Cybersecurity experts from the New Zealand company CyberCX have described in detail and demonstrated a surprisingly easy way to bypass the BIOS password on older Lenovo laptops. By shorting two contacts on the EEPROM chip with an ordinary screwdriver, you can enter the BIOS and disable the password prompt in the settings.
It should be noted that the Lenovo laptops used in the demonstration have already been discontinued: they were the ThinkPad L440 (released in Q4 2013) and the ThinkPad X230 (Q3 2012). Laptops of other models and brands can also be affected, however, if the BIOS password is stored on a separate EEPROM chip.
The CyberCX experts set out to solve the following problem: some perfectly good used laptops have to be sold for parts because the BIOS is password-protected and the password has been lost. After analyzing the documentation and some research articles, they found that, for their Lenovo laptops in particular, the following sequence of actions solves the problem:
- Locate the correct EEPROM chip.
- Find the SCL and SDA contacts on it.
- Short the SCL and SDA contacts at the right moment.
Sometimes the marking helps identify the correct EEPROM chip (on the Lenovo ThinkPad L440 it is L08-1 X), although not always. The contacts sit close enough together that an ordinary screwdriver really can bridge them. Once in the BIOS, you can change all the options. The timing window for the manipulation is not strict and leaves some leeway, but if you do it right after turning on the computer, nothing happens: you have to wait a little longer.
The technique could work with other models, and even with other manufacturers, say the authors of the study. However, some modern systems in which the BIOS and EEPROM are combined in a single surface-mount device (SMD) package are more difficult to crack using this technique: an “off-chip attack” is required. To really protect your laptop, it is best to use full disk encryption. CyberCX indicated that they want to continue the study, probably by trying to read the password from the EEPROM or to hack other machines with a screwdriver.