Why is BIOS insecure on new Windows 8 laptop?

flroots

I just received my new Dell Inspiron 15R-5520 64 bit laptop running Windows 8. It came with a new BIOS that supports both UEFI and Legacy. Compared to the BIOS on my old Dell Inspiron laptop it seems very insecure. I'm referring to access to the boot order. In my old BIOS I could set a password which was necessary for changing the boot order and either enabling or disabling devices within the boot list. Thus one could select the HDD and disable all other devices such as CD/DVD and Flashdrives. The new BIOS includes passwords as well, but they don't restrict access to the boot order and there doesn't seem to be any way to disable devices from the boot list. In the case that my laptop is stolen it's nice to prevent the thief from quickly booting off a CD or flashdrive and accessing all my files, etc. Can anyone explain why the new BIOS removed this seemingly important security feature?
Pete
 

My Computer

System One

  • OS
    Windows 8
    System Manufacturer/Model
    Dell Inspiron 15R 5520
    Memory
    8 GB
No big deal because the new UEFI is more secure than you think. You have secure boot enabled and only signed bootloaders can boot no matter the device.

On older BIOS, OK you give only boot access to HDD, but all first and best malware that tries to boot on that HDD will boot because the BIOS doesn't check for signatures. Then you go to Windows desktop but malware that already booted is in stealth mode and you cannot detect it.
 

My Computer

System One

  • OS
    Windows 10 x64
    Computer type
    Laptop
    System Manufacturer/Model
    HP Envy DV6 7250
    CPU
    Intel i7-3630QM
    Motherboard
    HP, Intel HM77 Express Chipset
    Memory
    16GB
    Graphics Card(s)
    Intel HD4000 + Nvidia Geforce 630M
    Sound Card
    IDT HD Audio
    Monitor(s) Displays
    15.6' built-in + Samsung S22D300 + 17.3' LG Phillips
    Screen Resolution
    multiple resolutions
    Hard Drives
    Samsung SSD 250GB + Hitachi HDD 750GB
    PSU
    120W adapter
    Case
    small
    Cooling
    laptop cooling pad
    Keyboard
    Backlit built-in + big one in USB
    Mouse
    SteelSeries Sensei
    Internet Speed
    slow and steady
    Browser
    Chromium, Pale Moon, Firefox Developer Edition
    Antivirus
    Windows Defender
    Other Info
    That's basically it.
Thanks. I've now managed to do a clean install of both Windows 7 and 8 to UEFI/GPT partitions on my new Dell Inspiron 15R-5520 laptop. I've confirmed that the new UEFI BIOS is very insecure. One can simply press F12 during boot up and change boot order to any of the following without having to enter my set password:
a. UEFI with secure boot
b. UEFI without secure boot
c. Legacy without secure boot
As mentioned above, this would have been impossible with my older Dell Inspiron. Also, Windows 7 won't boot with secure boot since the BIOS doesn't recognize it. It will boot with UEFI without secure boot. Also, this article doesn't inspire confidence either:
Pete
 


Thanks. Secure boot might be good, but no password is required to turn off secure boot or switch to Legacy mode. It's really hard to understand why they would not lock those changes out with a password.
Pete
 


No problem.

You lock those with the BIOS password. On some models it's called administrator password.
Then you would be able to enter the BIOS and change stuff only with the password.
 

Thanks. My BIOS has an admin password, but it has no effect on boot order or which devices you boot from.
Pete
 

Wait a sec...
Thanks. Secure boot might be good, but no password is required to turn off secure boot or switch to Legacy mode. It's really hard to understand why they would not lock those changes out with a password. Pete

So I said:
No problem. You lock those with the BIOS password. On some models it's called administrator password. Then you would be able to enter the BIOS and change stuff only with the password.
That fixes it on my machine!

So:
Thanks. My BIOS has an admin password, but it has no effect on boot order or which devices you boot from.
Pete

Boot order is launched out of the BIOS, and it's normal for it not to be affected.
Depends on machine and manufacturer as well.


You should be able to stop the boot order (from the BIOS) from being initiated.
But here also: some manufacturers allow it, others don't.
And most laptop BIOSes are all locked and restricted (I got some of those here).

However, secure boot will stop all unsigned boot-loaders whatever you choose from the list. :)

Cheers
Hopachi
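
A check for the situation discussed in this thread, where the F12 menu can start the laptop as UEFI with Secure Boot, UEFI without Secure Boot, or Legacy: the following is an added example, not part of any post, that reports from inside Windows which of those modes the machine actually booted in. It uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets; the function name Get-BootSecurityState and the finding texts are made up for the illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
function Get-BootSecurityState {
    $state = [ordered]@{
        FirmwareMode = 'Unknown'
        SecureBoot   = 'Unknown'
        SetupMode    = 'Unknown'
        Findings     = @()
    }
    try {
        # $true = Secure Boot enforced, $false = UEFI boot with it switched off.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $state.FirmwareMode = 'UEFI'
        if ($enabled) {
            $state.SecureBoot = 'Enabled'
        } else {
            $state.SecureBoot = 'Disabled'
            $state.Findings += 'Booted as UEFI without Secure Boot: boot loader signatures are not checked.'
        }
        # SetupMode = 1 means no Platform Key is enrolled, so the firmware
        # accepts new Secure Boot keys without authentication.
        $setup = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
        if ($setup.Bytes[0] -eq 1) {
            $state.SetupMode = 'Setup'
            $state.Findings += 'Firmware is in Setup Mode: Secure Boot keys can be replaced.'
        } else {
            $state.SetupMode = 'User'
        }
    }
    catch [System.PlatformNotSupportedException] {
        # Raised on a Legacy/CSM boot or on firmware without Secure Boot.
        $state.FirmwareMode = 'Legacy or no Secure Boot support'
        $state.SecureBoot   = 'NotAvailable'
        $state.Findings += 'Booted in Legacy mode or without Secure Boot support.'
    }
    catch [System.UnauthorizedAccessException] {
        $state.Findings += 'Not elevated: re-run as Administrator to read UEFI variables.'
    }
    catch {
        $state.Findings += "Could not read Secure Boot state: $($_.Exception.Message)"
    }
    [pscustomobject]$state
}

# Print the state; a non-empty Findings list means the boot was not protected.
Get-BootSecurityState | Format-List
```

Run at logon or from a scheduled task, a non-empty Findings list shows that the machine was last started in one of the unprotected modes offered by the boot menu.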
 
