0

How feasible is it for an attacker with physical access to a Windows 10 machine to be able to extract the clear text of its UEFI 'system password'? (By which I mean the password requested by UEFI on initiating boot up.)

I understand that it is unlikely to be brute-force guessable in a practical time frame because after 3 failed guesses a system reboot is required. The question is about whether there are more sophisticated means of attack that would reveal its clear text. (Various sites, such as https://1024kb.co.nz/biosefi-password-cracking-update/ claim to be able to replace the password or to provide a master password; I am only interested in the clear text of the original password itself.)

I understand that the UEFI system password is stored in NVRAM. If an attacker went to the trouble of decapping the chip containing the password would it be recoverable?

To be clear, this is not something I am trying to do. I want to find out whether it is theoretically possible that someone could do it to me.

8
  • BIOS passwords are insecure. Only if they're used for some kind of encryption of an HDD/SSD could they be considered a serious measure, although I don't know of any such solution. There are plenty of answers regarding this, like this and this.
    – montonero
    Commented Apr 26, 2019 at 11:16
  • Thanks, but my question is about whether my UEFI password could be revealed. One of the links you kindly provided deals with approaches which either provide a 'master' password or override the existing password. The other mainly discusses Self Encrypting Drives, which are not relevant to my case.
    – Mike
    Commented Apr 26, 2019 at 11:28
  • I know that a BIOS/UEFI password is inadequate to protect a system, and that I should use other measures including, for example, BitLocker, and I do so. I am interested in the theoretical question about whether my UEFI password itself could be exposed.
    – Mike
    Commented Apr 26, 2019 at 11:30
  • Consider editing your question to more explicitly state you're asking if the password's clear text could be recovered by the attacker. Asking if it can be extracted doesn't fully convey this. Making your title ask that as well would help. Commented Apr 26, 2019 at 11:34
  • @Mike Well, if your main secret is the password itself then most probably nobody will care about extracting it. It's much easier to get access by other means. However, in the past there were utilities that could reveal the password for Award/AMI BIOSes; not sure if they still work.
    – montonero
    Commented Apr 26, 2019 at 11:35

1 Answer

0

Definitely. Maybe. It depends.

The actual answer will probably depend on whoever implemented the password protection code in the first place. It is entirely possible that every UEFI system uses a common code base, but it is also possible for every code base to be completely independently written, in which case there will be some truly secure motherboards and some "secure" motherboards.

It is possible that they could have simply stored your password as plain text in some area of firmware accessible storage or they could be storing a hashed and salted password using a secure cryptographic algorithm.

Which do you have? Who knows? Probably not even the company you bought the mobo from knows how badly written their code is without having some third party check it.

The thing is that security depends on how much you trust not only your people, but how much you trust the software and hardware you give them too.

If you are trusting your system to a UEFI password then you are essentially putting a padlock on a chain link fence. There are trivial ways around it by simply transplanting components to another system.

You can encrypt the disk, but again with sufficient ingenuity it might be possible to circumvent it with novel methods such as freezing memory sticks and transplanting them to other machines where memory is groped for passwords. This was in the news years ago as a potential vector of attack.

So it really depends what your goal is and how much you care about your data. If that particular password is truly that sensitive and important I'd be more worried about a dude hitting me with a wrench to get me to tell it to them directly than them decapping the chip to read it bit by bit.
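The two storage designs the answer contrasts (clear text in firmware storage versus a salted hash), together with the three-attempts-then-reboot lockout the question mentions, as an added toy model that is not part of the original post or any vendor's firmware. The store, variable names and PBKDF2 parameters are assumptions; `clear_text_in_dump` is the audit view of what a raw read-out of the variable store would contain.

```python
# Added illustration, not from the page or any firmware vendor: a toy NVRAM variable
# store holding a boot password either in clear text or as a salted hash, plus the
# three-attempt lockout the question mentions. Names and layout are assumptions.
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3          # failures allowed per boot, as the question describes
PBKDF2_ROUNDS = 100_000   # assumed work factor for the hashed design


class FirmwareStore:
    """Stand-in for NVRAM: a name -> bytes variable store with a per-boot counter."""
    def __init__(self):
        self.vars = {}
        self.failed = 0

    def reboot(self):
        self.failed = 0   # the counter is not persisted across boots

    def dump(self) -> bytes:
        # What a chip read-out would yield: every stored byte, concatenated.
        return b"".join(self.vars.values())


def set_password_plaintext(store, password):
    # Weak design: the clear text itself lands in firmware-accessible storage.
    store.vars["SysPwd"] = password.encode()


def set_password_hashed(store, password):
    # Better design: store only a random salt and a slow, salted hash.
    salt = os.urandom(16)
    store.vars["SysPwdSalt"] = salt
    store.vars["SysPwdHash"] = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(store, guess) -> bool:
    """True on a match; after MAX_ATTEMPTS failures every check fails until reboot()."""
    if store.failed >= MAX_ATTEMPTS:
        return False
    if "SysPwd" in store.vars:
        ok = hmac.compare_digest(store.vars["SysPwd"], guess.encode())
    else:
        digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), store.vars["SysPwdSalt"], PBKDF2_ROUNDS)
        ok = hmac.compare_digest(store.vars["SysPwdHash"], digest)
    if not ok:
        store.failed += 1
    return ok


def clear_text_in_dump(store, password) -> bool:
    # Audit view: does a raw read-out of the variable store contain the password bytes?
    return password.encode() in store.dump()
```

With the plaintext design the dump contains the password bytes verbatim; with the hashed design it does not, and the lockout only delays guessing rather than preventing it.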

3
  • So the answer to my question about whether or not the plain text of the UEFI password could be obtained depends in part on the answer to another two questions, which are 1) whether or not all UEFI systems are alike. If they are not alike, then I cannot rely on the plain text not being revealed because who knows what each implementation looks like. 2) On the other hand, if UEFI specifications require that all implementations are alike, then what is the means by which the UEFI password is protected? Does anyone have any insight into either question (1) or (2)?
    – Mike
    Commented Apr 26, 2019 at 12:42
  • @Mike Given that "how to make our chipsets work" is likely to be something that the chipset manufacturer does then chances are there is a common codebase at least for each chipset. Perhaps even across chipsets. That leaves you with major chipset suppliers like AMD and Intel and a few random third parties who make custom chipsets. After that there is the possibility of injecting code to make those chipset platforms work with whatever hardware you've chosen. You're left back at "Maybe" as to whether all systems are similar and how secure they'll be. I stand by the final paragraph of my answer.
    – Mokubai
    Commented Apr 26, 2019 at 13:44
  • @Mike. Current UEFI specifications do not mandate a common codebase or binary image, and are silent about a firmware (what you call a UEFI) password.
    – fpmurphy
    Commented Apr 26, 2019 at 19:57
