Whether you forgot your password or the used laptop you bought online shipped with a locked BIOS, hacking the password is easy enough. If physical access is unlimited, the process is similar to replacing a watch battery. If taking apart your machine is outside your comfort zone or otherwise infeasible, there is a software option.
Most laptop vendors store a checksum of your password in the machine’s FlashROM, a chip that resides on your computer’s motherboard. When an incorrect password is entered three times, a “System Disabled” message appears with what looks like an error code. This counterfeit error code is actually a salted checksum of the BIOS password. Each BIOS vendor uses its own salt, but the process of cracking the password is basically the same and takes less than 100 lines of Python.
Security blogger Dogbert provides a library of scripts that hack BIOS passwords for a majority of laptop vendors. Anyone running them will need Python 2.6, or can use the packaged Windows binaries. The scripts are basically brute-force dictionary attacks that compute a hash using the vendor’s master salt or the machine’s serial number. The computed hash is compared to the checksum you received after entering incorrect passwords into your motherboard’s BIOS. When a match is found, it is printed to the console.
Some vendors have taken it upon themselves to step up their security. Certain FSI laptop models withhold the checksum until three separate passwords are entered, e.g. “Show The Password” or “@skD*63 [email protected] $Ml1a23”. Other vendors require key presses (F2/F12) or key combinations entered at the correct time.
Hacking the BIOS password can give an attacker low-level access to the machine. For example, once in the BIOS they could change the boot order to prefer a USB drive. From there they can boot their own operating system and access the machine’s hard drive as if it were an external drive. They could run analysis tools on the files, search for passwords or personal information, or even copy the entire contents of the disk and transfer it to a private lab for further analysis.
Images from Henrique Pinto, Dogbert