©ASUSTEK COMPUTER INC. ALL RIGHTS RESERVED.

hintsu · ‎08-22-2017

I have a Maximus VIII Hero.
I'm slightly paranoid with viruses or hackers being able to rootkit the BIOS it self, and would like to disable the possibility to flash/overwrite BIOS from Windows or user-land.

Is there a way to disable this, such that its only possible to update the BIOS by inserting a USB-stick and updating at boot?

Also: Does setting an admin-password(and no user-password) in BIOS, force the use of password when performing update of BIOS from Windows?

haihane · ‎08-22-2017

i can't seem to reply to your thread, test.
edit: long wall of texts explaining how is rejected, but this dumb post of mine gets through? pfft

edit :2
i can't seem to reply to your thread, test
edit: now i can. lucky i saved the original draft before losing it. would be a pita to retype this.

i'll try to explain the best i could.

as far as i know (and i could be wrong in this case, you're recommended to cross-verify and ask on reddit for second opinions(s) ), as long as you don't install any bios update utility from motherboard site (ASUS Update or the likes), you should be safe from bios updating itself. Windows ISOs (all versions) by itself do not ship with any means of updating bios natively.

granted, this does not answer your question fully. while that does not prevent any user having physical access to your computer from running a program to update your motherboard's bios; this has something to do with how windows kernel works, that it's near impossible to prevent a bios updater program from updating your bios once it's run on the OS. the best you could do is to prevent it from happening from the first place.

about your question: Is there a way to disable this, such that its only possible to update the BIOS by inserting a USB-stick and updating at boot?
answer: not that i know of. as long as you don't install anything that may update bios, it should be safe. there's not a way that i know that would prevent bios from updating itself once somebody has physical access of your computer.

don't share your computer to anyone else, perhaps?

Also: Does setting an admin-password(and no user-password) in BIOS, force the use of password when performing update of BIOS from Windows?

i doubt it. (i suppose i could set a password on my own bios and then attempt to update it. pardon me for being lazy just to prove a point and i'd already thought of a workaround below)
let's just assume the bios behaves exactly like what you quoted above. what i'd do: reset CMOS, update the thing.

no siggy, saw stuff that made me sad.

haihane · ‎08-22-2017

ok, i had no idea what happened. probably the forum doesn't like reddit's ELI5 (explain like i'm five) references i linked. had to remove it for post to show. /annoyed.

no siggy, saw stuff that made me sad.

hintsu · ‎08-22-2017

Thanks for the reply. Appreciate your input.

Say I don't download any bios updating software from asus, and that I don't share my computer with anyone.
Then assume I was hacked by some catastrophic easy externally exploitable Windows zero-day vulnerability allowing remote execution of arbitrary software. And that the attacker used it to download the software from asus(or similarly reverse engineered software).
Couldnt the attacker in such a case do whatever he wished with my motherboard? Either upload his own bios which injects backdoors into whatever OS loaded(or the processor microcode), or simply deleting the entire BIOS, rendering the motherboard useless? (In such a case it would be difficult to re-apply a functioning BIOS, right?)

emsir · ‎08-23-2017

hintsu wrote:
Thanks for the reply. Appreciate your input.

Say I don't download any bios updating software from asus, and that I don't share my computer with anyone.
Then assume I was hacked by some catastrophic easy externally exploitable Windows zero-day vulnerability allowing remote execution of arbitrary software. And that the attacker used it to download the software from asus(or similarly reverse engineered software).
Couldnt the attacker in such a case do whatever he wished with my motherboard? Either upload his own bios which injects backdoors into whatever OS loaded(or the processor microcode), or simply deleting the entire BIOS, rendering the motherboard useless? (In such a case it would be difficult to re-apply a functioning BIOS, right?)

You sound a lot like paranoia. You assume, but you live in a fantasy. As far as i know there have been NO reports of the attack you assume. Take some pills and relax, drink some coffe and think of something positive. You will feel much better. No one is interested in attacking you Bios or computer, trust me.

hintsu · ‎08-25-2017

I'm not worried someone is after me in particular. But some idiot could develop a virus targeting the BIOS.
Viruses targeting Iran, have spread(probably unintentionally) in the wild.
If I could mitiage that small possibility of such a virus, with a second of my time clickign a "disable"-button, I'd do it.

haihane · ‎08-22-2017

then you're **** out of luck.

answer: yes. you're SOL.
you won't be that unlucky though, at least i hope not.
you're not that valuable enough of a target (as a commoner) to warrant such a sophisticated attack on you.

no siggy, saw stuff that made me sad.

haihane · ‎08-23-2017

hey hintsu, you might find this interesting.

what you were afraid of had been developed and deployed against Iran. (wannacry did this to a lesser degree)
https://en.wikipedia.org/wiki/Stuxnet

thought you might find this interesting. i was made aware of this by others at first, and now i'm sharing it to you.
(it's not meant to scare you though, though by the mere mention of it, i might have inadvertently did. but rejoice in the fact that we commoners have safety in our lack of importance).

no siggy, saw stuff that made me sad.

Disable bios update on Maximus VIII Hero