Update 1: My ASUS laptop is ASUS ROG Zephyrus M GM501GS-EI027T. I’m using the latest BIOS version which is 313 (according to the latest version dated 08/30/2019)
Update 2: Given a CVE-2019-18216
Update 3: ASUS security team gave me the patch for the BIOS vulnerability I posted here and the patch works. I cannot reproduce the vulnerability using the previous technique described below. Thank you to the ASUS security team for a quick response to this vulnerability. Kudos!
A few months ago, I was traveling abroad and brought my superpower laptop, ASUS ROG GM501GS. At that time I departed from Jakarta, I don’t remember how many percents the battery in the laptop, when I arrived at the destination, the laptop was turned off.
Surprisingly, when the charger was plugged in, and the laptop was turned on, the BIOS configuration was reset. I knew when the laptop was turned on, the sound of the ASUS logo whizzing out again (I’ve turned off this configuration in the BIOS).
The laptop was boot normally, then I restarted it again to validate that the BIOS configuration’s correct. And it’s true, the BIOS configuration was reset, maybe because the battery was empty. If the BIOS doesn’t use a separated battery it makes security configuration and BIOS protection useless. Whereas in the BIOS configuration, we can prevent someone from booting using USB, protect the BIOS configuration with a password, configure the system to not boot without entering a password, including the virtualization feature, etc.
After coming from abroad, I made time to reproduce the behavior; this is what I did:
- Make sure the battery is in low condition, then access into the BIOS to make a change and save the configuration. The change in configuration can be anything. For example, I turn off the ASUS logo boot audio chime (this is just a sign for me). If the BIOS is reset, the ASUS logo boot audio will chime.
- Once configured, boot normally to the operating system.
- Use the laptop until it turns itself off; don’t do work things, remember if the system goes down anytime, your data would be lost.
- When the battery is completely discharged, plug in the charger, then turn on the laptop and let it boot normally into the operating system.
- After normal boot, unplug the charger and leave the laptop turned off until run out of battery. Make sure the operating system isn’t configured in power saving mode to save the battery.
- After dead for the second time, try pressing the power button repeatedly to make sure the laptop cannot start.
- Wait for about 30 minutes, then plug the charger again, then immediately press the power button.
- At this time, the laptop keyboard will light up, the laptop will restart many times, and in the end the ASUS logo boot audio sound will be chime. The chime indicates that the BIOS has been reset.
- If it didn’t work, repeat the steps above.
Earlier this week I contacted the ASUS security team and they responded that this was normal. Apparently the power source for the BIOS uses the same battery as the main battery and they told me that it is a new design.
I argue with the ASUS team that in my opinion, this is a vulnerability because the BIOS security configuration is made for security reasons. If this laptop is stolen (with a BIOS security configuration installed), then without the need to disassemble/remove the hard disk, the attacker can easily access the hard disk with USB.
ASUS security team accepts this and will improve the BIOS design in the future. Hopefully this can bring improvements to other laptop maker.
If there are friends and colleagues who use this ASUS ROG GM501GS,
make sure that the laptop battery is always in full condition. Do not travel using this laptop if the battery is low.
For companies, it’s best to use a laptop that has a BIOS battery configuration separate from the main battery to prevent losing the security configuration in the BIOS.
Picture taken from https://www.cnet.com/reviews/asus-rog-zephyrus-m-gm501-review/