BIOS and BIOS Extension Security and Mitigation

What is BIOS security? Why enable it? What else can be done to protect publicly accessible machines and take home company laptops?

A frequently overlooked topic in computer and network security is hardening BIOS access. Numerous resources focus on Operating System level access: administrator accounts, account group levels, firewalls, etc. But all of this can be bypassed if someone has access to the system BIOS, which gives an attacker unrestricted access to the base-level configuration of the hardware, all before the Operating System is even loaded. The BIOS can usually be reached by anyone with the physical ability to force a computer restart (for example, by holding the power button).

With BIOS access, the user can change many hardware and networking settings that can be particularly damaging. They can change the boot order and settings to allow booting from a USB drive, which can be used to boot into a live Operating System such as Kali Linux. The user can also change settings for peripheral devices connected to the machine and for network interface cards.

This is why a BIOS password should be implemented on all machines that can physically be accessed.

But we must not stop there. One issue in particular that is making headlines this week involves a threat against most corporate laptops running Intel hardware. The reason this one is particularly worth noting is that a BIOS password alone will not mitigate this attack.

The issue exploits Intel’s Advanced Management Technology (AMT) BIOS extension. This is a hardware-based remote management tool that gives IT staff remote access to company laptops. The function connects to the remote management server at boot. Since this happens before the Operating System starts, no amount of OS-level encryption or security will mitigate this attack. However strong the BIOS password on the system may be, access to the AMT extension is independent of it.

Many companies deploy this while leaving the default credentials as ‘admin.’ An attacker with momentary physical access to the machine can force a restart and hold Ctrl+P to access the menu. After logging in with ‘admin,’ they can program AMT to connect to their own server instead of the company’s remote server. In a matter of minutes, they have set themselves up with remote administrator access to the company laptop.
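The first defensive step against the scenario above is knowing which of your own machines have AMT enabled at all, since a provisioned AMT engine answers on its own web interface regardless of the OS or BIOS password. The following inventory check is an added example, not code from the original post; it assumes the AMT web interface listens on TCP 16992/16993 and identifies itself with a `Server: Intel(R) Active Management Technology <version>` header and an HTTP Digest challenge, and the sample replies are constructed so the fingerprinting runs offline.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Assumption: the AMT web UI (ports 16992/16993) names itself in the Server header and
# answers unauthenticated requests with a Digest challenge; these patterns are ours.
SERVER_RE = re.compile(r"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]*)", re.I | re.M)
REALM_RE = re.compile(r'realm="([^"]*)"', re.I)

@dataclass
class AmtFinding:
    host: str
    port: int
    amt_present: bool
    version: Optional[str] = None
    realm: Optional[str] = None

def fingerprint_amt(host: str, port: int, raw_response: bytes) -> AmtFinding:
    """Classify one raw HTTP response as AMT or not; no credentials are sent or needed."""
    head = raw_response.decode("latin-1", "replace").split("\r\n\r\n", 1)[0]
    m = SERVER_RE.search(head)
    if not m:
        return AmtFinding(host, port, False)
    realm = REALM_RE.search(head)
    return AmtFinding(host, port, True, m.group(1) or None, realm.group(1) if realm else None)

def probe_amt(host: str, port: int = 16992, timeout: float = 3.0) -> AmtFinding:
    """Send a single unauthenticated GET to a host in your own inventory and fingerprint it."""
    request = f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while chunk := sock.recv(4096):
                data += chunk
    except OSError:  # closed port, timeout, or unreachable host: no AMT listener
        return AmtFinding(host, port, False)
    return fingerprint_amt(host, port, data)

# Constructed sample replies for offline use: an AMT-style 401 and an ordinary web server.
SAMPLE_AMT_REPLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
    b'WWW-Authenticate: Digest realm="Digest:7C3F0000000000000000000000000000", '
    b'nonce="AAAAAAAAAAAAAAAAAAAAAA==", stale="false", qop="auth"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER_REPLY = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"
```

A host that returns the AMT banner is provisioned and should be on the list of machines whose management credentials and remote server setting get verified; one that refuses the connection has AMT disabled or unprovisioned.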

Stories like this remind us to constantly review our security practices and not get “tunnel vision” looking only at the practices we are already implementing. While focusing on obvious threats and implementing network security and Operating System level security, we need to remember the physical hardware security of any publicly accessible devices, including “take home devices” used by company employees.
