You might have heard the news lambasting Lenovo for a BIOS backdoor that survives across re-installs. Note, however, that this is a BUILT-IN function in Windows 8+ that all OEMs have been able to take advantage of. I’ve updated my Windows 10 Privacy Checklist page with WPBT information. Here’s the added information for your convenience:
BIOS (WPBT / TPM):
- Microsoft has implemented (since Windows 8) a function named ‘Windows Platform Binary Table’ (official documentation [docx]), which takes effect even if you re-format and re-install Windows from scratch.
- Officially: “The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute.”
- This function is not described anywhere except in a remote part of the Windows Hardware Dev Center.
- WPBT allows hardware vendors to implement OS binary modifications from the BIOS. This includes programs, files and settings at the vendor’s discretion. Naturally, this breaks every model of a secure system.
- One hardware vendor, Lenovo, has already been using this, packaged as Lenovo Service Engine, on newer models. Assume that all hardware vendors are doing the same.
- Similar behaviour can be found in the ‘Computrace’ function on some older BIOSes, as outlined in this HP document.
- The BIOS portion of WPBT is designed to find and replace Windows 8/10 files; however, it is unknown whether it works on non-NTFS partitions. Presumably, encrypting with BitLocker will serve little purpose, as BitLocker relies on the TPM chip, which is also tightly tied into the BIOS/hardware.
- It wasn’t that long ago when we were discussing the NSA using a similar technique, as well as Hacking Team – the ability to continually drop new rootkits and spyware on a machine, even across re-installs (note that this applies to pre-Win 8 machines as well).
- If you’re using an affected Lenovo machine, assume the machine is in a compromised state, even with FDE. Apply the Lenovo WPBT removal tool, then re-format and re-install the compromised machine, preferably with a thorough wipe in between.
- Disable any BIOS functions which reference anti-theft or Computrace. If you are not planning to use TPM, disable it in BIOS, along with any BIOS options referencing biometrics.
- TPM contains a unique RSA key and builds an unforgeable hash of your entire hardware profile for signature purposes. It adds security, but this unique identifier could be used to de-anonymize you. Note that with TPM disabled you will not be able to use BitLocker, which brings me neatly to my next point.
- Don’t use Windows. With each iteration or patch rollout, more and more privacy and security holes are being implemented, by design. Switch to a Linux distro and use full-disk encryption with a strong password and good security hygiene. At this time, it does not appear that the GRUB bootloader is affected by the BIOS backdoor.
- It’s important to note that if your BIOS is compromised (officially or not), there is no guaranteed way of un-infecting it, apart from destroying the physical chip and replacing it. Even then, the number of closed binary blobs in modern BIOSes makes it a game of roulette.
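Because the WPBT is a fixed ACPI table, you can check from Linux whether your firmware publishes one and see where its binary sits in memory. The script below is an added example, not part of the original checklist or any vendor tool. It assumes the field layout from Microsoft's WPBT specification and the standard Linux sysfs location for ACPI tables, and `build_sample()` produces a constructed table with made-up values.

```python
import os
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length
SYSFS_TABLE = "/sys/firmware/acpi/tables/WPBT"  # Linux exposes firmware ACPI tables here (root only)

def parse_wpbt(raw: bytes) -> dict:
    """Decode a raw WPBT table and report where the firmware-supplied binary sits."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(raw) < fixed:
        raise ValueError("too short for a WPBT table")
    sig, length, rev, _cksum, oem_id, oem_table, _orev, _cid, _crev = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table")
    if not fixed <= length <= len(raw):
        raise ValueError("header length field is inconsistent with the data")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    if fixed + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    return {
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_table.rstrip(b"\0 ").decode("ascii", "replace"),
        "checksum_ok": sum(raw[:length]) % 256 == 0,  # all table bytes must sum to 0 mod 256
        "binary_phys_addr": addr,
        "binary_size": size,
        "content_layout": layout,
        "content_type": ctype,
        "arguments": raw[fixed:fixed + args_len].decode("utf-16-le", "replace"),
    }

def build_sample() -> bytes:
    """Constructed table for offline testing; every value in it is made up."""
    args = "/constructed".encode("utf-16-le")
    body = WPBT_BODY.pack(0x2000, 0x7F000000, 1, 1, len(args)) + args
    head = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                            b"SAMPLE", b"CONSTRCT", 1, b"TEST", 1)
    raw = bytearray(head + body)
    raw[9] = -sum(raw) % 256  # byte 9 is the ACPI checksum field
    return bytes(raw)

if __name__ == "__main__":
    if os.path.exists(SYSFS_TABLE):
        with open(SYSFS_TABLE, "rb") as fh:
            print("Firmware publishes a WPBT:", parse_wpbt(fh.read()))
    else:
        print("No WPBT exposed by this firmware; constructed sample:", parse_wpbt(build_sample()))
```

Run it as root from a live Linux USB. If the sysfs file is absent, the firmware is not advertising a WPBT to the operating system.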