11

I have become quite a password-obsessed individual. I password-protect my HDDs, my files, and now even the BIOS/EFI on the various systems I own.

But I have discovered that if you forget your BIOS password, it is easy (enough) to simply reset it/disable it via physical access to the insides of the machine, or in some cases like the EFI of modern Apple hardware, Apple can even override it via some 'master key' overriding code if they want to, without even needing to reset it at the physical hardware level (which is pretty disturbing).

So, with this in mind, what use is a BIOS/EFI password then?

What threat model is it effective against, and are additional measures (like storing the laptop in a safe/locking the desktop case with a key/padlock/combination lock, and maybe some robust 'intrusion detection' notification or logging system) recommended to make this extra password more worthwhile every time you restart your computer?

Is it a little bit like the lock on the front door of the house, still having its place even though the glass window right next to it can be smashed by a determined burglar who wants to get in anyway?

connor

3 Answers

6

A BIOS/EFI password can only be considered effective because of security by obscurity. An attacker can easily override the BIOS password with only keyboard and power button access with something like this, or via physical access to the internals of the PC.

What use is it, then? Well, it makes you feel secure, but it really only deters people who don't know how to bypass it, though all you really need is a key generator, and that's even open source. I mean, built-in backdoors with open-source key generators can't possibly be secure. It's only because it's not common knowledge that it still exists.

So it's not as much of a deterrent as a lock on the front door of a house, maybe more of a sign that says "beware of dog," since it doesn't really take much effort to bypass on most systems, but just like the sign, the thought of a cute poodle won't deter anyone who goes to the effort of trying to break in.

If you're already encrypting your hard drive and again your files, then that's about as secure as you can reasonably get. Even if there was no way to easily circumvent BIOS passwords, an attacker could easily swap hard drives to gain access to data, assuming they had physical access.

Cyrus Roshan
  • 1
    what of an office or public computer where the user has no direct physical access? – schroeder Apr 07 '15 at 00:05
  • 1
    @schroeder I've had success using bios-pw.org for all of the laptops that I've tried it with, and it supports most vendors IIRC. It's basically just a master password that you can type in after you find the error code that the bios gives you after too many incorrect attempts. – Cyrus Roshan Apr 07 '15 at 00:10
4

Software cannot protect against physical attacks. Security requires a layered approach. Most cases have the ability to put on a physical lock. More secure system cases can also hide the cable connections and prevent changing keyboards or other peripheral connections.

The BIOS/boot password is only one part of a greater security plan for a system. It's also possible to use evil maid attacks against full disk encryption; however, that still requires an advanced adversary with the physical access and the ability to be stealthy enough to hide that they did the physical access.

Furthermore, if someone disables the password mechanism, that is not the same as them guessing the password. The adversary may be interested in one-time access, but in many cases they do not want the victim to know they were attacked. Removing the BIOS password in most cases clears it, so it's not possible to just flip a switch and turn it back on. When the victim goes to boot again, the victim will see that someone has compromised the system and this may then result in countermeasures making future access by the adversary more difficult.

Smashing glass (as in your front door example) is not reversible, makes a mess, and is noisy. In some cases this does not matter. However, encryption/passwords are generally still useful even though they will often fail a rubber hose attack.

Eric G
1

Another usage of passwords in firmware: UEFI has a network stack, and to do PXE it may use authentication (CHAP?). IPSec is also available. So some network usage of UEFI will require a login/password. UEFI has a User Identification driver model, and UEFI 2.5 also added smartcard driver models. HTH, Lee http://firmwaresecurity.com/feed

Lee Fisher