The Spring Onion Hack: Why Your PC’s Security Might Be a Joke.
- Aug 14
In a bizarre twist that sounds more like satire than cybersecurity research, it was recently demonstrated that a spring onion (yes, the vegetable!) could be used to bypass security on Dell devices by exploiting firmware vulnerabilities. This isn’t just a quirky headline – it’s a serious wake-up call for anyone relying on built-in device security like TPMs or biometrics.

What Happened?
The vulnerability, as reported by Computer Weekly, involves flaws in Dell’s firmware that could allow an attacker to bypass secure boot mechanisms. The researchers showed that even with a Trusted Platform Module (TPM) present, the system could be compromised using physical access and “clever manipulation” - like using a vegetable to trigger capacitive sensors – highlighting how superficial some security implementations can be.
The Problem: Trusting the Wrong Hardware
The Dell vulnerability highlights a fundamental flaw in modern device security: even when a PC has a secure element like a TPM, it’s not truly secure if the firmware can be tampered with. In general, these devices lack tamper-resistance, meaning attackers can gain physical access to probe secure circuits and manipulate them to reveal their secrets.
And then there’s biometrics. The “Spring Onion Hack” shows how biometric authentication can be spoofed or bypassed. Once considered cutting-edge, biometrics are now continually proving to be inherently insecure when used as the sole method of authentication.
The Limitations of TPM and Biometrics
TPM: Not a Silver Bullet
TPMs are embedded in general-purpose devices and rely on firmware integrity.
If the firmware is compromised, the TPM can be rendered ineffective.
TPMs lack physical tamper resistance in most consumer devices.
Biometrics: Convenient but Insecure
Biometric data is not secret.
Can be spoofed and bypassed.
The “Spring Onion Hack” shows how easily sensors can be tricked.
The VeroGuard Solution: Security by Design
At VeroGuard, we believe security should be purpose-built, not patched together from consumer-grade components. Here’s how our solution addresses the issues exposed by the Dell incident:
Purpose-Built Hardware Authenticator
VeroGuard uses a dedicated hardware authenticator that is designed from the ground up for secure identity verification. The VeroCard is dedicated solely to identity-based functions. It has no physical ports for external connections and cannot be remotely activated, ensuring it remains isolated and secure from unauthorised access.
Tamper Resistance Is Non-Negotiable
Security that can be physically bypassed isn’t security at all. VeroGuard’s authenticator is engineered with true tamper resistance and certified to payment industry specifications, ensuring that even if an attacker has physical access, they can’t compromise the device or the credentials it protects.
No Biometrics, No Guesswork
We don’t rely on biometrics. Why? Because:
1) they’re not secret, and
2) they’re probabilistic and not deterministic.
Biometric authentication systems are intentionally designed to tolerate slight variations in input, because no two biometric scans – even from the same person – are ever exactly identical. Ironically, a 100% match is often treated as suspicious, since it may indicate a replay attack using a previously captured biometric sample.
VeroGuard uses cryptographic keys stored in secure hardware.
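The contrast drawn above between probabilistic biometric matching and a deterministic key-based check, as an added example (not VeroGuard's code or protocol). The bit-string templates, the 25% tolerance and the HMAC challenge-response are assumptions chosen for illustration, and all inputs are constructed.

```python
import hashlib
import hmac

MATCH_THRESHOLD = 0.25  # assumed tolerance: up to 25% of bits may differ


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (len(a) * 8)


def biometric_decision(enrolled: bytes, sample: bytes) -> str:
    """Probabilistic check: accept anything inside a tolerance band."""
    distance = hamming_fraction(enrolled, sample)
    if distance == 0.0:
        return "replay-suspected"  # a 100% match is treated as suspicious
    return "accept" if distance <= MATCH_THRESHOLD else "reject"


def key_response(key: bytes, challenge: bytes) -> bytes:
    """Authenticator side: prove possession of the key for this challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def key_decision(key: bytes, challenge: bytes, response: bytes) -> str:
    """Deterministic check: the response is exactly right or it is rejected."""
    expected = key_response(key, challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject"


def flip_bits(data: bytes, count: int) -> bytes:
    """Build constructed test input by flipping the first `count` bits."""
    out = bytearray(data)
    for i in range(count):
        out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


if __name__ == "__main__":
    enrolled = bytes(range(32))                 # constructed 256-bit template
    key, challenge = b"k" * 32, b"challenge-1"  # constructed key and nonce
    for bits in (0, 20, 100):
        print(bits, "bits differ:", biometric_decision(enrolled, flip_bits(enrolled, bits)))
    resp = key_response(key, challenge)
    print("exact response:", key_decision(key, challenge, resp))
    print("1 bit off:", key_decision(key, challenge, flip_bits(resp, 1)))
    print("replayed on new challenge:", key_decision(key, b"challenge-2", resp))
```

The biometric path accepts a range of inputs and needs a special case for an exact match, while the key path has one valid response per challenge, so a captured response fails against a fresh challenge.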
Out-of-Band Authentication
Most importantly, VeroGuard’s authentication process occurs outside the target device. This out-of-band approach means that even if the PC or phone is compromised, the authentication remains secure. The device never sees your credentials, making phishing and malware attacks highly ineffective.
Final Thoughts: Don’t Let Your Security Be a Joke
The spring onion hack is amusing—until you realise it could happen to your business. It’s time to stop trusting consumer-grade security and start demanding real protection. VeroGuard offers a solution that is not just secure in theory, but secure by design.
Dedicated hardware designed specifically for secure identity verification.
Purpose-built for authentication – NOT general-purpose use
Out of Band – Authentication occurs outside the target device.
Hardware Security Modules – Credentials are never exposed to the device, reducing phishing and malware risks.
Engineered with true tamper-resistance – keys are wiped if tampering is detected