Security Researchers Discover BIOS Password Bypass On Lenovo Laptops
If you’ve ever run into an issue with your BIOS, whether you dialed in a bad overclock or tweaked some settings you shouldn’t have, you might have had to reset it. Some motherboards are designed with this in mind, offering a physical button you can press to reset or flash back the BIOS. If that is not the case, you would have to get into the setup menu and reset the settings there, or pull the coin-cell battery and wait a bit for the settings to clear. Even that is not foolproof, especially if what you need to reset is a BIOS password you inconveniently forgot, or one you never knew because you inherited the device with it already set.
Funnily enough, the researchers and IT folks over at CyberCX ran into this latter problem and tried pulling the battery. Sadly, this did not work: the password turned out to be saved to non-volatile memory, so it was retained even with the power removed. Thankfully, an older class of attack provided inspiration. If the firmware's communication with the chip holding the password can be intercepted or interrupted, the BIOS never gets a password to check against and may simply let you through. Note that this does not erase the chip. Classic Erasable Programmable Read-Only Memory (EPROM) had to be wiped with ultraviolet light, while the Electrically Erasable PROM (EEPROM) found in modern devices is erased and rewritten electrically, but the trick here is to disturb the read at boot time, not to erase anything.
After tearing down the locked-out Lenovo laptops, the researchers found the EEPROM to tinker with. As with older exploits, you can just “[jam] a small screwdriver across the SCL and SDA pins to short them until entering the BIOS.” SCL and SDA are the clock and data lines of the I2C bus the EEPROM hangs off, so shorting them makes the firmware's read of the password fail, and the firmware then behaves as though no password had been configured. Of course, the password is still stored on the chip, so once you are in the setup menu you have to clear or change it, but this process gets you in the door.
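To make the failure mode concrete, here is an added example (not code from CyberCX or Lenovo; the EEPROM layout, offsets and policy names are assumptions) that models a setup-password check backed by an external I2C EEPROM. The vulnerable policy treats a failed bus read the same as "no password set", which is exactly what the screwdriver short exploits. The hardened policy fails closed on a bus error and keeps the fact that a password was enrolled in firmware-internal storage, so a fault on the external bus cannot make the password disappear.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a firmware setup-password check backed by an external I2C EEPROM.
 * Constructed for illustration only; not Lenovo firmware, and the layout is invented. */

#define EEPROM_SIZE 256
#define PW_OFFSET   0x10      /* assumed location of the password record */
#define PW_MAXLEN   8

typedef struct {
    uint8_t mem[EEPROM_SIZE];
    bool bus_shorted;         /* SCL shorted to SDA: no start condition or ACK possible */
} i2c_eeprom_t;

/* State kept in the firmware's own flash, i.e. not reachable over the I2C bus. */
typedef struct {
    bool password_enrolled;   /* set when a password was configured through setup */
} fw_nv_t;

/* One byte read over the bus. On a shorted bus the transaction never ACKs. */
static int eeprom_read(const i2c_eeprom_t *dev, uint8_t addr, uint8_t *out) {
    if (dev->bus_shorted) return -1;
    *out = dev->mem[addr];
    return 0;
}

typedef enum { PW_NONE, PW_SET, PW_READ_FAILED } pw_state_t;

/* Copy the stored password into buf; 0x00 or 0xFF (erased cell) ends the record. */
static pw_state_t load_password(const i2c_eeprom_t *dev, char *buf, size_t buflen) {
    size_t i;
    for (i = 0; i + 1 < buflen && i < PW_MAXLEN; i++) {
        uint8_t b;
        if (eeprom_read(dev, (uint8_t)(PW_OFFSET + i), &b) != 0) return PW_READ_FAILED;
        if (b == 0x00 || b == 0xFF) break;
        buf[i] = (char)b;
    }
    buf[i] = '\0';
    return i == 0 ? PW_NONE : PW_SET;
}

/* Constant-time comparison (length aside) so timing does not help guessing. */
static bool ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Vulnerable policy: only "a password was read and it differs" denies entry.
 * A shorted bus yields PW_READ_FAILED, which falls open. That is the bypass. */
bool vulnerable_allow_setup(const i2c_eeprom_t *dev, const char *entered) {
    char stored[PW_MAXLEN + 1];
    pw_state_t st = load_password(dev, stored, sizeof stored);
    if (st != PW_SET) return true;
    return ct_equal(stored, entered);
}

/* Hardened policy: a read failure is a fault, not "no password", and the
 * enrolment flag in firmware-internal NV catches an erased or swapped EEPROM. */
bool hardened_allow_setup(const i2c_eeprom_t *dev, const fw_nv_t *nv, const char *entered) {
    char stored[PW_MAXLEN + 1];
    pw_state_t st = load_password(dev, stored, sizeof stored);
    if (st == PW_READ_FAILED) return false;                    /* fail closed */
    if (nv->password_enrolled && st == PW_NONE) return false;  /* record vanished */
    if (!nv->password_enrolled && st == PW_NONE) return true;  /* genuinely unset */
    return ct_equal(stored, entered);
}

/* Provision a device with a password (empty string = none enrolled). */
void provision(i2c_eeprom_t *dev, fw_nv_t *nv, const char *pw) {
    memset(dev->mem, 0xFF, sizeof dev->mem);
    dev->bus_shorted = false;
    size_t n = strlen(pw);
    if (n > PW_MAXLEN) n = PW_MAXLEN;
    memcpy(&dev->mem[PW_OFFSET], pw, n);
    nv->password_enrolled = n > 0;
}

int main(void) {
    i2c_eeprom_t dev;
    fw_nv_t nv;
    provision(&dev, &nv, "s3cret");
    printf("normal bus, wrong password:  vulnerable=%d hardened=%d\n",
           vulnerable_allow_setup(&dev, "guess"), hardened_allow_setup(&dev, &nv, "guess"));
    dev.bus_shorted = true;   /* screwdriver across SCL and SDA during boot */
    printf("shorted bus, empty password: vulnerable=%d hardened=%d\n",
           vulnerable_allow_setup(&dev, ""), hardened_allow_setup(&dev, &nv, ""));
    dev.bus_shorted = false;  /* short removed: the password is still on the chip */
    printf("short removed, correct pw:   vulnerable=%d hardened=%d\n",
           vulnerable_allow_setup(&dev, "s3cret"), hardened_allow_setup(&dev, &nv, "s3cret"));
    return 0;
}
```

The third run shows why the article says the password "would still be stored": removing the short restores the bus and the original password is intact, so the attacker clears it from the setup menu rather than from the chip.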
In addition, though the researchers here specifically targeted Lenovo machines, this crude hack is not tied to Lenovo. It should work on any laptop whose firmware keeps the password on a separate I2C EEPROM and treats a failed read as "no password set", which is a common design rather than a Lenovo-specific one.
While not everyone will have to run through this process, anyone could follow the tutorial if they run into a BIOS password issue, whether they buy a second-hand laptop or have one passed down at work. We wouldn't fuss about this too much from a security perspective, either. Once a bad actor has physical access to your device, it is usually game over already anyway. The practical takeaway is that a BIOS or supervisor password only stops casual changes to setup options such as the boot order; it does nothing for the data on the drive. If what you care about is the data, rely on full-disk encryption rather than a firmware password, and treat a machine that has been opened up by someone else as potentially tampered with.