CyberCX’s cyber security experts have recently unveiled a way to consistently bypass the BIOS lock on older Lenovo laptops, raising serious security concerns for users.
One of the executives at the company elaborated on a simple method using a regular screwdriver to connect specific pins on an EEPROM (Electrically Erasable Programmable Read-Only Memory) chip, allowing users to gain unrestricted entry into the BIOS.
After that, a quick analysis of the BIOS settings screen was needed to deactivate any BIOS password.
Moreover, the BIOS password bypass demonstrations conducted by CyberCX were done on several Lenovo laptops that were no longer actively used.
It has been discovered that these laptops’ BIOS has a vulnerability due to the EEPROM being separate from the primary BIOS chip.
Lenovo laptop motherboards use an 8-Pin TSSOP (Thin Shrink Small Outline Package) for the EEPROM.
Security analysts can distinguish various SOP, TSSOP, and TMSOP-8 packages by carefully observing each chip on the laptop motherboard.
The EEPROM communicates via the Inter-Integrated Circuit (I2C or I²C) protocol.
Researchers used this information on a Lenovo laptop to identify the BIOS EEPROM.
They then proceeded with an attack targeting the pins mentioned below to exploit or disrupt the communication:-
Here below, we have mentioned the laptop models that the security researchers used in this analysis:-
The following sequence of actions should be performed to accomplish a successful attack on the BIOS password of a Lenovo L440 laptop:-
The Lenovo L440 had three chips that partially met the package and pinout criteria experts were interested in.
To quickly identify if the chip is eligible, experts searched for the following two things:-
By inspecting chips that appear promising on the mainboard and researching their series numbers, it is eventually possible to pinpoint the correct EEPROM to target.
For the ThinkPad L440, the chip is typically labeled as L08-1 X, although this may not always be right.
By placing a screwdriver tip between two of the chip’s legs, you can easily short the pins of the L08-1 X chip.
The experts powered on the laptop and used an advanced method known as the “elite” technique.
This technique involves forcefully bridging the SCL and SDA pins with a small screwdriver to create a short circuit, which enables them to gain access to the BIOS.
Next, the primary task is to connect the SCL and SDA pins to an oscilloscope.
Observing the communication between the BIOS and the EEPROM during the booting process becomes possible once the appropriate pins are connected to the oscilloscope.
Data transmission can begin only when the bus is available and not in use. In the “Bus not Busy” condition, both the data and clock lines stay high.
Under the start and stop mechanism, the following things will happen in sequence:-
At this point, the BIOS needs a start signal. Otherwise, the laptop won’t start. That is why it is not possible to directly connect the pins before starting up the computer.
It is important to note that when reading the oscilloscope, the yellow line represents SCL (Clock), and the purple line represents SDA (Data).
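As an added illustration (not code from CyberCX or the original article), the sketch below decodes the start, data and stop conditions from sampled SCL/SDA levels and flags a trace in which the two lines never differ, which is what a bridged bus looks like. The trace is constructed, and the function names and byte values are assumptions.

```python
# Added example: classify I2C bus conditions in a sampled SCL/SDA trace.
# All traces here are constructed for illustration, not real captures.

def make_trace(data):
    """Build constructed (scl, sda) samples for one write transaction."""
    t = [(1, 1), (1, 0), (0, 0)]            # bus idle, START, clock goes low
    for byte in data:
        for i in range(7, -1, -1):          # MSB first
            b = (byte >> i) & 1
            t += [(0, b), (1, b), (0, b)]   # SDA changes only while SCL is low
        t += [(0, 0), (1, 0), (0, 0)]       # receiver pulls SDA low: ACK
    return t + [(0, 0), (1, 0), (1, 1)]     # STOP, bus idle again

def decode(samples):
    """Return START/STOP markers and (byte, 'ACK'|'NAK') tuples."""
    events, bits, active = [], [], False
    prev_scl, prev_sda = samples[0]
    for scl, sda in samples[1:]:
        if prev_scl and scl:                # SCL held high across both samples
            if prev_sda and not sda:        # SDA falls -> START
                events.append("START")
                bits, active = [], True
            elif not prev_sda and sda:      # SDA rises -> STOP
                events.append("STOP")
                active = False
        elif active and not prev_scl and scl:   # SCL rising edge: sample SDA
            bits.append(sda)
            if len(bits) == 9:              # 8 data bits plus the ACK bit
                byte = int("".join(map(str, bits[:8])), 2)
                events.append((byte, "ACK" if bits[8] == 0 else "NAK"))
                bits = []
        prev_scl, prev_sda = scl, sda
    return events

def lines_bridged(samples):
    """True if the clock toggles but SDA never differs from SCL."""
    toggles = sum(a[0] != b[0] for a, b in zip(samples, samples[1:]))
    return toggles > 0 and all(scl == sda for scl, sda in samples)

def bridge(samples):
    """Open-drain lines tied together both read as the AND of the two."""
    return [(s & d, s & d) for s, d in samples]

if __name__ == "__main__":
    normal = make_trace([0xA0, 0x10])       # constructed byte values
    print(decode(normal), lines_bridged(normal))
    shorted = bridge(normal)
    print(decode(shorted), lines_bridged(shorted))
```

With the lines tied together, SDA can never fall or rise while SCL stays high, so the decoder sees no start or stop condition at all.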
Additionally, contributing to the intricacy, certain BIOS variations incorporate the TPM or utilize encryption or hashing algorithms to secure the BIOS password.
Reading the data from the EEPROM is now entirely possible, and the bypass currently functions.
First of all, this entire process requires complete physical access, and it potentially requires at least a few hours.
But, here below, we have mentioned some preventive measures that the experts offer:-
Implementing the above-mentioned preventive measures will help you secure your old laptop.
This requires conducting a chip-off attack to intercept the communication similarly.