

Actually, you said this:

By definition, there is no such thing as malware on a CPU or GPU, which is hardware. ​

You can't really say GPUs cannot have malware by definition due to them being hardware, since they are in fact both hardware and software. Even CPUs have software on them, called microcode, which can also be changed by an updater.

 

[Stoodioratt]

The seller I bought the GPU from on eBay has been around for 7-8 years selling theses cards (may or may not be someone known around here). I feel pretty solid about it. Prob just gonna go for it. Thanks for all the help here.

 

[orph]

unless your on a NSA list in America or something your safe.
https://www.cnet.com/news/nsa-planted-surveillance-software-on-hard-drives-report/
https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/

NSA been sticking stuff on the arm chips or usb controller chips etc

there's been a few story's about this but no no one will do it to you as your not worth there time.
but id think twice about buying a "pre in stalled os drive" (HD/SSD) from ebay (or any dogy copy of windows from somewhere like ebay)

but yes buying a used CPU/GPU is fairly safe and most the time if there was to be anything it will be targeted at windos so may not even work in osx.

your more likely to be sold a GPU thats been mining 24/7 for a few years at 80c than being spied on

ps but dont worry china will spy on you too
https://www.engadget.com/2017/11/30/homeland-security-claims-dji-drones-spying-china/
etc

 

[Mockletoy]

If the NSA were going to put some sort of super-advanced custom badness into GPU's, I'm pretty sure they wouldn't be interested in selling them to randoms folks on the internet. They'd be doing everything they could to get those GPU's into the hands of specific juicy targets.

What you're worried about, even if it were possible, would entail a great deal of effort and time on the part of the perpetrator, and to what end? To infiltrate some old, nearly-obsolete Mac owned by some nobody they have no interest in?

When someone like you or I messes around with a video card's BIOS, there is an extremely limited set of options available to us. The end result of tweaking those options is the same firmware with difference options set. It'll either work or it won't work, but changing a GPU's BIOS to do new and interesting things the manufacturer never intended it to do, and having the card still appear to work normally in all other respects, that sounds like science fiction to me. Doing it to a CPU seems even more problematic.

 

[orph]

well i meant it as a half joke, it' is possible but no wont happen relay.

what they do is stop your post on the way to you and then add there special touch then get it sent on, there's no way to tell but it wont happen to you, your more likely to install malware yourself

i think the intel spectre bug may let some one install something on to the cpu.

but no wont relay happen unless your a dater center or trump etc