Flashing BIOS/UEFI without loading BIOS/UEFI

Hello,

I have an Acer laptop that I suspect may have malware infected in its BIOS/UEFI firmware. It certainly appears to have been hacked somehow, and since I have not taken care to secure physically the machine when away from it, I believe that I can't rule out the possibility of malware being in the BIOS/UEFI firmware.

I don't want to turn on the machine in its present state, as if there is malware in the BIOS/UEFI firmware, this would pose a security risk (since the BIOS/UEFI is the first thing to run). So firmware flashing utilities that require an OS to be running, or even just the BIOS/UEFI to have been initially run, appear to be useless so long as the BIOS/UEFI firmware is in its current state.

What I effectively want to do is treat the laptop as though it has been 'bricked' at the BIOS/UEFI firmware level, and then from that starting point, to reinstall the firmware.

Reading on the internet, it appears there is a chance that I might be able to reinstall the firmware without running the present BIOS/UEFI (that could have malware in its firmware) by using something known as a BIOS Recovery jumper. USB devices for flashing and reprogramming BIOS/UEFI firmware also look as though they might be useful for my circumstances.

------------------------------------------------------------------------

Can anyone at all help with this? I also need to know of a secure site from which I can download any required files.

Thanks,

Edited the content to hide personal information

Laptop spec.:Acer Extensa 2511 laptop

Accepted answers

All comments

MarkJFernandes

billsey said:

Yeah, Intel AX201 WiFi 6/Bluetooth 5.0 IIRC. The issue with rewriting both the CMOS and EFI sections is the signing needed for them to show as valid. MS assigns those to tested loads so it's very unlikely that a bad guy will get it right. The work around for that is for the bad guy to disable that functionality in their version and basically replace everything with the custom version. Needless to say a lot of that requires knowledge of the hardware involved, so a version for each model type. It's always possible that someone could do that, ut as I was saying before it's very unlikely for someone to do it unless there's a big potential for gain at the other end. Malware isn't typically created just to see it spread, it's created in order to bring some type of gain for the creator. That might be access to private data for resale, such as credit card info and passwords, access to the hardware in order to form a portion of a botnet, so they can extort funds from website owners, or encryption of data to extort fund from the machine owner. Each of those require some threshold of potential return on investment to offset the effort used in creating the malware package. For something as targeted and detailed as you are describing there would have to be a significant return... Now you might have a large enough net worth or have access to sensitive enough data, but if so you'd be more likely to junk this system and get a new one than to be trying to fix it yourself. I think it much more likely to have been infected with a typical key logger/remote access malware package in the OS than a BIOS attack.
Which antivirus are you running? Have you tried running a scan with an alternate such as Malwarebytes?

Hello billsey, thanks for your insights.

I was running Norton Security. Previously, I think I recall using Malwarebytes. I'm not switching the computer on with the system drive attached because of the chance of malware being in the BIOS/UEFI.

Ideally, I would junk this system, but I'm on too much of a tight budget at the moment. Plus, it is worthwhile to learn how to render such an insecure system secure, just in case I need to do the same again, as well as to help co-workers in regard to securing their systems.

Regarding your analysis of the cost-to-benefit aspect of hacking, I agree with it in part. However, you must take into account the re-usability of attacks. When you say you need to know about the hardware, I'm presuming you mean that you need to know about the BIOS hardware. Given that BIOS hardware is repeated over many computers, such attacks can be highly reusable. Whilst there may not be an advantage in putting in the work to construct the attack just for me, the effort can be made for all the targets in one go, and then to attack me specifically doesn't cost much. There is also the aspect of corruption to consider, in the sense that GCHQ or the CIA may develop the attacks simply because they have the time and money, and then due to corruption, the attacks are leaked out to criminal organisations (such as may happen during the collapse of an empire)—the initial work to develop the attack was never tied to attacking me personally, but ultimately it leads to attacking me personally. One final thing to consider, is that we probably mostly don't have information about many successful attacks. Even if an organisation discovered that they had been attacked, they may feel compelled to cover it up as it can make them look bad.

It's also worthwhile acknowledging that the engineering and science know-how for constructing such attacks is being taught and can also be learnt through self-study of free resources, in poorer under-developed economies (such as in India, which in fact is well known for its corruption). Therefore, it may not be as costly as you are making it out to be.

Thanks,

Edited the content to hide personal information

JackE

If it were mine with your concerns, I'd simply unplug HDD and coax from the wifi card. Then access the BIOS menu cuz I'd first want to take a look at it and poke around the firmware. Then go from there. Jack E/NJ

MarkJFernandes

JackE said:

Please post a phone shot of the BIOS Main & Boot tabs without the HDD if possible. Jack E/NJ

As requested, see phone shots below:

Thanks,

Edited the content to hide personal information

JackE

OK. As long as you're in there, please post phone shots of Info & Security tabs & if available Advanced tab. Press Ctrl+S in each tab just in case their are hidden options buried in there. Jack E/NJ

MarkJFernandes

JackE said:

OK. As long as you're in there, please post phone shots of Info & Security tabs & if available Advanced tab. Press Ctrl+S in each tab just in case their are hidden options buried in there. Jack E/NJ

As requested, see photos below:

Image: https://us.v-cdn.net/6029997/uploads/editor/uk/07rifjzz7dyy.jpg

Image: https://us.v-cdn.net/6029997/uploads/editor/u8/dvjo6g1hcxb5.jpg

There were no hidden options and no Advanced tab.

Thanks,

Edited the content to hide sensitive and personal information

MarkJFernandes

Just been reading about flashing BIOS/UEFI firmware on the internet. It seems that I could probably do what I wanted if there were a JTAG port on the motherboard. Been looking at photos, and looks like there isn't one.

Does anyone know for sure?

Thanks,

Edited the content to hide personal information

MarkJFernandes

Found some BIOS/UEFI information regarding the Extensa 2511G model here. Unfortunately, my model is the one without the 'G' on the end, so this information probably does not fully apply to my laptop.

Was wondering whether maybe some of it does apply though, like the vendor perhaps also being "Insyde Corp." Anyone know?

Thanks,

Edited the content to hide personal information

JackE

BIOS is identical for the G model. The G only signifies a discrete graphics adapter is soldered to the mainboard in addition to the 2511's CPU integrated graphics adapter.

I see nothing that even remotely hints that the firmware has been compromised from the phone shots. Especially from the information tab. It would likely show some weirdness in the SNID & UUID and model descriptors which I don't see.

Trying to flash the BIOS outside of the Windows environment from a minidos bootable USB stick with the BIOS firmware binary carries an even greater risk of adverse side effects or worse--- bricking the machine. It rarely works reliably. It also requires that the BIOS binary be extracted from the Windows v1.31 executable, not always possible. If it were mine, and I was as worried as you seem to be over the firmware being compromised, I would spend ~$100 plus shipping both ways without the HDD to have ACER service re-do the BIOS firmware from scratch. The risk is just too great for essentially disabling the mainboard. Jack E/NJ

Image: https://us.v-cdn.net/6029997/uploads/editor/50/4uo5fhslemd6.jpg

MarkJFernandes

JackE said:

...
I see nothing that even remotely hints that the firmware has been compromised from the phone shots. Especially from the information tab. It would likely show some weirdness in the SNID & UUID and model descriptors which I don't see.
...

Hello JackE,

Thanks for looking into this (sorry about the delay in responding).

You've written that some weirdness in the SNID & UUID and model descriptors would likely be shown in the case that the firmware had been compromised. Whilst not saying this is untrue, is it possible for you to link to some web-page or site at which I could substantiate your claim? Otherwise, could you cite some book I could read for such substantiation? I would have thought that hoax firmware could just reproduce the genuine field values but maybe I'm wrong about this...

Thanks,

Edited the content to hide personal information

JackE

Sure it's possible. But I've already recommended a course of action that I think would best convince yourself that the firmware is clean. Jack E/NJ

aajm

billsey said:

UEFI is essentially a two part BIOS. There's the loader in CMOS that does POST and then tests and loads the EFI portion of UEFI and there's the EFI part that tests the CMOS side and then finishes hardware initialization and starts the OS load. The EFI part is on the drive and can not be loaded if the drive isn't there. The CMOS part is baked into the chipset and only rewritten as part of a EEPROM flash during BIOS updates. One of the things that the EFI does as part is it's startup is to verify the CMOS side of things is still what it's supposed to be. Though it's theoretically possible for malware to rewrite the CMOS to bypass the security checks on the EFI part that would be a big step up in sophistication on the part of the malware writers. Anything that sophisticated is more likely to be a government sponsored package that a bad actor going after even commercial targets. In pretty much all cases they can't rewrite the CMOS part in such a way that the EFI part is also overwritten, and that's the only way malware is going to be loaded before the OS comes up.

Hi Billsey, I believe my computer is hacked on the firmware level too. I've used norton and malware bytes but both didn't pick any issues up. I even disconnected my wifi card and still my computer was somehow being messed around with. There is no financial benefits to gain from the bad actor except for the psychological stress induced. My question is if there is a way to reflash the UEFI BIOS? Because when I try to install it with the Insyde software provided by acer it says that I already have Insyde v1.16 installed on my computer. I have an acer Aspire A515-52.

billsey

Yes, it's pretty easy to rebuild the EFI on the disk, using a correctly signed image. The Insyde portion is the BIOS side of things, and they do something like a checksum when testing to see if it's the same as what's trying to be written, so if yours has somehow been corrupted or modified it would show as newer or older or just plain different. I highly suspect that your firmware is still valid and correct.

What kind of symptoms are you seeing that make you think there's a bad actor active?

MarkJFernandes

billsey said:

Yes, it's pretty easy to rebuild the EFI on the disk, using a correctly signed image. The Insyde portion is the BIOS side of things, and they do something like a checksum when testing to see if it's the same as what's trying to be written, so if yours has somehow been corrupted or modified it would show as newer or older or just plain different. I highly suspect that your firmware is still valid and correct.
What kind of symptoms are you seeing that make you think there's a bad actor active?

Hello billsey,

Read your exchange with aajm. I have a question about the re-installing of the BIOS firmware. You probably don't know the answer to it because you probably have never experienced the situation, but anyway, do you know whether, if I un-solder the firmware chips so as to install blank chips (perhaps with a chip socket), it is fairly straight-forward to reinstall the firmware with a BIOS image downloaded over the internet? Because you were talking about updates with aajm, thought that perhaps you could overcome the problem if the chips were just blank at the beginning of the process.... I'm seriously considering doing something like this, but perhaps I may have to install an open-source BIOS firmware like Coreboot instead (which actually could be better for security in the end).

Thanks,

Edited the content to hide personal information

billsey

The issue, I believe, with flashing from scratch like that is I don't know if any of the BIOS update files are actual chip images, or if the update software reads in binary or compressed images and writes the data from there. To do it with a chip programmer you'd really want bit by bit images of the ROM. If you were going to go a route where you unsoldered the chips you would likely want to program the new ones before soldering them in...

StevenGen

MarkJFernandes said:

Hello,

I have an Acer laptop that I suspect may have malware infected in its BIOS/UEFI firmware. It certainly appears to have been hacked somehow, and since I have not taken care to secure physically the machine when away from it, I believe that I can't rule out the possibility of malware being in the BIOS/UEFI firmware.

I don't want to turn on the machine in its present state, as if there is malware in the BIOS/UEFI firmware, this would pose a security risk (since the BIOS/UEFI is the first thing to run). So firmware flashing utilities that require an OS to be running, or even just the BIOS/UEFI to have been initially run, appear to be useless so long as the BIOS/UEFI firmware is in its current state.

What I effectively want to do is treat the laptop as though it has been 'bricked' at the BIOS/UEFI firmware level, and then from that starting point, to reinstall the firmware.

Reading on the internet, it appears there is a chance that I might be able to reinstall the firmware without running the present BIOS/UEFI (that could have malware in its firmware) by using something known as a BIOS Recovery jumper. USB devices for flashing and reprogramming BIOS/UEFI firmware also look as though they might be useful for my circumstances.

------------------------------------------------------------------------
Can anyone at all help with this? I also need to know of a secure site from which I can download any required files.

Thanks,

Edited the content to hide personal information

Laptop spec.:Acer Extensa 2511 laptop

You can’t have it both ways, you can’t fix a problem if you are not prepared to turn your computer on and with and as you think? BIOS malware is a matter of and to delete the BIOS files and folders: using your file explorer, browse to each file and folder listed in the Folders and Files sections.

Note: The paths use certain special folders (conventions) such as [%PROGRAM_FILES%]. Please note that these conventions are dependent on Windows Version / Language. These conventions are explained here “How to Remove BIOS from Your Computer” here: https://www.exterminate-it.com/malpedia/remove-bios be carefulas doing anything with the BIOS as it cam and will brick your computer and this should be tackled by an experienced technician and/or a person that has extensive experience in BIOS modding and repair, I've got experience in changing BIOS chips and in editing BIOS commands and reflashing but, I take no responsibility to “How to Remove BIOS from Your Computer” from this guide, good luck.

MarkJFernandes

StevenGen said:

MarkJFernandes said:

Hello,
....

I don't want to turn on the machine in its present state, as if there is malware in the BIOS/UEFI firmware, this would pose a security risk (since the BIOS/UEFI is the first thing to run). So firmware flashing utilities that require an OS to be running, or even just the BIOS/UEFI to have been initially run, appear to be useless so long as the BIOS/UEFI firmware is in its current state.

...

Laptop spec.:Acer Extensa 2511 laptop

You can’t have it both ways, you can’t fix a problem if you are not prepared to turn your computer on and with and as you think? ...

I currently have the impression that USB programmers can be used to reprogram BIOS EEPROM firmware chips without the computer needing to be turned on.

Using a USB programmer could have been the way forward. But I realised that all the different firmware chips in the system could potentially have malware back-doors (such as perhaps for the graphics card and for the HDD).

My current thinking is that with a few security precautions, I can safely use the laptop so long as it isn't networked and not otherwise in communication with other devices. I decided that removing the Bluetooth+WiFi card (as JackE instructed to do) was sufficient for ensuring this.

If you want to see some of the ideas behind this security approach, you can read the notes I wrote on the subject here.

Thanks

MF

Quick Links

Top Members

Weekly

Puraw 270

StevenGen 115

poooooooooop69 60

GR08 57

GAMING6698 45

Swift Series Intel^® Evo™

Game Pass

Acer Corner

Gaming on Chromebook

Swift Series Intel® Evo™

Game Pass

Acer Corner

Gaming on Chromebook

Swift Series Intel^® Evo™