Flashing BIOS/UEFI without loading BIOS/UEFI

MarkJFernandes

edited November 2023 in 2020 Archives
Hello,

I have an Acer laptop that I suspect may have malware infected in its BIOS/UEFI firmware. It certainly appears to have been hacked somehow, and since I have not taken care to secure physically the machine when away from it, I believe that I can't rule out the possibility of malware being in the BIOS/UEFI firmware.

I don't want to turn on the machine in its present state, as if there is malware in the BIOS/UEFI firmware, this would pose a security risk (since the BIOS/UEFI is the first thing to run). So firmware flashing utilities that require an OS to be running, or even just the BIOS/UEFI to have been initially run, appear to be useless so long as the BIOS/UEFI firmware is in its current state.

What I effectively want to do is treat the laptop as though it has been 'bricked' at the BIOS/UEFI firmware level, and then from that starting point, to reinstall the firmware.

Reading on the internet, it appears there is a chance that I might be able to reinstall the firmware without running the present BIOS/UEFI (that could have malware in its firmware) by using something known as a BIOS Recovery jumper. USB devices for flashing and reprogramming BIOS/UEFI firmware also look as though they might be useful for my circumstances.

------------------------------------------------------------------------
Can anyone at all help with this? I also need to know of a secure site from which I can download any required files.


Thanks,


Edited the content to hide personal information

Laptop spec.:Acer Extensa 2511 laptop
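The route the post is looking for (an SPI clip on the flash chip, read and written by an external programmer while the board stays unpowered) yields a raw image of the whole chip, and the natural next step is to compare that image with a known one rather than guess. The script below is an added example written for this page; it is not code from the thread, from Acer, or from any tool the thread names. It scans an image for UEFI firmware volumes (the `_FVH` header from the UEFI Platform Initialization spec), verifies each header checksum, hashes each volume, and reports which volumes differ between a dump and a reference image. The two sample images are constructed inside the script so it runs offline; the `flashrom` command in the docstring is real, but the `-p` programmer name depends on the adapter you own, and `dump.bin`/`reference.bin` are assumed file names. Two caveats a practitioner would want: NVRAM variable-store volumes legitimately differ from a factory image, so a "DIFFERENT" there is expected while code volumes should match; and a vendor update file usually carries only the BIOS region, not the descriptor and ME regions of the full chip, so offsets must be aligned before the comparison is meaningful (the script does no alignment). Secure Boot, which comes up later in the thread, verifies what the firmware launches, not the firmware image itself, which is why an external read is the only way to check the flash contents without running them.

```python
"""Compare an SPI flash dump against a reference UEFI image, volume by volume.

Added example, not code from the thread or from Acer. Assumes `dump.bin` was read
from the flash chip with an external programmer while the board was unpowered,
e.g.  flashrom -p ch341a_spi -r dump.bin  (real flashrom syntax; the -p programmer
name depends on your adapter), ideally twice with identical results, and that
`reference.bin` is a full-chip image of the same board. The sample images at the
bottom are constructed here so the script runs offline.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass

FV_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec), little-endian, 56 bytes:
# ZeroVector[16], FileSystemGuid[16], FvLength u64, Signature u32, Attributes u32,
# HeaderLength u16, Checksum u16, ExtHeaderOffset u16, Reserved u8, Revision u8
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)
SIGNATURE_OFFSET = 40


@dataclass
class FirmwareVolume:
    offset: int
    length: int
    checksum_ok: bool
    sha256: str


def checksum16(data: bytes) -> int:
    """Sum of little-endian 16-bit words mod 2**16; a valid FV header sums to 0."""
    if len(data) % 2:
        data += b"\0"
    return sum(struct.unpack(f"<{len(data) // 2}H", data)) & 0xFFFF


def find_volumes(image: bytes) -> list[FirmwareVolume]:
    """Locate every plausible firmware volume by its '_FVH' signature."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            fields = struct.unpack_from(FV_HEADER_FMT, image, start)
            fv_len, hdr_len = fields[2], fields[5]
            if FV_HEADER_SIZE <= hdr_len <= fv_len <= len(image) - start:
                header = image[start:start + hdr_len]
                body = image[start:start + fv_len]
                volumes.append(FirmwareVolume(
                    offset=start,
                    length=fv_len,
                    checksum_ok=checksum16(header) == 0,
                    sha256=hashlib.sha256(body).hexdigest(),
                ))
                pos = image.find(FV_SIGNATURE, start + fv_len)
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)
    return volumes


def compare_images(dump: bytes, reference: bytes) -> dict[int, str]:
    """Verdict per volume offset. Code volumes (PEI/DXE) should be 'same';
    NVRAM variable stores are expected to differ; a bad header checksum
    usually means an unstable read or a tampered header."""
    ref = {v.offset: v for v in find_volumes(reference)}
    report: dict[int, str] = {}
    for v in find_volumes(dump):
        r = ref.get(v.offset)
        if r is None:
            verdict = "not in reference"
        elif v.sha256 == r.sha256:
            verdict = "same"
        else:
            verdict = "DIFFERENT"
        if not v.checksum_ok:
            verdict += " (bad header checksum)"
        report[v.offset] = verdict
    for offset in ref.keys() - report.keys():
        report[offset] = "missing from dump"
    return report


# --- constructed sample data (not real Acer firmware) -------------------------
def build_volume(body: bytes) -> bytes:
    """Build a minimal valid FV: header, one block-map entry plus terminator, body."""
    hdr_len = FV_HEADER_SIZE + 16
    total = hdr_len + len(body)

    def header(csum: int) -> bytes:
        return struct.pack(FV_HEADER_FMT, b"\0" * 16, b"\0" * 16, total,
                           FV_SIGNATURE, 0x0004FEFF, hdr_len, csum, 0, 0, 2) \
            + struct.pack("<IIII", 1, total, 0, 0)

    csum = (-checksum16(header(0))) & 0xFFFF
    return header(csum) + body


REFERENCE_IMAGE = (b"\xff" * 64 + build_volume(b"PEI code " * 8)
                   + b"\xff" * 32 + build_volume(b"DXE code " * 16))
# One byte changed inside the second volume: what a tampered DXE driver looks like.
TAMPERED_DUMP = REFERENCE_IMAGE.replace(b"DXE code ", b"DXE code!", 1)


def load(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = compare_images(load(sys.argv[1]), load(sys.argv[2]))
    else:
        result = compare_images(TAMPERED_DUMP, REFERENCE_IMAGE)
    for offset, verdict in sorted(result.items()):
        print(f"FV at 0x{offset:08x}: {verdict}")
```

Run it with no arguments to see the constructed case (first volume "same", second "DIFFERENT"), or as `python fvdiff.py dump.bin reference.bin` against real files. A differing code volume is a reason to reflash with the external programmer; a differing variable store on its own is not.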


Answers

  • JackE
    >>>It certainly appears to have been hacked somehow,>>>I don't want to turn on the machine in its present state, as if there is malware in the BIOS/UEFI firmware>>>

    How did you determine it appears to have been hacked if you haven't wanted to turn it on in its present state? How do you know what its present state is? Can you access the BIOS menu with the F2 cold boot method? Jack E/NJ

  • MarkJFernandes

    edited July 2020
    JackE said:
    >>>It certainly appears to have been hacked somehow,>>>I don't want to turn on the machine in its present state, as if there is malware in the BIOS/UEFI firmware>>>

    How did you determine it appears to have been hacked if you haven't wanted to turn it on in its present state? How do you know what its present state is? Can you access the BIOS menu with the F2 cold boot method? Jack E/NJ


    The computer appeared to be remote-controlled whilst in Windows. I had suspected that that might be the case, but thought perhaps maybe I was just imagining it. Then one day, there was very clear evidence of it, and then I presumed from that point onwards that the computer had been hacked.

    If I can turn on the computer, and access the BIOS by pressing F2 (or some other key), that still doesn't rule out the possibility that malware is in the BIOS.


    Thanks.
  • JackE
    >>>The computer appeared to be remote-controlled whilst in Windows. >>>If I can turn on the computer, and access the BIOS by pressing F2 (or some other key), that still doesn't rule out the possibility that malware is in the BIOS.>>>

    True. But Windows isn't a concern right now. The lower level BIOS firmware is the concern. So can you access the BIOS menu with the F2 cold boot method? Jack E/NJ

  • MarkJFernandes

    edited September 2020
    JackE said:
    ...So can you access the BIOS menu with the F2 cold boot method? Jack E/NJ 

    I'm not switching the computer on because the BIOS/UEFI could have malware in it. That includes turning it on to access the BIOS menu as that would be triggering the potentially malware-infected BIOS.

    Kind regards,

  • JackE
    Shut the router off. Jack E/NJ

  • billsey
    Disconnect your drive. The UEFI BIOS can't load without the drive there, just the CMOS portion of the BIOS. If you have Secure Boot enabled the UEFI can't have been hacked since the image checks will fail. You can enable Secure boot from the BIOS menu without the drive being there. Also, if you boot from a Windows install image then attach the drive using a USB adapter you can wipe the drive completely and reinstall without ever loading the UEFI on it.
  • JackE
    I like that too @billsey . MarkJFernandes should be homefree now and free to explore the BIOS menu without fear.    :)   Jack E/NJ

  • MarkJFernandes

    edited September 2020
    billsey said:
    Disconnect your drive. The UEFI BIOS can't load without the drive there, just the CMOS portion of the BIOS. If you have Secure Boot enabled the UEFI can't have been hacked since the image checks will fail. You can enable Secure boot from the BIOS menu without the drive being there. Also, if you boot from a Windows install image then attach the drive using a USB adapter you can wipe the drive completely and reinstall without ever loading the UEFI on it.

    The UEFI/BIOS can load even without the drive connected. In fact, there isn't much of a link between the drive and the UEFI/BIOS.

    Reading about Secure Boot on Wikipedia (https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot), it seems that it only protects malware in the OS. Since I'm concerned about malware at the BIOS/UEFI firmware level, I don't see how it helps. But even if it did help, I have no idea whether Secure boot is enabled for the laptop.

    In summary, your suggestions mainly concentrate on malware on the internal drive, rather than in the BIOS/UEFI firmware—it is malware in this latter place about which I'm chiefly worried.


    Kind regards,

  • JackE
    Please post a phone shot of the BIOS Main & Boot tabs without the HDD if possible. Jack E/NJ

  • MarkJFernandes

    edited September 2020
    JackE said:
    Please post a phone shot of the BIOS Main & Boot tabs without the HDD if possible. Jack E/NJ

    Hello Jack,

    Unfortunately, I'd prefer not to switch on the computer even with the HDD disconnected, because of the potential of malware in the firmware. It's possible that my security credentials (such as passwords) have been copied over to the firmware, and that when I turn on the computer, using technologies such as WiFi or Bluetooth, the information will be stolen. I don't have control of my working environment. Not only do I share the space with people who are not in the same business, I also work in a semi-detached property within the reach of the WiFi signals of neighbours. Even if you do not ascribe bad intentions to any of the neighbouring individuals, clandestine 'repeater' technology, that enables the wireless transit of stolen data that is ultimately over long distances, may be present in the environment, without the occupants much knowing about it.

    If I'm able to construct a radio-frequency shield for my computer (which I've been investigating), then I would consider turning it on with the computer in the shield.

    Otherwise, I may decide to lower my security requirements as maybe the risk associated with turning on the computer with the HDD disconnected is not much.


    Thanks,

  • JackE
    Remove your RF card. Jack E/NJ

  • MarkJFernandes

    edited September 2020
    Yes, that might be possible, but unfortunately I suspect it may be integrated on the motherboard. The Acer support documentation for the laptop doesn't provide much detail about things like the motherboard chipset, etc. I've contacted Acer Support and I'm hoping they might provide me with more technical details on the laptop.

    I suppose I could physically open up the laptop and try to figure out whether the WiFi and Bluetooth card(s) can be removed. I've opened it up once before. It was a bit of trouble, but I managed to do it in the end for upgrading the RAM. Still, I would have thought such tech would be integrated on-board the motherboard because laptop internal physical space is normally at a premium.

    What do you advise in light of my thoughts?


    Thanks,
  • JackE
    What is the full ACER model number A51x-xx, AN5xx-xx, PH3-xxx? ACER makes hundreds of laptop models. Jack E/NJ

  • MarkJFernandes

    edited September 2020
    JackE said:
    What is the full ACER model number A51x-xx, AN5xx-xx, PH3-xxx? ACER makes hundreds of laptop models. Jack E/NJ


    Model Name: EX2511

    Part Number: NX.EF6EK.001


    Thanks,


  • JackE
    Wifi is removable m.2 card. Pull two antenna coax connectors off top of card. Remove screw holding card down to mainboard. Card will pop up. Pull it out of m.2 socket. Jack E/NJ

  • billsey
    UEFI is essentially a two part BIOS. There's the loader in CMOS that does POST and then tests and loads the EFI portion of UEFI, and there's the EFI part that tests the CMOS side and then finishes hardware initialization and starts the OS load. The EFI part is on the drive and can not be loaded if the drive isn't there. The CMOS part is baked into the chipset and only rewritten as part of an EEPROM flash during BIOS updates. One of the things that the EFI does as part of its startup is to verify the CMOS side of things is still what it's supposed to be. Though it's theoretically possible for malware to rewrite the CMOS to bypass the security checks on the EFI part, that would be a big step up in sophistication on the part of the malware writers. Anything that sophisticated is more likely to be a government sponsored package than a bad actor going after even commercial targets. In pretty much all cases they can't rewrite the CMOS part in such a way that the EFI part is also overwritten, and that's the only way malware is going to be loaded before the OS comes up.
  • MarkJFernandes

    edited September 2020
    billsey said:
    UEFI is essentially a two part BIOS. There's the loader in CMOS that does POST and then tests and loads the EFI portion of UEFI, and there's the EFI part that tests the CMOS side and then finishes hardware initialization and starts the OS load. The EFI part is on the drive and can not be loaded if the drive isn't there. The CMOS part is baked into the chipset and only rewritten as part of an EEPROM flash during BIOS updates. One of the things that the EFI does as part of its startup is to verify the CMOS side of things is still what it's supposed to be. Though it's theoretically possible for malware to rewrite the CMOS to bypass the security checks on the EFI part, that would be a big step up in sophistication on the part of the malware writers. Anything that sophisticated is more likely to be a government sponsored package than a bad actor going after even commercial targets. In pretty much all cases they can't rewrite the CMOS part in such a way that the EFI part is also overwritten, and that's the only way malware is going to be loaded before the OS comes up.

    Thanks for this detailed explanation as to the security mechanisms in place for UEFI.

    I've actually compiled a Wikibooks book on end-user computer security as a result of my security breach, and so what you have written is of even more interest to me in respect of the book.

    Some questions:
    1) You've written that CMOS rewriting combined with EFI rewriting on the same system, for the purposes of malware, is quite unlikely. Can you substantiate your claims? I would have thought that if you could rewrite the CMOS, then you could also rewrite the EFI on the disk, if not in a direct way, perhaps instead indirectly through the CMOS (i.e. the rewritten CMOS proceeds to rewrite the EFI before loading it).
    2) You've made a security analysis as to the likelihood of such attacks. Can you substantiate your beliefs? From where are you getting your information?
    3) I'm supposing that if I disconnected the disk drive, I would still be able to boot a live DVD. How would that then tally with what you are saying about EFI security checks? Surely there would be no EFI security checks in such a scenario?

    Finally, I ordered the laptop from a shop pre-installed with Windows, and never re-installed the OS or installed another OS. I don't recall the laptop being shrink-wrapped when I received it, so the suppliers may have infected malware in both the BIOS/UEFI firmware and any EFI on the disk before I even received it.


    Thanks,

  • MarkJFernandes

    edited September 2020
    JackE said:
    Wifi is removable m.2 card. Pull two antenna coax connectors off top of card. Remove screw holding card down to mainboard. Card will pop up. Pull it out of m.2 socket. Jack E/NJ

    Thanks, this is great news. I would also like to disconnect the Bluetooth technology from the system. Looking on the internet, it seems that maybe the Bluetooth technology is also on the WiFi card. Can you at all help with this?


    Thanks,


  • JackE
    Yep it's a WIFI+BT combo card. Jack E/NJ

  • billsey
    Yeah, Intel AX201 WiFi 6/Bluetooth 5.0 IIRC. The issue with rewriting both the CMOS and EFI sections is the signing needed for them to show as valid. MS assigns those to tested loads, so it's very unlikely that a bad guy will get it right. The work around for that is for the bad guy to disable that functionality in their version and basically replace everything with the custom version. Needless to say a lot of that requires knowledge of the hardware involved, so a version for each model type. It's always possible that someone could do that, but as I was saying before it's very unlikely for someone to do it unless there's a big potential for gain at the other end. Malware isn't typically created just to see it spread, it's created in order to bring some type of gain for the creator. That might be access to private data for resale, such as credit card info and passwords, access to the hardware in order to form a portion of a botnet, so they can extort funds from website owners, or encryption of data to extort funds from the machine owner. Each of those requires some threshold of potential return on investment to offset the effort used in creating the malware package. For something as targeted and detailed as you are describing there would have to be a significant return... Now you might have a large enough net worth or have access to sensitive enough data, but if so you'd be more likely to junk this system and get a new one than to be trying to fix it yourself. I think it much more likely to have been infected with a typical key logger/remote access malware package in the OS than a BIOS attack.
    Which antivirus are you running? Have you tried running a scan with an alternate such as Malwarebytes?