Date: Tue, 3 Nov 1998 13:22:20 -0600
From: Paul L Schmehl
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: BIOS Backdoor Passwords

I've been out of the office since posting the comments about the ineffectiveness of BIOS passwords, and I returned to find (to my surprise) numerous requests for information about this. Rather than respond to each individual's request, I'll post the information here. If someone has further questions after reading this, feel free to email me personally, and I'll attempt to respond to you individually. (IOW, I am not responding to those of you who emailed me prior to this post. You will have to email me again if you want personal assistance.)

Most BIOS manufacturers have backdoor passwords. These are not OEM backdoors, but BIOS backdoors. They aren't publicized (for obvious reasons), but any experienced PC hardware technician is aware of them. (And so are a number of students/hackers/crackers/etc.) For example, AWARD BIOS can normally be "cracked" with AWARD_SW, AWARD_PW or j262 (these are all case sensitive.) AMIBIOS and Phoenix also have backdoors I'm aware of. (I'm sorry, I've forgotten them now - no point in remembering something which only points out the obvious - don't rely on BIOS passwords if security is important to you.)

I should point out here if protecting the BIOS from tampering (in student computer labs for example) is important to you, by all means use them. Just don't be foolish enough to think *some* students won't know how to enter and alter the BIOS to their liking. As with all locks, BIOS passwords will keep the honest people out but provide no protection against dishonest ones.

As far as URLs for the info, a search for "BIOS passwords" will reveal all you need to see to convince you of the ineffectuality of depending on BIOS passwords to protect your systems. Not only is the information freely available, but there are many cracker programs designed to break in to the BIOS of any system. I shouldn't have to point out the obvious - if it's on the web, your users know about it, and some will use it.

Here's a few URLs to get you started:

http://www.hedgie.com/passwords/bios.html
http://hem.passagen.se/unaxor/cracking.html
http://www.voicenet.com/~raze/files/textfaq/pchack.txt
http://www.geocities.com/Area51/Zone/6430/cracking.html