S 6.27 Secure update of BIOS
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User
Many IT systems, for example PCs, require a Basic Input/Output System (BIOS) for start-up and/or operation. The BIOS consists of program code and data; it is used to make important configuration settings on the IT system and to provide elementary input/output functions. In many cases, the actual operating system is loaded by means of these functions and then either takes over control of the hardware itself or continues to use the BIOS functions. In most cases, the BIOS is stored in special memory modules (e.g. EEPROM or Flash-EPROM) whose contents are retained when the power supply is switched off.
For PCs in particular, the large number of configuration options has caused the BIOS to become very complex and thus also more prone to error. Many manufacturers have therefore started to implement an update mechanism for the BIOS and to provide bug-fixed versions at regular intervals. To perform the BIOS update, the manufacturer usually also offers a special program with which the contents of the corresponding memory modules can be overwritten. If such a program is offered for the BIOS update, it must be ensured that it is obtained from a trusted source, that it is up to date and that it is free of viruses.
Since the BIOS accesses the hardware directly and is loaded before operating systems and boot loaders, manipulation of the BIOS is particularly difficult to detect. For this reason, only administrators may be entitled to install a new BIOS.
In general, the update mechanism for the BIOS should be used to equip IT systems with BIOS versions with as few errors as possible. The following aspects, however, should be considered in this context:
- First of all, a data backup of the currently installed BIOS should be carried out. For this purpose, the software offered by the manufacturer generally provides the possibility to read the installed BIOS and to save it as a file. If problems occur after the BIOS update, this BIOS version can be restored. If the mainboard is equipped with a redundant BIOS on a separate chip, it is not necessary to carry out the data backup.
- For central IT systems, for example servers, network coupling elements and PBX systems, both the currently used BIOS version and the previous functional version should be archived. It must be ensured that each archived file can be clearly assigned to the respective IT system.
- In many cases, a BIOS update has an impact on the stored configuration data. Under certain circumstances, all settings made are reset to default values and are thus lost. A modern PC BIOS is able to determine many configuration settings itself ("Auto Detect"), but particularly for more specialised devices it may be necessary to document the settings made prior to the BIOS update. In this respect, the recommendations of the manufacturer should be taken into account.
- An attacker might try to reinstall an older BIOS version in order to exploit its vulnerabilities. BIOS updates should therefore be documented (at least in areas with high protection requirements) as part of the patch and change management.
- BIOS updates and the software used to install them are often provided by the manufacturer on the Internet. It must be ensured that both the updates and the software are obtained only from the manufacturers themselves or from official mirror servers. When in doubt, the manufacturer should be contacted to find out whether a specific version made available on the Internet was actually released by the manufacturer.
- Incompatibilities or damaged files might cause an IT system to stop working properly after a BIOS update has been performed. Often it is then no longer even possible to restore the previous functional BIOS version. In such cases, generally only the vendor or manufacturer is able to make the device operational again, and under certain circumstances the IT system will be unavailable for an extended period. Therefore, before carrying out the BIOS update, it must be ensured that an adequate fallback solution (e.g. a replacement device) is available if such a failure cannot be tolerated.
- If possible, new BIOS versions should be tested before they are used. However, this is only possible if there are several IT systems all working with the same BIOS. In this case, the new BIOS version should be installed on one of these IT systems first and this device should be monitored for some time during operation. If no problems are detected, the new version can also be installed on the other IT systems.
Note: It might seem attractive to perform this test in a virtual environment. However, since a virtual environment never exactly simulates the existing hardware of the real machine, such a test is not reliable. The functionality of a new BIOS must therefore be tested on a real system.
- Some manufacturers do not simply recommend the latest BIOS version for their devices. Instead, there are tables in which a specific BIOS version is recommended depending on the application scenario or model number of the IT system. This mainly relates to network coupling elements. The recommendations of the manufacturer should be taken into account.
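The following script is an added illustration, not part of this safeguard or of any manufacturer's tooling, of how the backup, archiving, source-verification and rollback points above can be supported procedurally. It assumes that the installed BIOS has already been read out to a file with the manufacturer's program, that the manufacturer publishes a SHA-256 checksum for each released image (assumption), and that BIOS versions are dotted numeric strings; all file contents and identifiers are constructed sample data.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def archive_bios_image(archive_dir, system_id, version, image_path):
    """Copy a read-out BIOS image into the archive and record in a manifest which
    IT system it belongs to, so the file can be clearly assigned to that system."""
    archive_dir = Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    dest = archive_dir / f"{system_id}_bios_{version}.bin"
    dest.write_bytes(Path(image_path).read_bytes())
    manifest = archive_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append({"system_id": system_id, "version": version,
                    "file": dest.name, "sha256": sha256_of(dest)})
    manifest.write_text(json.dumps(entries, indent=2))
    return dest

def version_tuple(v):
    # "1.0.4" -> (1, 0, 4); only numeric components are compared
    return tuple(int(x) for x in re.findall(r"\d+", v))

def check_update(archive_dir, system_id, candidate_path, candidate_version, vendor_sha256):
    """Return a list of findings; an empty list means the update may proceed."""
    findings = []
    if sha256_of(candidate_path) != vendor_sha256.lower():
        findings.append("checksum mismatch: file differs from the manufacturer-published image")
    manifest = Path(archive_dir) / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    mine = [e for e in entries if e["system_id"] == system_id]
    if not mine:
        findings.append("no backup of the currently installed BIOS archived for this system")
    else:
        current = max(mine, key=lambda e: version_tuple(e["version"]))
        if version_tuple(candidate_version) < version_tuple(current["version"]):
            findings.append(f"downgrade: {candidate_version} is older than archived {current['version']}")
    return findings

def demo():
    """Constructed scenario: archive the installed BIOS 1.0.4 of system SRV-01,
    then check a genuine newer image and a tampered older image."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "installed.bin").write_bytes(b"CONSTRUCTED BIOS IMAGE 1.0.4")
    (tmp / "update.bin").write_bytes(b"CONSTRUCTED BIOS IMAGE 1.0.5")
    (tmp / "old.bin").write_bytes(b"CONSTRUCTED BIOS IMAGE 1.0.2")
    archive_bios_image(tmp / "archive", "SRV-01", "1.0.4", tmp / "installed.bin")
    good = check_update(tmp / "archive", "SRV-01", tmp / "update.bin", "1.0.5", sha256_of(tmp / "update.bin"))
    bad = check_update(tmp / "archive", "SRV-01", tmp / "old.bin", "1.0.2", "00" * 32)
    return good, bad
```

In the demo the "published" checksum of the good image is simply computed from the constructed file; in practice it is taken from the manufacturer's release page and the findings list is attached to the change record.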
Review questions:
- Is the previous functional BIOS version backed up before a BIOS update is carried out?
- Is it ensured that the BIOS can only be modified by an administrator?
- Are BIOS updates and the programs required for this purpose downloaded exclusively from trusted sources?