How To Head Off ATA HDD Password Abuse
An anonymous reader submits "German c't magazine has a story about abusing the security features of ATA hard disks. The bottom line is that almost all ATA hard disks in desktop PCs can be password-protected. However, on most desktop PCs, the BIOS does not support locking this option -- so viruses or malware could set a random password, making any data unreadable unless recovered by professionals."
Why on earth would you want to password "protect" a hard drive? How would that be any better than properly encrypting your files?
Apple also sees no need for action: to load a kernel extension it is necessary to enter the administrator's password, the company noted. We have come to an agreement with Apple to the effect that we will program a demonstration of the damaging action and make it available to Apple. Perhaps someone in the United States will change his or her mind once he or she can only access their hard disk after correctly entering "c't Magazin für Computertechnik" (including the umlaut!).
Here is a website that shows how to unlock it, and you don't even have to be a professional!
http://www.rockbox.org/lock.html
but when was the last highly destructive virus you saw?
Virus writers/skripterz have long since learnt that if you kill the host it is of no use to you; you achieve nothing.
99% of viruses today are trojans, because you can use your fancy stealth infection/propagation routines AND make a profit if you keep the host alive. Locking a HD would be pointless, and contrary to opinion most virus writers are not stupid; misguided perhaps, but not stupid.
_One_ April Fools' joke from a news source is cool. When you see the tenth "joke" on Slashdot, it's a bit old. When _all_ of those are just re-reporting of other sites' jokes, it's pathetic.
The problem is that if BIOS doesn't disable the function, a "well"-(i.e. viciously)-positioned malware (early in the boot process) could lock the hard drive on first reboot even before any protective software can kick in.
How is this any worse than if a virus were to erase the hard drive?
OK, I'm not a device programmer, but is it technically possible to create a virus that, on certain brands of BIOSes, using the hardware interface (I know MSI boards support software overclocking, and many graphics cards do too), could overclock the computer in some way and cause permanent damage to the system? I am fairly certain you could, and if so, why is this not a more major worry, as this could cause real damage?
The only things certain in war are Propaganda and Death. You can never be sure which is which though
Duke Nukem Forever running on Debian Sarge HURD?
KFG
What if someone encrypts all your data one night? You show up for work one morning only to find the latest worm has encrypted all your data and it forces you to recite the lyrics to ELO's Another Heart Breaks ("one, two, three," etc.) before you can get at your data again. Look, if it has enough access to reset the password on your ATA drive, you probably have bigger issues to worry about, like the gaping hole in your OS that allows user code direct access to your hardware.
I think you underestimate just how much I just don't care.
[Fuck Beta]
o0t!
Is this supposed to be funny, or did the Slashdot staff really fall for this April 1st joke??? If it's supposed to be funny, I can assure you, it's not. Not after the last day... In the second case it only seems to prove what we always thought :-)
This story was published yesterday on heise online...
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
If this was meant to be an April Fool's joke, they could have at least made up a _new_ technology. As it is, ATA passwords are as old as ATA hard drives (which is to say, ancient). Thus, it is just another /. useless article day.
Imagine a worm/virus that spreads like mad and then locks hundreds of thousands of hard disks. That would be remarkably less than cool.
in Soviet Russia, your hard drives pwns you!
Please use the correct format:
I just heard some sad news on CNN. Pope John Paul II was found dead in his Vatican apartment today. There weren't any more details. Even if you didn't care much for his work, there's no denying his contribution to archaic beliefs. Truly a Catholic icon.
If it's in a known and common chip on the control board couldn't someone just replace the chip?
I regularly work with surface mount ICs and there are solutions to remove and replace virtually any device.
Stop the world; I need to get off.
Because compared to data, hardware is cheap, genius.
If you're a company, what concerns you more--having to buy a new CPU (~$250US, tops) or no longer being able to access your customer database, or internal accounting information, or whatever ($????)
Is that an adult magazine that happens to be anti-UN?
"In the June issue of c't: girls, girls girls, and why we hate Kofi Annan!"
Ignore the rantings above. Poster is an idiot.
The Xbox uses the ATA password feature to prevent unauthorized activity on a disk. The password can be thwarted by hot-swapping the drive into another machine after the Xbox has unlocked the drive. After that point, though, a few other things stand in your way.
Did they ever?
If the BIOS doesn't do it, the OS, upon boot, could simply instruct the drive not to accept password change commands. That wouldn't stop a sufficient virus from sabotaging the next boot and setting it, but it still increases security.
Wow, aren't you clever, though you forgot that data is regularly backed up if you have half a brain, and knocking out a major system in your network could cripple it and cost a great deal of money.
It's called the HDD passwd in an Xbox. It's how all Xboxes are password-protected against their own motherboard, to prevent duplication and crap. Too bad it's been broken more times than this entire post :)
Viva la xbox revolucion!
There's no Freedom like UFP-dom
An SRST initiated over the device control register would be interpreted as a COMRESET. Since the disk isn't able to distinguish a software reset from a hardware reset, it would open the freeze lock, outside the BIOS obviously, which would leave the ATA security open for changing the password.
Erasing it, or even recording some random porn images before password-protecting it: almost every user would just discard it, but there would be some of them who pay a lot of money to discover one hundred copies of goatse.... really funny!
"A DOS from a diskette boots suspiciously slowly"
When does a diskette ever boot not "suspiciously slowly"?
Digital Sailor
You can restore an erased drive from backups.
A locked drive can't be restored when you don't know the password.
It's the difference between deleting the data, and deleting the drive. Drives are cheap now, but not to the point where throwing away drives can be ignored.
What's a more successful species? Smallpox or bubonic plague, or the bacteria that live in your gut that help digest your food and make you fart?
From my understanding, as long as the locked HD is on the MoBo where it was locked, it still works fine; it's only when it's attached to another MoBo that it's unreadable (my experience is from the Xbox).
It appears in the printed edition 8/05. The April Fools' Day joke appears in 7/05. And the editor wrote explicitly in the forum of heise online that it was *no* joke. So, nice hint, but a little bit misleading.
This is absolutely correct. It should always be possible to read the data from the connection lines... at least until trusted computing hardware starts to hit the market.
And then if you can tell us how you put these backups back onto thousands of locked hard drives that you don't even have write access to anymore (otherwise all you'd need are spare hard drives for every machine), you'd only need the staff to service all of these computers before a few days of lost business have bankrupted your company.
Or wait a minute, sounds like a plan:
... or is there something similar for SCSI hard drives?
I'm not affiliated with them, but I just wanted to say that CT is in my opinion the best computer magazine today.
In general, these features don't seem coded too well. Here's a post I made to Bugtraq back in December of 2003.
The Dell BIOS allows users to set several different passwords to protect their machines from unauthorised access. There is 1) a Setup Password, which is required to enter the BIOS setup, as well as 2) a Hard Drive Password, as per the ATA Security Feature Set Specification.

Unfortunately, once a Hard Drive Password is set which contains one or more of the following characters,

, . ; : ' [ ] { }

it cannot later be entered to access the machine. It appears as though a bug in the BIOS code prevents those characters from being taken as input when the user is asked for the password; however, the BIOS incorrectly allows users to set passwords containing those characters.

This is not an incredibly serious problem as such, since a user can go back into the BIOS setup and change the password there, provided the BIOS Setup is not protected with an unknown password. Or, as a last resort, Dell can be phoned to provide a master backdoor password, as long as the user can prove herself the legal owner of the computer. Of course, the prerequisite of physical access to the machine highly mitigates this vulnerability.

It is however an interesting bug from the point of view of Dell's practices. I contacted them over two weeks ago, but their 'technical support' is unable to understand or resolve the problem. Two of their representatives told me to reinstall Windows XP Chipset drivers, even when I asked to be forwarded to people higher in the technical support chain. Perhaps this post will encourage Dell to pay more attention in the future.

Affected Systems: Dell Inspiron 2650 System BIOS, A11 (A11 is the current BIOS as of writing, and was released in late September of this year). Other BIOS/Dell models are perhaps vulnerable but have not been tested.
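The bug in the Bugtraq post above is a set/verify asymmetry: the setup screen stores any printable character, but the boot-time prompt's keyboard handler drops some punctuation, so a stored password can never be re-entered. The model below is an added example (not Dell's firmware and not code from the post); the dropped character set is taken from the post, and the "any printable ASCII, up to 32 bytes" set-time rule is an assumption (32 bytes is the ATA password length). It shows the property a firmware test suite should check, and the fix of routing set-time validation through the same predicate the prompt path uses.

```python
"""Model of the Hard Drive Password set/verify mismatch described in the
Bugtraq post (added example; not Dell's code). Demonstrates a property check:
any password that set_password() accepts must unlock when typed at the prompt."""

# Characters the post reports as silently dropped by the BIOS prompt.
# This is a constructed model of that behaviour; the real filter is unknown.
DROPPED_AT_PROMPT = set(",.;:'[]{}")


def prompt_filter(typed: str) -> str:
    """What the boot-time prompt actually sees for a typed sequence."""
    return "".join(ch for ch in typed if ch not in DROPPED_AT_PROMPT)


class BuggyHddPassword:
    """Setup path and prompt path use different acceptance rules."""

    def __init__(self) -> None:
        self.stored = None

    def set_password(self, pw: str) -> bool:
        # Assumed setup-screen rule: 1..32 printable ASCII characters.
        if not (1 <= len(pw) <= 32) or not all(32 <= ord(c) < 127 for c in pw):
            return False
        self.stored = pw
        return True

    def unlock(self, typed: str) -> bool:
        return self.stored is not None and prompt_filter(typed) == self.stored


class FixedHddPassword(BuggyHddPassword):
    """Reject at set time anything the prompt path could not reproduce."""

    def set_password(self, pw: str) -> bool:
        if prompt_filter(pw) != pw:
            return False
        return super().set_password(pw)


def can_be_reentered(impl_cls, pw: str) -> bool:
    """Property: if set_password accepts pw, typing pw must unlock the drive."""
    dev = impl_cls()
    return (not dev.set_password(pw)) or dev.unlock(pw)


def find_lockouts(impl_cls, candidates) -> list:
    """Return the candidate passwords that would lock the user out."""
    return [pw for pw in candidates if not can_be_reentered(impl_cls, pw)]


if __name__ == "__main__":
    sample = ["hunter2", "a;b", "c't", "{braces}"]   # constructed test inputs
    print("buggy lockouts:", find_lockouts(BuggyHddPassword, sample))
    print("fixed lockouts:", find_lockouts(FixedHddPassword, sample))
```

The point of `can_be_reentered` is that it is implementation-agnostic: run it over the full printable range and it catches any character the two paths disagree on, not just the nine the reporter happened to try.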
If you manage to backup every system in and out of your offices every few hours... congratulations, please let us know your storage solution...
Two words: Thin Clients
I've been doing more work with FPGAs recently:
:)
If this is the case, there are some IDE controller projects available on opencores. It shouldn't be a serious problem for someone to build a board that would allow you to mount the drive so you can copy data off of it - there are also open, well tested, PCI bridge modules freely available now.
http://www.opencores.org/browse.cgi/by_category
If it is indeed the serious concern that people indicate, and it can be broken by the means you suggest - I challenge someone with a few dollars to donate it to opencores with the objective of getting this done.
Indeed, the "sticking it to the man" factor is high enough that I am intrigued enough to have a more in depth look.
..don't panic
Viruses and spyware can simply erase your disk, in addition to changing the password. The solution? The same solution as for hardware failures, cats walking across the keyboard, or babies drooling on the disk: restore from a recent backup. If you don't have a recent backup, a virus that sets the ATA HDD password is the least of your problems.
but when was the last highly destructive virus you saw?
What about the witty worm?
It spread in less than an hour and then proceeded to destroy data on the hosts' hard disks.
I've seen serious car accidents funnier than your statement.
The way I understood it, there are two passwords: user password and administrator password.
Access to the hard drive will only be prevented if the user password is set, but the user password can only be set when the administrator password is known.
So if I only set the administrator password, then the drive can be accessed as usual, but the user password cannot be set by some software.
Correct? or did I misunderstand that?
There is no "administrator password". The "master password" is like a janitor's master key. It's a failsafe to let you unlock the drive if the user password was set.
The incredibly stupid thing is there doesn't seem to be a way to say "disable the password mechanism completely". IMHO, this should be the default state, and it should require physical access to the drive (say, with a jumper) as well as (of course, any passwords) to switch it from one state to another. A laptop could connect that jumper to an external "security" button that you hold down while the BIOS does its thing.
I tried hdparm -I on my IBM ThinkPad T41p and IBM NetVista.
Both systems have two harddisks, and it is reporting for both the primary and secondary harddisks that the security feature is 'frozen'.
Also my dual CPU Opteron system with Phoenix bios reports both the primary and secondary harddisks as having the security feature 'frozen'.
So all my systems appear to be fine
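Two of the comments above describe the same thing from different angles: the user/master password distinction and the `frozen` state that hdparm -I reports. The script below is an added example, not code from c't, hdparm or any poster. It decodes the ATA security status both from the text hdparm -I prints and from IDENTIFY DEVICE word 128 directly (bit layout per ATA/ATAPI-7), then answers the thread's question: can software on this host set a password right now? The hdparm output and the IDENTIFY buffer are constructed samples, not captured from a real drive.

```python
"""Decode ATA Security Feature Set status and judge exposure to an unwanted
SECURITY SET PASSWORD. Added example; sample inputs are constructed."""
import re
import struct

# IDENTIFY DEVICE word 128 ("Security status") bits, ATA/ATAPI-7.
SEC_SUPPORTED = 1 << 0
SEC_ENABLED = 1 << 1
SEC_LOCKED = 1 << 2
SEC_FROZEN = 1 << 3
SEC_COUNT_EXPIRED = 1 << 4
SEC_ENHANCED_ERASE = 1 << 5
SEC_LEVEL_MAXIMUM = 1 << 8      # 0 = High (master unlocks), 1 = Maximum (master erases only)


def identify_with_word128(w128: int) -> bytes:
    """Build a constructed 512-byte IDENTIFY DEVICE block with only word 128 set."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, 128 * 2, w128)
    return bytes(buf)


def decode_word128(identify: bytes) -> dict:
    """Security status straight from the IDENTIFY DEVICE data."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data is 512 bytes")
    (w128,) = struct.unpack_from("<H", identify, 128 * 2)
    return {
        "supported": bool(w128 & SEC_SUPPORTED),
        "enabled": bool(w128 & SEC_ENABLED),
        "locked": bool(w128 & SEC_LOCKED),
        "frozen": bool(w128 & SEC_FROZEN),
        "expired": bool(w128 & SEC_COUNT_EXPIRED),
        "enhanced_erase": bool(w128 & SEC_ENHANCED_ERASE),
        "level": "maximum" if w128 & SEC_LEVEL_MAXIMUM else "high",
        "master_revision": None,
    }


# Constructed sample in the layout hdparm -I uses for its "Security:" section.
HDPARM_SAMPLE = """\
ATA device, with non-removable media
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. 
Checksum: correct
"""

FLAG_RE = re.compile(
    r"^\s*(?P<not>not\s+)?(?P<flag>supported|enabled|locked|frozen|expired)\b(?P<rest>.*)$")


def parse_hdparm_security(text: str) -> dict:
    """Security status from hdparm -I text (the 'not' prefix negates a flag)."""
    status = {"supported": False, "enabled": False, "locked": False, "frozen": False,
              "expired": False, "enhanced_erase": False, "level": None,
              "master_revision": None}
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("Security:")]
    if not starts:
        return status
    for line in lines[starts[0] + 1:]:
        if not line[:1].isspace():          # next top-level section begins
            break
        m = re.search(r"Master password revision code = (\d+)", line)
        if m:
            status["master_revision"] = int(m.group(1))
            continue
        m = FLAG_RE.match(line)
        if not m:
            continue
        value = m.group("not") is None
        if m.group("flag") == "supported" and m.group("rest").strip().startswith(":"):
            status["enhanced_erase"] = value   # "supported: enhanced erase"
        else:
            status[m.group("flag")] = value
    return status


def exposure(s: dict) -> str:
    """Can software on this host issue a SET PASSWORD that takes effect?"""
    if not s["supported"]:
        return "no-security-feature-set"
    if s["frozen"]:
        return "frozen"           # SET PASSWORD aborts until the next power cycle / reset
    if s["enabled"]:
        return "locked" if s["locked"] else "enabled-unlocked"
    return "open"                 # unfrozen and unset: any ATA-capable code may set one


if __name__ == "__main__":
    print("hdparm sample:", exposure(parse_hdparm_security(HDPARM_SAMPLE)))
    print("word128=0x0001:", exposure(decode_word128(identify_with_word128(0x0001))))
```

The "open" verdict is the configuration the c't article warns about; "frozen" is what the ThinkPad and Phoenix BIOSes in the comment above produce by issuing SECURITY FREEZE LOCK before the OS loads. Note that a freeze lasts only until the next reset, which is why the earlier comment about an SRST being treated as a COMRESET matters.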
Hard drive password locking today, full system locking tomorrow. Once DRM supporting BIOSes ("trusted computing") hit a critical mass, we will surely see viruses that use that DRM itself to disable the entire hardware, not just one drive or two.
In a way, these "trusted computing" solutions will be more risky than the open systems we have today. A virus on such a system could disallow your hardware to boot from any device and run any software, so even removing an affected drive would not be enough. Users would have to kiss the motherboard goodbye or seek profe$$ional help.
Don't expect to hear anything about this from M$ or any other proponents of trusted computing.
Yahoo.
--- -- - -
Give me LIBERTY, or give me a check.
And just how does the BIOS prevent locking your hard drive? Yes, it might not have the API call if you use the BIOS, but can't you call the drive outside of the BIOS code?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Why is it that the word-wrapping of your post seems a bit weird? I am seeing line breaks in the middle of sentences.
The RIAA
I don't think that the Xbox HDD password has been 'broken'. The last time I checked, the scheme used was to boot the drive with the Xbox and then hot-swap the cable to your computer. The Xbox provides the password to unlock the drive. Can anyone post the password? I don't think so.
If that was the case, you could, in theory, buy a brand new, identical hard drive to the one that was "HAXX0R3D" and swap out the controller boards.
I did this a long time ago with an IBM 10 Gig drive when the controller board died on it. It's kind of a delicate procedure but if you are careful you should be able to unscrew the board and replace it with a new one.
I didn't see anything in the article that addressed this so I'm not sure if it would work, but it's worth a try!
As things which require encryption become more commonplace, hardware aimed at optimizing the encryption process is becoming more common as well. Remember, some software encryption may be hard on your standard CPU because the PC by nature is, while optimized in certain areas, aimed at being more versatile than specific.
There are boards that have chipsets aiming at supporting hardware-based encryption though (I know VIA has a few). Just like a sub-1GHz GPU will kick your 3.2MHz CPU's ass for 3D rendering, a lower-speed but optimized EPU (Encryption Processing Unit?) could manage to do the process without overhead on the rest of your system, and without a largely noticeable bottleneck.
Storing data without encryption still involves very specific hardware that does processing on the drive itself; data doesn't just magically jump onto the platters without the drive knowing how to put it there.
Throwing an encryption chip on motherboards (or perhaps even better on the drives themselves) would allow for all this to happen without speed issues... it's all about optimization.
And as for the security issues with the motherboards... why not restrict setting such things to doing so within the BIOS menus themselves? If you're playing with drive encryption options you should know what you're doing anyhow, though having an option to *lock* the encryption/passwords is definitely a smart idea (perhaps even in the form of a hardware setting via jumper/toggles).
It's not that simple.
The firmware on the HDD's board is only a first-stage bootloader. It just gets more boot code from the drive and jumps into it. The password isn't stored on the drive in cleartext; it's encrypted. You must supply a proper password that yields the same result. Modern disk drives resemble DOS: 20-30 tables and programs are accessed before the drive will 'TALK' to you.
There is a HW/SW combo, that claims to be able to reset the passwords: http://www.pc3000pci.com/pc3000.htm
HTH
-t
How much good does a back-up do, when you can't access your hard-drive. Or hard-drives. Or your back-up servers hard-drives. You'll have to buy a new hard-drive to back-down your stuff.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
If you lock out the drive you aren't going to spread yourself very far.
Oh I don't know.. Once I was done with it, I'd say the platters would 'spread' pretty far after a 5 story fall.
Data is information, especially that stored in a single row along the length of each chromosome. A chromosome is a mixture of chalk and clay used for filtering urine from the heart. I am certainly not a computer program that translates high level language code into machine language code.
Haven't seen any conspiracy theorists so far pick up on the "32 bit password" bit. Assuming the drive doesn't delay or stop responding to access attempts after a number of tries, this could be cracked in a matter of hours.
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net