I recently acquired an ONN Laptop. This is a brand of laptop sold exclusively through Walmart in the US.
I decided to investigate this laptop because I had a suspicion it’s BIOS was not particularly locked down. Turns out my suspicion was well founded; this article will describe the various configuration settings made available through BIOS on the ONN Laptop.
I was unable to conduct extensive vulnerability testing with this laptop as by setting a particular BIOS option, through the built-in BIOS Configuration Utility nonetheless, I bricked the laptop. Read the analysis section for more information, where I also list out the various attacker vectors I identified.
Through the configuration menus listed below it is possible to enable Intel DCI without making any custom modifications to the BIOS image using a tool such as
RU.efi. This means it is possible to enable Intel DCI without disabling and re-enabling Secure Boot. I was able to connect the laptop to a host system running Intel System Debugger (legacy) and successfully halt the laptop’s processor and see the system state, as well as perform some rudimentary debugging at this level.
The interesting functions of the BIOS - specifically the network enabled capabilities, do not seem to function properly. Every time I tried setting a boot URI in the UEFI HTTP IPv4 configuration menu, the option value reset to blank every time I saved the BIOS configuration.
Several other options, such as
ASF Support in
Advanced / AMT Configuration also displayed this behavior. When I set
ASF Support to enabled, saved, and then exited the BIOS, on the very next entry into BIOS the
ASF Support option was set to disabled.
I was able to get the WiFi configuration to successfully authenticate to the WiFi network, but the device never responded to ICMP or other IP level messages. It seems like there is some Layer 2 attack surface here in terms of authenticating to the WiFi access point, which may be the only “remote” attack vector. This still would require local proximity to the device.
Other interesting input includes the
Cert Enrollment option in the
Advanced / TLS Configuration menu. This allows certificates to be loaded from USB storage, which invites some unique opportunities, given physical access.
There of course are the UEFI NVRAM variables as potential vectors to supply malicious input. I did not explore this avenue beyond setting options in the BIOS configuration utility.
Also worth noting is that the
Firmware Configuration Menu contains an option for
Ignore Policy Update - when I set this to be the configured option, the laptop would no longer boot, not even to BIOS, resulting in a bricked laptop. It looks like the BIOS manufacturer attempted to warn users about setting this option, but it was not clear to me that setting this option as the configured value would have the effect of bricking the laptop.
I might have been able to restore the laptop to a functional state if I had made a back up of the SPI ROM prior to testing; I did not do this, foolishly not thinking that there could be any way to permanently brick the laptop through BIOS shy of powering off the device during a firmware update. Certainly I did not anticipate a configurable option placing the laptop in such a state.
The best advice I can offer users of this laptop is that they set the
User Password under the
Security Menu - this will require a password to POST as well as access BIOS settings. I’m not convinced that there isn’t a way to bypass this authentication mechanism, but it is better than nothing. Like most devices, physical access to this device essentially means game over in terms of security - by allowing debug capabilities it is possible to manipulate the laptop at the platform level.
Below is a run through of the BIOS Configuration Utility menus. Note that except for one or two special instances, the values in the images for the various settings are the default values.
This is the first screen the user is greeted with upon entering system BIOS. The user can enter the system BIOS by pressing the
Delete button at the ONN splash screen. It contains version information for the currently install BIOS image.
There are six total menus:
The advanced menu is where most BIOS configuration options are set. This includes the following sub-menus:
There are a few additional Networking menus that appear once Network Stack is enabled and the BIOS settings have been saved and the system reset. Those are:
MAC:<MACADDRESS>-IPv4 Network Configuration
MAC:<MACADDRESS>-HTTP Boot Configuration
MAC:<MACADDRESS>-IPv6 Network Configuration
We will explore these last five menus near the end of this post.
This seems to be a power management and monitoring subsystem of the chipset. It contains a number of sub-menus:
Lower Power SO Idle Capability
Intel Ready Mode Technology
The Advanced / Connectivity Menu is used to configure onboard chip detection for communications chips, such as Bluetooth and WWAN.
The Advanced / CPU Configuration menu details the L1-L4 cache information, as well as the processor ID and speed. Additioanlly, virtualization can be configured through this menu.
The Power & Performance Menu allows the user to configure CPU and GT power options.
The PCH Menu includes information on Intel ME, including version information. It allows various ME options to be set, including ME debug options.
These are options for debugging Intel Management Engine. They include:
The Advanced / Thermal Configuration Menu allows thermal configuration of CPU, Platform, and DPTF.
The Advanced / Platform Settings Menu contains the following options:
The Advanced / D3 Cold Settings Menu includes the following options:
The Advanced / Overclocking Menu allows the ability to enable/disable overclocking on the platform.
The Advanced / Intel AMT Menu contains configuration options for Intel Active Management Technology. We will explore this capability further in the analysis section of this post.
The configuration options for this menu include:
The Advanced / Intel ICC Menu includes the following configuration options:
The following configuration information is also presented:
This menu allows the user to enabled/disable ThunderBolt(TM) support.
This menu allows a user to configure Intel DCI, amongst other platform configuration options. The sub options in this menu are:
The options in this menu include:
Enabled (DCI OOB+[DbC])
I have set this option to
Enabled (DCI OOB) so we can use DCI to debug the platform. More information on this will be provided in the analysis section.
The Advanced / Debug Settings Menu / Advanced Debug Menu options are:
The Advanced / Trusted Computing Menu contains TPM information as well as the following options:
The Advanced / ACPI Menu contains the following configuration options:
The Advanced / S5 menu allows the user to enable / disable Wake From S5.
The Advanced / SMART Menu allows the user to enable / disable SMART.
The Advanced / Serial Port Console Redirection Menu has the following options:
The Advanced / Acoustic Mangement Configuration Menu allows the user to enable / disable acoustic management of a given SATA device.
The Advanced / AMT Graphics Menu allows the user to set the output for AMT Graphics.
The Advanced / PCI Settings Menu allows BME DMA Mitigation to be enabled / disabled.
The Advanced / USB Settings menu contains the following configuration options:
These next few networking stack-related options are only visible if networking has been enabled.
The chipset menu contains a few additional platform configuration options. The sub-menu’s available here are:
Note that by default, the
Firmware Configuration is set to
Additional options for
Firmware Configuration include:
The following options are availabe for primary display:
I set this option to
PCI to work with my HDMI capture card. By default it is set to
The Security menu allows the user to set an
Administrator Password or a
User Password. The
Administrator Password allows access to BIOS Setup, while the
User Password allows POST and access to BIOS Setup.
Additionally, Secure Boot can be configured in this menu.
There are two options for Secure Boot Mode:
Note the Secure Boot is enabeld by default.
The Boot Menu presents the user with options as to boot device order.
The Save & Exit Menu presents the user with options to save BIOS configuration settings as well as to override the boot settings
@RockerFernando reached out to me with some additional details. Apparently there are Gateway-branded laptops that have the same BIOS as the ONN-branded laptop. Like me, he had bricked his laptop by setting the same BIOS option. I was pretty sure that by resetting the NVRAM we could restore our laptops to a usable state, and @RockerFernando went and figured out how to do this. If you open the chassis and disconnect the battery, or simply wait a few months until the battery is totally dead, and then hold down the power button for about a minute, you should be able to reset NVRAM thus clearing the faulty configuration value. Thanks @RockerFernando for the tip!