Recovery of Dell BIOS Passwords Enabled by Broken Encryption Scheme

Dell BIOS passwords stored with a flawed XOR cipher allow full recovery from flash dumps in milliseconds, posing risks to full disk encryption.

CSBadmin
3 Min Read

The Vulnerability

A critical weakness in Dell’s BIOS password storage allows an attacker to recover administrator and user passwords from the SPI flash chip in milliseconds without any brute force. Tracked as CVE-2026-40639, the flaw originates from a broken XOR encryption scheme rather than a proper cryptographic hash. Dell stores BIOS passwords in the DVAR region of the SPI flash, encrypted with a repeating 20 byte XOR key applied to a 32 byte field, with the first character left completely unencrypted.

For passwords of 12 characters or fewer, the null padded tail of the field leaks the entire XOR key, enabling instant reversal. For longer passwords, the key derivation uses only a fixed per device seed, a GUID, and the single unencrypted first character, limiting possible keys to 256 per device. Since old deleted DVAR records are not securely erased, an attacker can often recover an older short password, extract its key, and apply it to a longer current password sharing the same first letter.

Affected Devices and Patching Status

The issue affects the SystemPwSmm SMM driver used across many Dell client platforms, confirmed on the Latitude E7250, Latitude 7490, XPS 15 9560, and the still supported Wyse 5070 thin client which remains unpatched. Newer models like the OptiPlex 3000 use a proper SHA-256 based SIVB vault and are not vulnerable. Researchers privately disclosed the issue to Dell in March 2026, and the company issued DSA-2026-197 on June 9, 2026, patching an initial batch of platforms with additional fixes targeted for the end of July 2026. The advisory does not yet cover the Wyse 5070 or several other confirmed vulnerable devices.

The attack requires physical access to the flash chip via a clip and programmer, or booting an attacker controlled OS, but needs no authentication or user interaction. Since BIOS passwords often gate Secure Boot, boot order, and pre boot DMA protections, recovering them can bypass full disk encryption, especially where TPM policies do not measure every relevant setting. The researchers recommend Dell transition to salted iterated password hashing across all platforms and securely erase historical DVAR records, while advising defenders not to rely solely on BIOS passwords to protect encrypted boot chains.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.