46

I'm looking into ways of hardening a computer's security. One of the things is the BIOS.

Does adding a password to the BIOS prevent malware from infecting it?

I have seen this article: Protecting the BIOS from malware but it doesn't mention about passwords.

Any information on this is greatly appreciated.

user148283
  • Many, many years ago I had a short program written in QBASIC that reset the BIOS password from the command prompt. I don't think the security has improved much since then, although it's possible that UEFI provides some magic. – pjc50 Mar 06 '17 at 09:49
  • BIOS passwords do protect against one sort of malware. The sort which is installed by a person with physical access to the computer, by booting off a CDROM or memory stick. (One might also regard network sniffers booted off CDROM or USB as malware ... certainly hostile! ) – nigel222 Mar 08 '17 at 12:22

4 Answers

60

Absolutely not. The BIOS password is only an authentication mechanism presented when the system boots or when a manual change to the configuration is made during boot. Malware which overwrites the BIOS typically does so by writing over SPI, the interface which the BIOS resides on. If malware gets enough privileges to write to SPI, and your BIOS does not set the proper lock bits that deny access to this interface at runtime, then it is game over. The contents of your BIOS flash chip can be modified completely, including the contents which execute the password authenticating code.

The only two ways to ensure malware cannot overwrite the BIOS are either to:

  1. Have a BIOS which properly sets all the lock bits at boot, and the only way to make sure of that is to use the chipsec framework and understand the results it gives

  2. Use a system which supports BootGuard, an Intel feature in some newer CPUs which causes the chipset to verify the BIOS itself before loading it, ensuring that it can only boot from a BIOS signed with an OEM signing key. This should prevent malicious BIOSes from running (as well as 3rd-party, open-source BIOSes like Coreboot and Libreboot).

forest
guest
  • I certainly doubt that `chipsec` is the **only** way. Also, UEFI/BIOS don't *reside on* SPI, SPI is simply a popular interface for flash memory access. And SPI is not a single instance, modern PCs have several SPI interfaces, including those normally accessible by the user (SD card reader for example). – Dmitry Grigoryev Mar 06 '17 at 15:54
  • You could use a ROM BIOS for example. – OrangeDog Mar 06 '17 at 16:56
  • "ensuring that it can only boot from a BIOS signed with an OEM signing key" - until the OEM's private key gets leaked, and the chipset's verification code is likely baked in to their firmware, so once that's out you cannot trust your computer ever again. – Dai Mar 06 '17 at 18:54
  • The verification code is in the chipset, and the public key for the signing key is burnt into the PCH. But you're right, it can be leaked or stolen, so BootGuard is absolutely not a silver bullet. – guest Mar 06 '17 at 23:04
  • So what is the plan for open source BIOSes? – bright-star Mar 07 '17 at 06:16
  • @bright-star: probably use systems with disabled BootGuard (and hope no viruses bother infecting it...) or maybe try to get a shim bootloader signed, similar to [UEFI shim](https://github.com/rhinstaller/shim). – Igor Skochinsky Mar 07 '17 at 13:26
  • Using a PBA (pre-boot-authentication) image on a self-encrypting drive is a much better solution than a BIOS password. Since the PBA image is booted *after* BIOS, would it negate the effect of a malicious BIOS? – Caleb Reister Apr 05 '17 at 17:44
  • No. A malicious BIOS could still compromise a system with pre-boot authentication. All it has to do is keep executing code that does "evil stuff"(tm), and wait until you put in your password. Once you do that, all the data is unencrypted, as far as the system is concerned. – anon Sep 11 '17 at 08:21
  • @anon You can use a TPM to provide measured boot, which can provide tamper evidence of all the system's firmware and configuration. – forest Dec 13 '17 at 06:08
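The accepted answer says the lock bits are what matter and that `chipsec` is how you verify them. As an added illustration (not the answer's code and not chipsec's own implementation), the script below applies the same decision logic to constructed register values: BIOS_CNTL must have BLE set, BIOSWE clear and SMM_BWP set, or else SPI protected-range (PRx) registers must write-protect the whole BIOS region. The bit positions assume the BIOS_CNTL and PRx layouts of Intel series PCHs with 13-bit base/limit fields; check them against your board's datasheet.

```python
# Added example: the checks a BIOS write-protection audit (like chipsec's
# common.bios_wp module) performs on chipset registers. All register values
# fed to these functions in the tests are constructed samples, not hardware reads.
from dataclasses import dataclass

# BIOS_CNTL bit layout (assumed, Intel PCH): see datasheet for your chipset.
BIOSWE = 1 << 0   # BIOS Write Enable: flash is writable from the OS when set
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI instead
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only while in SMM


def bios_cntl_status(bios_cntl: int) -> str:
    """Classify BIOS_CNTL as 'protected', 'weak' (BLE without SMM_BWP) or 'open'."""
    if bios_cntl & BLE and not bios_cntl & BIOSWE:
        return "protected" if bios_cntl & SMM_BWP else "weak"
    return "open"


@dataclass
class ProtectedRange:
    """Decoded SPI PRx register (assumed layout: WPE bit 31, limit 28:16, base 12:0, 4 KiB units)."""
    base: int
    limit: int
    write_protected: bool

    @classmethod
    def decode(cls, pr: int) -> "ProtectedRange":
        base = (pr & 0x1FFF) << 12
        limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF  # limit field is inclusive
        return cls(base, limit, bool(pr & (1 << 31)))


def pr_covers(prs, bios_base: int, bios_limit: int) -> bool:
    """True if write-protected PR registers cover every byte of the BIOS region."""
    covered = bios_base  # first address not yet known to be protected
    for r in sorted((ProtectedRange.decode(p) for p in prs), key=lambda r: r.base):
        if r.write_protected and r.base <= covered <= r.limit:
            covered = r.limit + 1
    return covered > bios_limit


def bios_write_protected(bios_cntl: int, prs, bios_base: int, bios_limit: int) -> bool:
    """Overall verdict: either BIOS_CNTL locks writes or the PRs cover the region."""
    return bios_cntl_status(bios_cntl) == "protected" or pr_covers(prs, bios_base, bios_limit)
```

On a live machine the register values come from `chipsec_main -m common.bios_wp`, which reads them through its own chipset drivers; a status of "weak" or "open" means runtime malware with the right privileges can rewrite the flash regardless of any BIOS password.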
5

BIOS passwords offer absolutely no protection against viruses. It's just there to slow people down who are trying to use your computer without your permission. Most computers have a "bios password ignore" or "bios password reset" jumper somewhere, so it's not even that secure. Might slow someone down maybe 5 minutes.

The blanket recommendation is to get a good antivirus program and let it hog your cpu in the background. That's not what I do. The problem with antivirus programs is that they are generally no good for viruses that are not in their database. Likewise, when a new one comes out, several thousand people usually get infected until the antivirus people can update their database. Then don't get me started on mutating viruses.

The simplest thing to make it really hard for viruses to infect your computer is to create a user with limited privileges and use that, rather than admin. That way, if you get tricked into loading a virus, it doesn't have enough system privilege to do any real harm. Just don't let them con you into entering the admin password when you weren't really doing anything that would call for it.

DennisH
  • "Might slow someone down maybe 5 minutes." It's a lock to keep honest people honest. Also, depending on the environment, opening a computer (which could be locked additionally with... a lock!) can raise attention at a different level than somebody appearing to just use the computer. – rackandboneman Mar 06 '17 at 17:22
  • @rackandboneman I find it amusing when people spend $300+ on a nice front door lock while there is a thin sheet of glass right next to the door. – Mathemats Mar 07 '17 at 04:53
  • Oh, all that matters is what the insurance mandates in these cases? – rackandboneman Mar 07 '17 at 08:55
  • BIOS passwords *do* protect against malware ... of the type which might be installed by an untrustworthy employee with physical access to the hardware in question, by booting off a CD or USB stick to modify the hard drive. – nigel222 Mar 08 '17 at 12:19
2

The short answer is no. Setting a password on the BIOS will protect your computer from physical access (though that could possibly be bypassed as well).

To protect against malware infection I suggest two things:

  1. Install an Anti-Virus and keep it up to date

  2. Setup a backup solution to backup your data daily (This will help you to quickly recover in case you had an infection that your AV couldn't prevent)

Mico
0

Any mechanism (e.g. mainboard jumpers on certain platforms, jumper-controlled Dual BIOS...) that would be capable, when enabled, of making a Windows or DOS-based BIOS update tool either fail or fail to have an irreversible effect will help. Anything else will not.

rackandboneman