Researchers Bypassed BIOS Password on Lenovo Laptops

CyberCX’s cyber security experts have recently unveiled a way to consistently bypass the BIOS password on older Lenovo laptops, raising serious security concerns for users.

One of the executives at the company elaborated on a simple method using a regular screwdriver to connect specific pins on an EEPROM (Electrically Erasable Programmable Read-Only Memory) chip, allowing users to gain unrestricted entry into the BIOS.

After that, a quick analysis of the BIOS settings screen was needed to deactivate any BIOS password.

Moreover, the BIOS password bypass demonstrations conducted by CyberCX were done on several Lenovo laptops that were no longer actively used.

BIOS Password Bypass

It has been discovered that these laptops’ BIOS has a vulnerability due to the EEPROM being separate from the primary BIOS chip.

Lenovo laptop motherboards use an 8-Pin TSSOP (Thin Shrink Small Outline Package) for the EEPROM.

Security analysts can distinguish various SOP, TSSOP, and TMSOP-8 packages by carefully observing each chip on the laptop motherboard.

The EEPROM communicates over the Inter-Integrated Circuit (I2C or I²C) protocol.

Researchers used this information on a Lenovo laptop to identify the BIOS EEPROM.

They then targeted the following pins to disrupt the communication:-

  • Serial Clock (SCL) pins
  • Serial Data (SDA) pins

The security researchers used the following laptop models in this analysis:-

  • Lenovo ThinkPad L440 (launched Q4 2013)
  • Lenovo ThinkPad X230 (launched Q3 2012)

The following sequence of actions should be performed to accomplish a successful attack on the BIOS password of a Lenovo L440 laptop:-

  • Locate the correct EEPROM chip. 
  • Locate the SCL and SDA pins. 
  • Short the SCL and SDA pins at the right time. 

The Lenovo L440 had three chips that partially met the package and pinout criteria experts were interested in.

To quickly identify if the chip is eligible, experts searched for the following two things:-

  • The serial number
  • The word EEPROM

By inspecting the promising chips on the mainboard and researching their serial numbers, it is eventually possible to pinpoint the correct EEPROM.

For the ThinkPad L440, the chip is typically labeled as L08-1 X, although this may not always be right.

By placing a screwdriver tip between two of the chip’s legs, you can easily short the pins of the L08-1 X chip.

The experts powered on the laptop and used an advanced method known as the “elite” technique.

This technique involves forcefully bridging the SCL and SDA pins with a small screwdriver to create a short circuit, which enabled them to gain access to the BIOS.

Next, the primary task is to connect the SCL and SDA pins to an oscilloscope.

Observing the communication between the BIOS and the EEPROM during the booting process becomes possible once the appropriate pins are connected to the oscilloscope.

Data transmission can start only when the bus is available and not in use. In the “Bus not Busy” condition, both the data and clock lines stay high.

Under the start and stop mechanism, the following things will happen in sequence:-

  • BIOS would perform a start command.
  • Send the data.
  • Lastly, send a stop signal to signify the end of a communication.

At this point, the BIOS needs a start signal. Otherwise, the laptop won’t start. That is why it is not possible to directly connect the pins before starting up the computer.

It is important to note that when reading the oscilloscope, the yellow line represents SCL (Clock), and the purple line represents SDA (Data). 
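The start, data and stop sequence described above can be seen by decoding sampled SCL and SDA levels. The following is an added example, not code from CyberCX or the original article; the traces are constructed sample data, and `make_trace`, `bridge` and `decode` are hypothetical helper names.

```python
# Added illustration: decode START / data / STOP from sampled I2C lines.
# All traces are constructed sample data, not a capture from a real laptop.

def make_trace(byte, ack=True):
    """Build constructed (scl, sda) samples: idle, START, 8 bits + ACK, STOP."""
    scl, sda = [1, 1], [1, 1]              # bus not busy: both lines high
    scl += [1, 0]; sda += [0, 0]           # START: SDA falls while SCL is high
    bits = [(byte >> i) & 1 for i in range(7, -1, -1)] + [0 if ack else 1]
    for b in bits:                         # SDA only changes while SCL is low
        scl += [0, 1, 0]; sda += [b, b, b]
    scl += [0, 1, 1]; sda += [0, 0, 1]     # STOP: SDA rises while SCL is high
    return scl, sda

def bridge(scl, sda):
    """Model both open-drain lines tied together: each reads the wired-AND."""
    tied = [c & d for c, d in zip(scl, sda)]
    return tied, tied

def decode(scl, sda):
    """Return events: 'START', ('BYTE', value, acked), 'STOP'."""
    events, bits, active = [], [], False
    for i in range(1, len(scl)):
        if scl[i - 1] == 1 and scl[i] == 1:            # SCL held high
            if sda[i - 1] == 1 and sda[i] == 0:
                events.append("START"); bits, active = [], True
            elif sda[i - 1] == 0 and sda[i] == 1:
                events.append("STOP"); active = False
        elif active and scl[i - 1] == 0 and scl[i] == 1:  # rising clock edge
            bits.append(sda[i])                        # sample one bit
            if len(bits) == 9:                         # 8 data bits + ACK bit
                value = int("".join(map(str, bits[:8])), 2)
                events.append(("BYTE", value, bits[8] == 0))
                bits = []
    return events

if __name__ == "__main__":
    scl, sda = make_trace(0xA0)            # constructed byte value
    print(decode(scl, sda))                # normal transfer
    print(decode(*bridge(scl, sda)))       # identical lines: no START is seen
```

With the two lines carrying the same level, SDA can never change while SCL stays high, so the decoder sees no START or STOP condition at all.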

Adding to the complexity, certain BIOS variations incorporate the TPM or use encryption or hashing algorithms to secure the BIOS password.

Reading the data from the EEPROM is now entirely possible, and the bypass currently functions.

Prevention For Lenovo Laptops

First of all, this entire process requires complete physical access, and it potentially requires at least a few hours.

But, here below, we have mentioned some preventive measures that the experts offer:-

  • Make sure to perform full disk encryption with a Passphrase and TPM.
  • To increase the difficulty, manufacturers may consider integrating the BIOS and EEPROM packages into a single SMD (Surface Mount Device).

Integrating the packages in this way would require an attacker to conduct a chip-off attack to intercept the communication in a similar way.

Implementing the above-mentioned preventive measures will help you secure your old laptop.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.