InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity July 2009
Tech Focus
Managing BIOS Security effectively
BIOS passwords help us to protect desktop and notebook computers from unauthorized access. Unfortunately, BIOS passwords can also be a liability if a user forgets the password, or changes the password to intentionally lock out the corporate IT department. This article helps users understand the usage of BIOS passwords and also the concept of unlocking them.

Security is always only as strong as its weakest link. While many guidelines exist to secure various operating systems, there are considerably fewer options available for securing the low-level components of a PC, although these can equally be compromised in order to obtain full control over a machine. For your desktop and notebook computers, BIOS passwords can add an extra layer of security. They are used either to prevent a user from changing the BIOS settings or to prevent the computer from booting without a password.

BIOS Layout

The motherboard inside every PC would not do anything if there were not a special program that takes control after the PC is switched on. This program is called the BIOS (Basic Input/Output System). On practically all systems, access to the BIOS configuration utility (the setup program) can be controlled by a BIOS password. Once this password is set, the configuration of the computer cannot be changed without knowledge of this password. On almost all systems the BIOS password information is stored in the CMOS RAM (Complementary Metal-Oxide Semiconductor Random Access Memory).

Important tasks of the BIOS are to perform a power-up test of hardware components and memory, to initialize hardware and finally to search for an operating system that can be booted. To do so it loads the first sector of the hard disk into memory, performs a short validity check and executes the code contained in this block. Depending on the type of operating system there may be further steps involved, but essentially this code loads the operating system and passes control to it.

Not every computer manufacturer develops its own BIOS. Usually they buy the BIOS from specialized companies such as AMI, AWARD or PHOENIX. The consequence is that there are not as many different BIOS types out there as one might believe.

Accessing the BIOS

If the monitor is on when your computer is first turned on, you will see your BIOS in action (unless the computer's manufacturer has decided to have the BIOS display the company's logo instead). At the bottom or top of the screen you may see instructions such as "Press DEL to access setup." If you press the keys given in the instructions, you will see a screen with a DOS-like interface. This is the first screen of your computer's BIOS program.

Depending on the computer and BIOS manufacturer, the keystrokes needed to access the BIOS setup will vary. They are almost always F2, F10, or the DEL key. You should consult the computer manual for specific instructions on accessing and using the BIOS setup.

The Threats

Initially the BIOS takes control of the system and selects which operating system is started. For this purpose it maintains a parameter, usually called the boot order, which determines whether the operating system will be loaded from the hard disk, from CD-ROM or, in some cases, from the network.

If an attacker succeeds in changing this parameter so that software provided by him is executed rather than the installed operating system, there is no other way left to protect the system from being compromised. The carefully designed secure standard build, with its restricted permissions, registry keys and refined password policy, will not help in such a case.

Typically an attacker would boot the system from a selected media that contains software to either change the system’s administrator or root password, to extract password information for an offline password attack or to directly access data on the hard disk. The attacker might also install backdoors or Trojans in order to be able to access the system again later or to further extend access to other systems.

This is feasible for any machine, including servers and workstations. It should be noted, however, that this attack requires physical access to the computer. Assuming adequate physical protection of servers, this means that workstations are particularly exposed. How many organizations have a policy to lock all doors during absence? How tight is physical building security in reality? What about insiders?

One might think that protection of workstations is not too important; maybe one compromised workstation does not matter too much. Wrong! A single workstation can be used as a launch pad for further attacks, and it is normally easy for the attacker to extend access:

  • Key logging programs will record passwords to the domain, servers and applications used on the compromised workstation.

  • Sniffing may be used to extract password information that is passing by on the same network segment.

So how can BIOS access control be bypassed? We assume of course that a password has been set in the first place and the boot order is correctly set! Basically we distinguish between four different methods:

  1. Use of backdoor passwords.

  2. Cracking the BIOS password.

  3. Deleting the contents of the CMOS RAM by software.

  4. Deleting the contents of the CMOS RAM by hardware.

In the following part we will discuss each of these possibilities in more detail.

Backdoor Passwords

It may be hard to believe, but many BIOS manufacturers built backdoor passwords into their products. Even worse, many of these passwords are easy to guess, such as the name of the BIOS manufacturer. Extensive lists of known backdoor passwords are available on the Internet and inside BIOS password software.

The following non-comprehensive list gives an idea of the BIOS passwords that can be used to bypass BIOS password protection on older computers.

Award-BIOS: 589589, 589721, Award, AWARD, AWARD SW, AWARD?SW, AWARD_PS, AWARD_PW, AWARD_SW, j256, j262, J256, J262, J64, q_l27&z, ALFAROME, BIOSTAR, BIOSSTAR, award.sw, award sw

AMI-BIOS: Ami, AMI, AMI_SW, AMI?SW, AMI SW, AMI?PW, A.M.I., oder, Oder, PASSWORD, amipswd, AMIPSWD, AMIAMI

Phoenix-BIOS: BIOS, CMOS, phoenix, PHOENIX

Others: aLLy, awkward, BIOSTAR, CONDO, HLT lkwpeter, lkw peter, LKWPETER, SER, setup, SKY_FOX, Sxyz, Syxz, SZYX, Wodj, merlin, Compaq, central, iwill, bell9, Toshiba, admin, BIOS, Dell, Posterie

Normally BIOS manufacturers assume the American keyboard layout. This has to be taken into account when entering BIOS passwords on international keyboards. For example, on a German or Italian keyboard AMI?SW has to be typed in order to be accepted by the BIOS as AMI_SW. BIOS passwords are normally case sensitive.

It seems, however, that on modern systems these known backdoor passwords work less and less often. Tests carried out on PCs with Award BIOSes from 1997 or later found that none of the well-known passwords worked, which is good news.

Cracking BIOS Passwords

Almost all BIOSes store their password information in the CMOS RAM. The days of storing BIOS passwords in clear text seem to be over; modern BIOSes store their passwords as hashes. Unfortunately these hashes are short and of low quality. Award, for example, calculates only a 16-bit hash, which means that there are numerous collisions: many different passwords will produce identical hash values.

This makes password cracking a relatively easy task. Cracking programs exist for all major BIOS manufacturers. Probably the most powerful programs are CmosPwd and BIOS, which support several platforms and algorithms.

Tests with both programs show that successfully cracking BIOS passwords is a matter of seconds, or minutes at most. BIOS also offers a brute-force option. During a test this function produced more than a thousand valid passwords for an Award BIOS that all yielded the given password hash in the CMOS RAM. With this program it is also possible to restrict brute forcing to digits only, which results in passwords that will work independently of the keyboard layout.
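Why a 16-bit hash yields "more than a thousand valid passwords" for one stored value is a matter of arithmetic, and the following added illustration (not code from the article, and not the real Award algorithm, whose details the article does not give) makes it concrete. It uses a stand-in 16-bit digest, the first two bytes of SHA-256, which is an assumption; the conclusion does not depend on which function is used, because with only 2^16 = 65536 possible values any candidate set larger than that must contain passwords that share a value (pigeonhole), and the birthday bound predicts collisions among a few hundred random passwords already.

```python
"""Collision density of a 16-bit password hash (added illustration).

The hash function below is a stand-in (truncated SHA-256), NOT Award's
algorithm. The candidate set is constructed: every 5-digit numeric string.
"""
import hashlib
import math
from collections import defaultdict

HASH_BITS = 16
HASH_SPACE = 2 ** HASH_BITS


def toy_hash16(password: str) -> int:
    """Stand-in 16-bit digest: first two bytes of SHA-256 (assumption)."""
    digest = hashlib.sha256(password.encode("ascii")).digest()
    return int.from_bytes(digest[:2], "big")


def bucket_by_hash(candidates):
    """Group candidate passwords by their 16-bit hash value."""
    buckets = defaultdict(list)
    for pw in candidates:
        buckets[toy_hash16(pw)].append(pw)
    return buckets


def collision_stats(candidates):
    """How many candidates share a hash value with at least one other."""
    buckets = bucket_by_hash(candidates)
    colliding = sum(len(v) for v in buckets.values() if len(v) > 1)
    return {
        "candidates": len(candidates),
        "distinct_hashes": len(buckets),
        "colliding_passwords": colliding,
        "largest_bucket": max(len(v) for v in buckets.values()),
    }


def pigeonhole_surplus(n_candidates: int, bits: int = HASH_BITS) -> int:
    """Number of candidates that MUST collide with an earlier one, whatever
    the hash function: anything beyond the 2**bits distinct values."""
    return max(0, n_candidates - 2 ** bits)


def birthday_collision_probability(n_candidates: int, bits: int = HASH_BITS) -> float:
    """Probability that at least two of n random inputs collide in a
    2**bits space (standard birthday approximation)."""
    return 1.0 - math.exp(-n_candidates * (n_candidates - 1) / (2.0 * 2 ** bits))


if __name__ == "__main__":
    # Constructed candidate set: all 100000 five-digit PINs.
    pins = [f"{i:05d}" for i in range(100000)]
    stats = collision_stats(pins)
    print(stats)
    print("guaranteed surplus:", pigeonhole_surplus(len(pins)))
    print("P(collision) among 300 random passwords: %.2f"
          % birthday_collision_probability(300))
```

The `largest_bucket` figure is the interesting one for a defender: every password in that bucket unlocks the machine, so the effective strength of the BIOS password is bounded by the hash width, not by the password's length or character set.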

It has to be noted that a password cracking attack requires that the attacker has already gained access to the machine, in order to run the cracking program, which then reads the contents of the CMOS RAM. This is a mitigating factor, but it is also where the problem of commonality comes into play: it is very difficult to manage a good company-wide password policy for BIOS passwords. Therefore chances are that many machines will share the same BIOS password and that this password is never changed on a given PC. It takes only one single workstation, to which the attacker manages to gain temporary access by any method, to break the defences of a large number of stations.

Erasing CMOS RAM by Software

If the methods explained above do not work, an attacker will probably try to erase the contents of the CMOS RAM. On most systems this step will delete all BIOS settings, including the BIOS passwords, and will reset the values to a factory preset. All that needs to be done then is to enter the BIOS configuration utility after a reboot and to set the boot order to boot from a diskette with tools for changing or removing the operating system's password. Erasing the CMOS can be achieved with a few simple commands in the DOS tool DEBUG:

debug
o 70, 2E
o 71, 0
q

Slightly different variants of these commands also exist, as found e.g. in, but the principle always remains the same: these commands write to the I/O ports 70 and 71 (hexadecimal), through which the contents of the CMOS RAM are accessed, in order to invalidate its checksum. This causes the computer to reset the CMOS RAM to default values, with no password set, at the next reboot. For those who do not want to deal with DEBUG, dedicated tools for this purpose are also freely available on the Internet. Again, to delete the contents of the CMOS RAM by software, an attacker must first have gained or been granted access to the computer.
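The checksum mechanism behind this behaviour, as an added illustration that is not code from the article: a Python model of a 128-byte CMOS image using the classic IBM PC/AT convention, in which the BIOS keeps a 16-bit sum of bytes 10h..2Dh at offsets 2Eh (high byte) and 2Fh (low byte). The "password set" marker at offset 1Ch, the equipment bytes and all sample values are assumptions constructed for the model; real vendor BIOSes extend or rearrange the map. Nothing here touches the I/O ports. The model only shows why a single write to index 2Eh makes the POST checksum test fail, and why the resulting fall-back to factory defaults is a recovery feature rather than a security control, which is exactly why a CMOS-stored password cannot survive local code execution.

```python
"""In-memory model of the classic PC/AT CMOS checksum (added illustration).

Offsets follow the classic IBM PC/AT convention; the 'password set' marker at
0x1C and the sample bytes are constructed assumptions, not a vendor's layout.
"""

CMOS_SIZE = 128
CHECKSUM_RANGE = range(0x10, 0x2E)      # bytes covered by the checksum
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F   # where the BIOS stores it
PASSWORD_MARKER = 0x1C                   # hypothetical offset for the model


def compute_checksum(image: bytearray) -> int:
    """16-bit sum of the configuration bytes, as POST recomputes it."""
    return sum(image[i] for i in CHECKSUM_RANGE) & 0xFFFF


def seal(image: bytearray) -> bytearray:
    """Store the checksum, as the setup utility does when settings are saved."""
    s = compute_checksum(image)
    image[CHECKSUM_HI] = s >> 8
    image[CHECKSUM_LO] = s & 0xFF
    return image


def checksum_ok(image: bytearray) -> bool:
    """The POST-time check: does the stored checksum match the bytes?"""
    stored = (image[CHECKSUM_HI] << 8) | image[CHECKSUM_LO]
    return stored == compute_checksum(image)


def post_settings(image: bytearray, factory_defaults: bytearray) -> bytearray:
    """What the BIOS runs with at boot: the stored image if it verifies,
    otherwise a freshly sealed copy of the factory defaults."""
    if checksum_ok(image):
        return bytearray(image)
    return seal(bytearray(factory_defaults))


def constructed_image() -> bytearray:
    """Constructed sample image with a non-zero password marker set."""
    img = bytearray(CMOS_SIZE)
    img[0x14] = 0xFF                 # hypothetical equipment/config bytes
    img[0x15] = 0x80
    img[PASSWORD_MARKER] = 0xA5      # 'a password is set' in this model
    return seal(img)


# Factory defaults for the model: all zeros, no password marker.
FACTORY = seal(bytearray(CMOS_SIZE))


def simulate_index_write(image: bytearray, index: int, value: int) -> bytearray:
    """Model the effect of writing one CMOS byte (returns a modified copy)."""
    img = bytearray(image)
    img[index] = value & 0xFF
    return img


if __name__ == "__main__":
    img = constructed_image()
    print("sealed image verifies:", checksum_ok(img))
    tampered = simulate_index_write(img, CHECKSUM_HI, 0)
    print("after overwriting 0x2E:", checksum_ok(tampered))
    print("marker after POST fall-back:", post_settings(tampered, FACTORY)[PASSWORD_MARKER])
```

The lesson for a defender is in `post_settings`: a failed checksum is treated as corruption to be repaired, not as tampering to be refused, so the integrity check protects availability of the machine and nothing else. Only denying local code execution (boot order, physical security) keeps the password in place.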

Erasing CMOS RAM by Hardware

If an attacker does not have the possibility to run a program on the target machine, he has another option: open the computer's case, access the motherboard and erase the CMOS RAM by hardware. Most motherboards have a jumper for exactly that purpose, which is usually located close to the clock chip and bears a name such as CLRTC, Clear CMOS or PWRD. Normally the procedure to follow is described in the motherboard's manual. Depending on the hardware this may involve short-circuiting the jumper for a few seconds, or setting a jumper and briefly switching on the computer.

If a motherboard does not offer such a jumper, an option is to remove the backup battery for the CMOS RAM chip, which may require unsoldering it. The battery must be kept disconnected for an hour or longer in order to erase the contents of the chip, including the password settings. Finally there is the method of short-circuiting specific pins on the clock chip itself. This is of course dependent on the chip used on the motherboard.

Steps to Reset BIOS Password

There comes a time in every System Administrator's life when s/he forgets a password. Forgetting a BIOS password means one of two things: either you won't be able to access the BIOS Setup program any longer to make changes, or worse - you will not be able to boot the PC.

Fortunately, computer manufacturers have given us a way out. All it takes is a little fortitude. Here's how to do it:

  1. Find the computer manual. Note: Save time, and leave your ego at your desk. Find the manual and take it with you!

  2. Collect an anti-static wrist strap and a screwdriver, and head for the computer in question. An anti-static wrist strap is a clever device that painlessly grounds you while you are working on the bowels of the computer. If you are not grounded, a single spark of static electricity could ruin the computer. You can also ground yourself by touching a piece of metal before beginning, but erring on the side of caution and using a wrist strap is best.

  3. Open the computer, and ground yourself using the anti-static wrist strap.

  4. Using the manual for reference, locate the method for resetting the BIOS. This can be done in either of two ways.
    i) Locate the computer's CMOS battery and remove it. It sometimes takes a surprising amount of pull to dislodge it; some also have small metal clips holding them in place that need to be slid out of the way first.
    ii) Some computers don't have a CMOS battery. Their BIOS is reset by moving a jumper (a little piece of plastic that makes a connection between two pieces of metal sticking out from the motherboard) from one position to another and then booting the computer. After the computer is booted this way, the BIOS is reset, but you must remember to move the jumper back to its original location.

  5. Boot the computer, and run the BIOS Setup program.

  6. Reset the password, and this time, remember the password instead of going through all the above steps again!

Other Possibilities

For some specific computers further methods of bypassing the BIOS password exist. Listed below are some of the ways in which BIOS passwords can be compromised. For security reasons, the listed methods are applicable only to older computers and not to the latest types.

  • Some Toshiba notebooks reset the BIOS password when a special key diskette is in the floppy drive during start-up.

  • Some Toshiba notebooks remove the BIOS password when a special loopback device is connected to the parallel port during start-up.

  • If the PC has at least one ISA slot, an extension card with an EPROM containing a CMOS erasing routine can be inserted. This routine would then be executed as BIOS extension at the next reboot and erase the CMOS RAM.

  • If the computer does not enforce a reboot after a certain number of failed authentication attempts, BIOS passwords could also be brute-forced by a second computer connected to the keyboard port, simulating a keyboard that enters passwords. The collision of hashes for different passwords, due to the short hash values used, makes this faster than it would otherwise be.

  • Some (probably old) BIOSes skip the password check if either a specific key is pressed during boot (candidates could be Left-Shift, Ins, Del, F1) or both mouse buttons are held down at the same time during boot.

Finally, why should an attacker bother to crack the BIOS if he can gain physical access to the interior of a computer? In this case he might just remove the hard disk altogether, connect it as a secondary disk to his own computer (with the BIOS set to auto-detect) and access all data on the disk, including password hashes.

Countermeasures

Now that we understand what attackers could do, let us discuss the countermeasures that can be applied in a corporate environment.

  • BIOS passwords shall be used on every computer in an organization in order to protect access to the BIOS configuration utility. In a corporate environment it may be unrealistic to have different BIOS passwords for every computer and to regularly change these passwords on all systems, but as a minimum the BIOS passwords assigned to new machines during installation shall be changed regularly. A possible scheme could be to change the password assigned to newly installed machines every quarter. If the inventory records the installation time of every computer and a history of BIOS passwords is kept in a secured list, it will always be possible to determine the correct password for a given computer.

  • BIOS passwords used for critical systems shall be different from those used on less critical and less protected systems.

  • All computers shall be set to only boot from their hard drives.

Of course this still cannot guarantee perfect security, but if implemented, these measures will reduce the probability of a compromise through the BIOS considerably.
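The quarterly scheme and the separation of critical from standard systems can be made checkable. The following is an added example, not the article's or any vendor's code. It assumes an inventory that records each machine's hostname, ISO installation date and criticality tier, and a secured password history keyed by (tier, quarter) whose entries hold only a reference to where the secret lives (constructed `vault://` placeholders) plus a fingerprint (e.g. a salted hash of the password, constructed labels here) so that reuse can be audited without exposing the password itself. `lookup_bios_password_ref` resolves the entry that applied when a machine was installed; `audit_policy` enforces the two rules stated above: tiers never share a password, and the password issued to new machines changes every quarter.

```python
"""Quarterly BIOS-password bookkeeping (added example, constructed data).

Field names, the vault references and the fingerprints are assumptions made
for this illustration; the history never stores the password text.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Machine:
    """One inventory record (hypothetical fields)."""
    hostname: str
    installed: str   # ISO date, e.g. "2009-07-15"
    tier: str        # "critical" or "standard"


@dataclass(frozen=True)
class Entry:
    """One line of the secured history: secret location plus a fingerprint."""
    ref: str
    fingerprint: str


def quarter_of(iso_date: str) -> str:
    """Rotation period label for a date, e.g. '2009-07-15' -> '2009Q3'."""
    d = date.fromisoformat(iso_date)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


# Constructed history keyed by (tier, quarter); vault paths are placeholders.
PASSWORD_HISTORY = {
    ("standard", "2009Q1"): Entry("vault://bios/standard/2009Q1", "fp-s1"),
    ("standard", "2009Q2"): Entry("vault://bios/standard/2009Q2", "fp-s2"),
    ("standard", "2009Q3"): Entry("vault://bios/standard/2009Q3", "fp-s3"),
    ("critical", "2009Q1"): Entry("vault://bios/critical/2009Q1", "fp-c1"),
    ("critical", "2009Q2"): Entry("vault://bios/critical/2009Q2", "fp-c2"),
    ("critical", "2009Q3"): Entry("vault://bios/critical/2009Q3", "fp-c3"),
}


def lookup_bios_password_ref(machine: Machine, history=PASSWORD_HISTORY) -> Entry:
    """The password issued in the quarter the machine was installed is the one
    it still carries (the scheme rotates only what new machines receive)."""
    key = (machine.tier, quarter_of(machine.installed))
    if key not in history:
        raise LookupError(f"no BIOS password recorded for {key}: "
                          "inventory and history disagree")
    return history[key]


def audit_policy(history) -> list:
    """Check the two countermeasure rules; returns a list of violations."""
    problems = []
    # Rule 1: critical systems never share a password with standard ones.
    by_quarter = {}
    for (tier, quarter), entry in history.items():
        by_quarter.setdefault(quarter, {})[tier] = entry.fingerprint
    for quarter, fps in sorted(by_quarter.items()):
        if len(set(fps.values())) < len(fps):
            problems.append(f"{quarter}: tiers share a BIOS password")
    # Rule 2: the password issued to new machines changes every quarter.
    for tier in sorted({t for t, _ in history}):
        quarters = sorted(q for t, q in history if t == tier)
        for prev, cur in zip(quarters, quarters[1:]):
            if history[(tier, prev)].fingerprint == history[(tier, cur)].fingerprint:
                problems.append(f"{tier}: password not rotated between {prev} and {cur}")
    return problems


if __name__ == "__main__":
    ws = Machine("ws-0042", "2009-07-15", "standard")
    print(ws.hostname, "->", lookup_bios_password_ref(ws).ref)
    print("violations:", audit_policy(PASSWORD_HISTORY))
```

Keeping fingerprints rather than passwords in the history is the design choice worth noting: the audit can run from a read-only copy, and a leaked history does not hand out the passwords themselves.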

A Brief Conclusion

BIOS security must be taken seriously. As a principle, security is always only as strong as the weakest link. If the BIOS is not secured properly, it is not only this single machine and the data it holds that is at risk, but actually the complete network. Countermeasures can largely mitigate the risk, although total elimination is impossible.

DISCLAIMER

This article is intended for IT Professionals and systems administrators with experience servicing computer hardware. It is not intended for home users, hackers, or computer thieves attempting to crack the password on a stolen PC. Please do not attempt any of these procedures if you are unfamiliar with computer hardware and advanced system BIOS functions. Please use this information responsibly. Fanatic Media is not responsible for the use or misuse of this article, including loss of data, damage to hardware, or personal loss.

—By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specializing in Software Security. He has an active interest in designing security algorithms for securing software. He can be reached at infosecurity@fanaticmedia.com

© 2006-07 'InfoSecurity' magazine. All rights reserved.