The Importance of Setting Up Passwords for BIOS/UEFI (Start-Up Subsystems) on Windows/PC, Especially in Light of Malicious Actors’ Research into Attack Vectors against These Subsystems

By Paul F. Renda

January 19, 2024

A personal computer’s Basic Input/Output System, Unified Extensible Firmware Interface (BIOS/UEFI) has always had the option to set up a password to protect the PC boot and its subsystem from unauthorized changes [1]. However, in most cases, this password is never set up. Today, there is a greater urgency to do so. The reasons have to do with the Trusted Platform Module (TPM) on Windows-based PCs as well as foreign adversaries researching attack vectors against the subsystems in question. The Malicious Actors so far have been from China and North Korea [2, 3]. An excerpt from an abstract of the article: UEFI BIOS and Intel Management Engine Attack Vectors and Vulnerabilities. “Described breaches in UEFI and Intel Management Engine could possibly lead to the invention of 'invulnerable' malicious applications” [4].   

BIOS stands for “basic input output system”; it is an ancient PC subsystem. It was created in 1975 by Gary Kendall for the control program/monitor operating system [5, 6]. It was so successful as a subsystem that it became part of Microsoft’s Disk Operating System (MS DOS). When you turn the PC on, the BIOS initiates something known as a power-on self-test to check the hardware of the personal computer [7]. The BIOS also identifies the master boot record, which is the information to boot up the PC’s operating system. A PC subsystem that is almost 40 years old has its limitations. It can only run in 16-bit mode, and it can only boot from drives of 2.1 terabytes or less. Furthermore, it cannot support a Graphical user interface (GUI) [8]. A new boot-up system was called for, which is why the UEFI was developed.

UEFI stands for “extensible firmware interface specifications.” It was developed in 2007 by Intel, Advanced Micro Devices, Microsoft, Dell, and other PC manufacturers, soon becoming the industry standard [9]. The UEFI can support nine zettabytes and a much faster boot time; more importantly, it can create a secure boot. With it, the boot subsystem is signed with a digital certificate. The UEFI can run in a 32-bit or 64-bit mode, so it can support a GUI, which makes it much more user-friendly than the BIOS. Both the BIOS and UEFI have two levels of password [10]. The first is a system-level password to boot up the operating system. The second password is used to update or change the BIOS/UEFI. If these passwords are not set up the system will boot up and anyone can make changes to the BIOS/UEFI.

Dell laptop without a system password set Image: Paul F. Renda

Only tech support should have access to the ADMIN password for a company or government-owned laptop. The system and admin passwords should be different.

Dell laptop without an ADMIN password set Image: Paul F. Renda

The passwords for the BIOS and UEFI are important, especially in the case of laptops, which are transported to different locations and for which it is hard to arrange physical security. An unauthorized user could get hold of the laptop and set up the BIOS/UEFI system and admin passwords, thereby locking out the authorized user. On some laptops, you only have to turn on the machine and press the F2 key, which will get you into the BIOS or the UEFI subsystem.

Desktop systems support these passwords, but on a desktop computer, it is much easier to reset the BIOS/UEFI password than on a laptop. On most desktop computers you have to remove the BIOS/UEFI battery or short out the chip. The exact procedure is available from the manufacturer of the motherboard. 

Another security feature of the UEFI is known as the Trusted Platform Module (TPM). This module is used to sign the secure subsystem (the UEFI), and it can be turned on or off in the UEFI. The default on Dell and Acer laptops is TPM on. I have not surveyed all laptops on the market. 

To understand the importance of the TPM, you first have to review the security role of digital certificates in contemporary information technology. If you log on to a new website, you will see that it was signed by a digital certificate. Depending on what type of browser you use, you will be able to see whether that certificate is valid. The certificate is signed by the certificate authority [11]. The owner of that website fills out a certificate signing request (CSR) [12]. This request will include the website's name and other information to validate that website. Thanks to this system, you can know whether you are logging on to the website you want and not a malicious site. If you want to do a software update from Microsoft or another major software vendor, there are also mechanisms to verify that the update has been signed by its creator and that it is not malware. The TPM [13] provides the same kind of security for updating the UEFI subsystem on a laptop or desktop computer. Before the TPM came into existence, there was no way to sign the BIOS or the UEFI subsystem update.

Before the implementation of TPM(on) and an admin password has been set up, malware could update the BIOS/UEFI, and malicious software or rootkit could be installed. Malware on the on the BIOS/UEFI is not scanned by Malware detectors. These detectors only scan the hard drive and solid-state drive. This malicious software could slip through the defenses that are set up on the internet side of a company or government internal network. However, even if the malicious does not slip through the defenses on the internet, all you need is physical access to the computer and the thumb drive. This assumes that no system or admin password has been set up.

Very few commercially available malware scanners can scan the BIOS/UEFI chip. If you have malware on your PC, the best practice is to reformat the drive and reinstall the digitally signed software. This will not work if the malicious software is installed in the BIOS/UEFI. In that case, you have a perpetual infection problem. Several types of malware that infect the BIOS/UEFI have already been discovered; one of the more infamous ones is called Moon Bounce [14]. “Kaspersky has attributed MoonBounce with considerable confidence to APT41, which has been widely reported to be a Chinese-speaking threat actor that’s conducted cyberespionage and cybercrime campaigns around the world since at least 2012. In addition, the existence of some of the aforementioned malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors“ [15].

The passwords for the BIOS and UEFI are important, especially in the case of laptops, which are transported to different locations and for which it is hard to arrange physical security. An unauthorized user could get hold of the laptop and set up the BIOS/UEFI system and admin passwords, thereby locking out the authorized user. On some laptops, you only have to turn on the machine and press the F2 key, which will get you into the BIOS or the UEFI subsystem.

Trusted Platform Module from a Dell laptop turned on Image: Paul F. Renda

Attacks against these initial subsystems have been detected as early as 2015. In 2015 there was a leak by the hacking team where the source code of a UEFI bootkit called VectorEDK was found in the leaked files [16]. 

In my next article, I will describe some of this malicious software and some of the actors creating it. 

References

[1] https://www.compuhoy.com/how-many-types-of-passwords-can-you-set-inside-bios/

[2] https://securelist.com/mosaicregressor/98849/

[3] https://securityboulevard.com/2020/10/mosaicregressor-chinese-uefi-bootkit-snoops-on-north-korean-foes/ 

[4] https://firmwaresecurity.com/2018/05/04/fruct20-uefi-bios-and-intel-me-attack-vectors-and-vulnerabilities/ 

[5] https://www.tech-faq.com/bios.html

[6] https://www.thehindubusinessline.com/opinion/columns/bios-is-history-long-live-bios/article22258151.ece

[7] https://www.geeksforgeeks.org/what-is-postpower-on-self-test/ 

[8]https://support.lenovo.com/us/en/solutions/ht074045-the-boot-drive-is-limited-to-2tb-when-legacy-operating-system-is-used-thinkserver-rd530-rd630 

[9] https://www.techtarget.com/whatis/definition/Unified-Extensible-Firmware-Interface-UEFI 

[10] https://www.dell.com/community/Laptops-General-Read-Only/system-vs-administrator-password-in-BIOS-settings/td-p/4599673 

[11]https://www.ssl.com/faqs/what-is-a-certificate-authority/#:~:text=A%20certificate%20authority%20(CA)%2C,the%20issuance%20of%20electronic%20documents 

[12] https://www.globalsign.com/en/blog/what-is-a-certificate-signing-request-csr 

[13] https://ieeexplore.ieee.org/document/5735084 

[14]https://www.tomshardware.com/news/moonbounce-malware-hides-in-your-bios-chip-persists-after-drive-formats#:~:text=MoonBounce%20Malware%20Hides%20In%20Your%20BIOS%20Chip%2C%20Persists%20After%20Drive%20Formats,-News&text=It%20can%20be%20installed%20remotely%2C%20too.&text=A%20new%20type%20of%20malware,or%20format%20your%20hard%20drive 

[15] https://usa.kaspersky.com/about/press-releases/2022_kaspersky-uncovers-third-known-firmware-bootkit 

[16] https://borncity.com/win/2020/10/06/mosaicregressor-wenn-malware-im-uefi-kommt/ 

About the Author

Paul F. Renda has spent over 30 years in information security. He has spoken at a number of above-ground and below-ground hacker conferences. He studied physics and math at Queens College and the University of Houston, and he has worked as a system administrator for IBM Z/OS and Linux systems. He was also recruited (recruited is a nice, friendly way to put it) by the FBI/NYPD Joint Terrorism Task Force to provide open-source high-impact information. The Russian Federation and the Department of Defense also wanted to become Paul’s friend. He declined the friendship overture from the Russian Federation.