BIOS Security Settings?

['0194358'019438'0194328'01943]

Hello,

does a BIOS password (against BIOS changes), gives a higher system security, or it is more like a security fake and could be easily bypassed?

Should I switch the IME off?

Kind Regards

[Grzesiek Chodzicki]

Usually, the BIOS password can be reset by using a jumper on the motherboard, a dedicated button, or by removing the CMOS battery so it's trivial to bypass. However if one day you notice that the password is gone or that it has changed, that's a good indicator that somebody accessed your pc.

[Nicklaus McClendon]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

In Lenovo Thinkpads (mentioning as they tend to be popular for Qubes)
however, the supervisor BIOS password is stored in an EEPROM chip and
cannot be bypassed without digital analysis of the chip itself. So,
more secure against a standard attacker, but by no means secure
against a dedicated one.

- --
kulinacs <nick...@kulinacs.com>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEPL+ie5e8l/3OecVUuXLc0JPgMlYFAlhW4x4ACgkQuXLc0JPg
MlYAeRAApBziRvsaUCGsWbUetc8Z0wEAHhoQrOYU9GdO5/FyRU0QtALMDBcjv/6z
sYc5udhPn9lJoR9Ak65e+BRcR0zjWZ/jrkhan1GSvBV1B+Wma0jUyrLeVImq/gDj
Bn3ZxPsDCWhX5kClAFAa1f+ckUgY8s+ksgpHC4aui/FcJGGBUO7P1KpC3US4MO8+
pBj2E0Aw5pcUqiqfk7MoKpaaGh16IzOyhm5EWkT2xOFTayQJPuMUec1F92N/8ikU
SrVeC0VCCeIDD3DHoeGHa+4fu1+nurmGbwgICwWHRGHqqtdCG+IalUhEMsSF2oa0
oV5IbpvtdevnrE6JSv1AmLMe5w4tUDRryP6MUsd8BQHUwTfxDI9Lxbd9ip1oS2Uh
fog2n7mxgkGqKfx5yY/kAiVWPYBoYp2gNy4K6XzYX0j7eZlHM36K5hQSH0C+FSu1
i/3OonmeBZ3PfOiF+GRw7tT6jq4lLxC0P2fkueiruHDX6hUjGs+qbhQbsjQWtufY
KtPbmo/vR7QWvne4rs2Vcz1b5qgpO4c69MD68Fy0ks+xsbAhZ/WeARfCPGpqHhFR
CMwvEzkWsf/nYnj0+AetiIkJB9dbCUdPeSiwxy1Q5tzgkQii5daRbY15v8igH73l
96fl7Mp96ERzMDEhC7fq2D1K0A7a3YEzQx7e+GiYhIezysy44/g=
=jsc7
-----END PGP SIGNATURE-----

[Tai...@gmx.com]

Some laptops such as dell latitudes/precisions have a "master recovery
password" that is generated from the current serial number of the laptop
(so do thinkpads)
"Cannot be bypassed" - well you could always clip on a eprom writer to
the chip correct? I assume then you could force it to spill.

Entering the password on a latitude/precision then resets the serial
number and you have to re-enter it, you're now thinking that you could
simply do this to make a code that no one knows however on the pre-boot
authentication screen it helpfully provides the current serial number.

BIOS passwords and PBA schemes are simply another layer in security,
ideally you would have both a password and a smart-card so somebody
can't simply do shoulder surfing password recovery and then be able to
steal your laptop. (Most business laptops have a contact-smart card reader).


Yes you should switch off ME, although "Disabled" means something
different to intel than it does to you and me - it isn't really off.
If you do that you will have to blacklist intel_ips kernel module to
prevent log spam of "ME Hung"

There is a project from some coreboot developers that is able to nerf
(not remove) ME from most systems (caution - may brick your mobo - do
not perform without an external eeprom flashing device) although of
course you're still stuck with the proprietary bios and FSP on anything
recent.

[Nicklaus McClendon]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I was unaware that the master recovery password existed for Thinkpads
and hadn't been able to find any sort of thing when I searched
previously, I'd be interested to see your source. The official Lenovo
help page suggests that it does not exist.
https://support.lenovo.com/us/en/documents/ht036206#super
You could clip on analysis tools, as I mentioned as "digital analysis
of the chip itself", perhaps analog analysis is more correct in this cas

e.

- --
kulinacs <nick...@kulinacs.com>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEPL+ie5e8l/3OecVUuXLc0JPgMlYFAlhW8ZAACgkQuXLc0JPg
MlZbnQ/9Eoc7DwTp66EaV+tOWNaCKvaP5C1x3N8ObSlvUMxn/Lphl3chrgA5yrbW
zwMhnZrBPjpzL4a7WHcAg/1tAOoo+zX1yQLXttO8TqAnnthJMgBdd0RA5fBCAccu
KAFrwqQB8y/7m1ZQtSzA+pd/JXuStqfI6Z8NXybU1BaOWq0/HMaJeplPj5ch6ZtV
4/vB7Ox9ot92QULLIbEKpBcmnBT9hSKdfSHI+LdBBZK25oYK7E8YuGe4EwPyqvYj
EFz/tKBEKAq+gvsTb7qj0L8ZyCHUSRF3YxXfTfltAaZFFcblywc3DOIEnz/Xi1un
mL/uMgb6ssqAwYUcm2CAUNIBMKhpSroPAi2J88kZq5u/ii7p50Ay+Hg8teXl1cpg
gloWsEIuFtda9O3qt7GEO/CftlX9s47PN/eZz+txZsVLucXjdKcoKy+NUUzClqzC
7RI4aOcddNzUP1Uk2Dvt/cnXuUBSq/+H5L96IhFhI6g6DzzDcZ1I6LOydOrys6bm
cWoUyvvnKEKfdxpEdTIY2aS1MtvJyqV2AZGRIDShQYwNv7v/kG1tCjD8xncUAdrF
RJ7Tvfiqsh4VQRsWmYsbuIVe8bH3s33Q3RMXEj7OXAgPWQy8QyDlwbf6/+Yhaei9
gpeDvwSq99+YyM0uQfWqW+NEIX0Xi1rlcUuIVLf+D/eGo0+qfys=
=nDod
-----END PGP SIGNATURE-----

[Tai...@gmx.com]

Hmm my mistake then (if we trust what superfish lenovo says)
I had recalled someone a few years back telling me that there was one.

BTW It seems there is a ready made tool for resets
http://www.ja.axxs.net/
neato.

[raah...@gmail.com]

it can be bypassed and yes I believe most oem machines have backdoors. I know a trick to bypass my dell desktop with a usb stick. afterwards the bios passwd still prompts. It still errors if you type wrong passwd and works if typing correct one. But if you leave it blank it passes lol

But I feel its still an extra layer of security, for a persistent and advanced attacker it might just mean 10 mins more of their time, but for someone else just being nosey, or if 15 mins is too long, it might mean not getting in at all. As an above poster noted too you could become aware of a change if it happens.

This topic makes me think of all the newly found exploits in grub passwords or some encryption password prompts like on ubuntu. I always feel they are there on purpose. Thinks like hitting backspace 20 times or holding enter down for some seconds. simples of the simplest backdoors going years and years unnoticed. It makes sense they would be undermined cause in so many irc chatrooms they are always being undermined. You are either considered a criminal for wanting measures like this, or naive for wanting something so trivial.

It basically depends on if it is too cumbersome for you to be bothered with or not.