Slashdot Mirror


How To Head Off ATA HDD Password Abuse

An anonymous reader submits "German c't magazine has a story about abusing the security features of ATA hard disks. The bottom line is that almost all ATA hard disks in desktop PCs can be password-protected. However, on most desktop PCs, the BIOS does not support locking this option -- so viruses or malware could set a random password, making any data unreadable unless recovered by professionals."


  1. professional? by AmigaAvenger · · Score: 4, Informative
    unless recovered by a professional? It takes all of 2 minutes to make a boot disk with atapwd and reset it. Besides, the reason no virus does this is because it needs an operational machine. If you lock out the drive you aren't going to spread yourself very far.

    Here is a website that shows how to unlock it, and you don't even have to be a professional!

    http://www.rockbox.org/lock.html

    1. Re:professional? by C_To · · Score: 3, Informative

      Did you read the bottom part of the page you quoted? It said there was no way to fix the ATA password in Maximum security mode without knowing what it is.

    2. Re:professional? by warrior · · Score: 5, Informative

      No, you cannot use atapwd to reset it. There are two passwords, a master and a user. If you know the master password, you can use atapwd to reset the user password. These passwords are stored across platters and are stored as a checksum in flash on the HD controller. Resetting the password is not trivial at all. There are two options: use a logic analyzer and try to intercept the pieces of the password on its way in to generate the checksum (haven't heard of anyone being able to accomplish this), or take the drive apart in a clean room, erase the password off the platters and attach a virgin controller. There are no companies in the US that will do either of these for you, and I don't think that's a coincidence. The very few (3-4) companies that perform this service make very good money off it.

      If you don't believe me, set your master ATA pwd to a known value and try to reset it by any means _without_ using the password. You can't, you're hosed. Most people at this point chuck the disk, they're cheap. But if you need the data you'll pay anything. The idea behind it is that should it get stolen, the data is safe. The companies that do data retrieval require proofs of ownership. However, for the fool that forgets or accidentally sets the password, you're hosed.

      For those of you that own Toshiba 80GB laptop hdds, beware, there's a flaw in the controller that may glitch and set a random password for you. In that case you'll want to talk to Nortek.

      --
      Intel transfer the difficult from Hadware to software, for get more power, programmer need more technology. -- chinaitn
    3. Re:professional? by darkwhite · · Score: 3, Informative

      Your reasoning is correct - that should be the easiest way. But I'm willing to bet the HDD manufacturers don't have a few of these laying around because if it became known that a particular HDD has password-bypassing controller boards available on the grey/black market, the corporations who use this feature as part of their security procedures would stop buying that manufacturer's drives.

    4. Re:professional? by Anonymous Coward · · Score: 1, Informative

      Why the heck can't you just replace the chip with the flash with a new one?

      The password is duplicated on each platter, so the new firmware will read the password and halt again.

    5. Re:professional? by evilviper · · Score: 3, Informative
      you can wipe the disk for a recover if the master password is tampered.

      No, you certainly can't.

      The hard drive will not accept any commands until you give it the correct password (stored in an eeprom). You'll get a stream of errors even if you just try to cat zeros to the drive's device.

      In case it isn't obvious, I have first-hand experience with this, though on notebook drives, never desktop drives.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    6. Re:professional? by k8to · · Score: 2, Informative

      I am baffled that the parent was modded up, given that it is clearly incorrect even according to the link listed.

      To be clear, the link listed provides only one piece of information in addition to the heise article: drives come with a default master password, and it is possible to find out if the default master password is still in place.

      While handy information, it does not alleviate the security concerns. A locked drive is still inaccessible without the password. A malicious user or malware can change the master and user passwords and still render the drive a brick.

      --
      -josh
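The replies above disagree about what the master password can and cannot do, and about what "Maximum security mode" changes. Those rules are easier to see in a small model of the ATA security state machine. The following is an added example written for this mirror, not code from the c't article, from atapwd or from any drive vendor; the factory-default master password, the sample payload and the scenario names are assumptions of the model, and it leaves out the five-attempt expiry counter and the SECURITY ERASE PREPARE handshake.

```python
"""Toy model of the ATA Security feature set (added example, not vendor code).
Models user vs. master password, High vs. Maximum level and FREEZE LOCK, then
runs the "malware sets a random password" scenario from the article."""
from dataclasses import dataclass
from typing import Optional

HIGH, MAXIMUM = "high", "maximum"
FACTORY_MASTER = "FACTORY-DEFAULT"   # assumed vendor default master password
PAYLOAD = b"secret payroll.xls"      # constructed user data


class SecurityError(Exception):
    """The drive answers 'command aborted'."""


@dataclass
class AtaDrive:
    master_pw: str = FACTORY_MASTER
    user_pw: Optional[str] = None
    level: str = HIGH
    enabled: bool = False            # a user password has been set
    locked: bool = False             # set at power-up when enabled
    frozen: bool = False             # SECURITY FREEZE LOCK until next power cycle
    data: bytes = PAYLOAD

    def _not_frozen(self):
        if self.frozen:
            raise SecurityError("frozen: aborted until power cycle")

    def _accepts(self, ident, pw, master_needs_high):
        if ident == "user":
            return pw == self.user_pw
        return pw == self.master_pw and (self.level == HIGH or not master_needs_high)

    def power_cycle(self):
        """Only a drive with security enabled comes up locked; freeze is cleared."""
        self.frozen, self.locked = False, self.enabled

    def set_password(self, ident, pw, level=HIGH):
        """SECURITY SET PASSWORD: refused when frozen or locked; the user
        password is what enables security and fixes the level."""
        self._not_frozen()
        if self.locked:
            raise SecurityError("locked: SET PASSWORD aborted")
        if ident == "master":
            self.master_pw = pw
        else:
            self.user_pw, self.level, self.enabled = pw, level, True

    def freeze_lock(self):
        """SECURITY FREEZE LOCK: what a careful BIOS issues right after POST."""
        self.frozen = True

    def unlock(self, ident, pw):
        """SECURITY UNLOCK: the master password only works at High level."""
        self._not_frozen()
        if self.locked and not self._accepts(ident, pw, master_needs_high=True):
            raise SecurityError("wrong password, or master refused at Maximum")
        self.locked = False

    def erase_unit(self, ident, pw):
        """SECURITY ERASE UNIT: accepted while locked, master works at either
        level, but the data is wiped to get the drive back."""
        self._not_frozen()
        if not self._accepts(ident, pw, master_needs_high=False):
            raise SecurityError("erase refused")
        self.data = b"\x00" * len(self.data)
        self.enabled, self.locked, self.user_pw = False, False, None

    def read(self):
        if self.locked:
            raise SecurityError("locked: media access aborted")
        return self.data


def attack(level, change_master=False, bios_froze_drive=False):
    """Malware sets a random user password (optionally a new master first).
    Returns what an owner knowing only the factory master can do after reboot."""
    d = AtaDrive()
    if bios_froze_drive:
        d.freeze_lock()                  # the defence the article asks BIOSes for
    r = {}
    try:
        if change_master:
            d.set_password("master", "attacker-master")
        d.set_password("user", "r4nd0m", level=level)
    except SecurityError:
        r["set_password_aborted"] = True
        return r
    r["runs_until_reboot"] = d.read() == PAYLOAD   # nothing breaks before reboot
    d.power_cycle()
    r["locked_after_reboot"] = d.locked
    for step in ("unlock", "erase_unit"):            # recovery, cheapest first
        try:
            getattr(d, step)("master", FACTORY_MASTER)
            r["master_" + step] = True
            break
        except SecurityError:
            r["master_" + step] = False
    try:
        r["data_recovered"] = d.read() == PAYLOAD
    except SecurityError:
        r["data_recovered"] = False
    return r
```

Run `attack(HIGH)`, `attack(MAXIMUM)`, `attack(MAXIMUM, change_master=True)` and `attack(HIGH, bios_froze_drive=True)` to reproduce the four cases argued about above: at High level the factory master password unlocks the drive with data intact; at Maximum level it can only erase, returning an empty but usable drive; once the master password has been changed as well, neither path is left; and a drive the BIOS froze at boot rejects the malware's SET PASSWORD in the first place.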
  2. Re:why would you do this? by tivoKlr · · Score: 5, Informative

    Well, for software modding an Xbox for starters.

    Xboxen will only boot from a locked hard drive, and to modify the files on an Xbox to, you know, allow you to run your own home written unsigned code, you need to be able to lock the drive once you've modified it to get the Xbox to recognize it.

    I have encountered BIOSes that won't allow you to lock or unlock drives. Very annoying...

    --
    Ocean is land, covered with water.
  3. Re:directly from the site by Anonymous Coward · · Score: 1, Informative

    No, you can't. If you open the drive outside of a clean room you will destroy it.

    So if your point is that if you build your own class 100 clean room and buy the password recovery tools from Nortek, then yes, you could do it yourself.

    I think at that point though, most would consider you a professional recovery expert.

  4. Re:the word being "could" by kwalker · · Score: 4, Informative

    Yes but the MOST successful viruses go years before they kill the host so as to maximize their infection rates. Plus often when a virus kills the host it's because the virus became TOO successful. Some viruses, like some of the herpes viruses, never kill the host, thereby living as long as the host organism does.

    --
    ... And so it comes to this.
  5. Disk-Jacking to put hard drives At Your Disservice by D4C5CE · · Score: 2, Informative
    could overclock the computer in some way and cause permanent damage to the system (...) why is this not a more major worry as this could cause real damage

    Not only because any attack like this would have to work with rather primitive code on a wide(spread) variety of hardware (like an ATA hard drive - very few systems don't have one), but also because the goal of an extortionist is to have hostages (cf. the above quotes on the 1989 attack).

    The "horror scenario" is something like this: a malware written to interfere at an early stage, e.g. as a replacement Master Boot Record, to lock the drive with a random password and display a message (which includes a scrambled representation of the password used) telling the user that the system won't work on reboot, and where to send money for "his or her" particular unlock code and/or a "personal" unlock disk. For those who are "lucky" enough to follow these "orders", there is a chance of getting the data back (i.e. "buying back" one's own system against "payola") until the blackmailer gets busted or bored...

    For anyone else just hitting reset, there will be no reboot, and specialist recovery to remove a 32-bit lock is the only chance (except for the vague hope that the malware or decrypter will very soon be "open-sourced" by the authorities on catching that crook).
  6. Re:why would you do this? by Anonymous Coward · · Score: 1, Informative

    No, if you have a modchip the original BIOS can be booted; however, if you softmod or flash the original BIOS, then you're banned from Live if you go on with a non-unique or hacked BIOS.

  7. You can restore an erased drive by Anonymous Coward · · Score: 1, Informative

    You can restore an erased drive from backups.

    A locked drive can't be restored when you don't know the password.

    It's the difference between deleting the data, and deleting the drive. Drives are cheap now, but not to the point where throwing away drives can be ignored.

  8. Still readable after locking by KasKyt · · Score: 1, Informative

    From my understanding, as long as the locked HD is on the MoBo where it was locked it still works fine; it's only when it's attached to another MoBo that it's unreadable. (My experience is from the Xbox.)

    1. Re:Still readable after locking by Anonymous Coward · · Score: 1, Informative

      No, you are wrong.

  9. Re:directly from the site by Anonymous Coward · · Score: 2, Informative

    Actually, the article states that the password is distributed across the platters, and a checksum is in the flash memory on the controller board. Therefore stripping out the controller board & replacing it is not going to make the drive work.

    In fact the recovery company mentioned in the article reportedly didn't have to open the drive to recover the password... Probably there's a flaw in the logic that controls checking the password. I suspect the password is stored unencrypted on the disk and there's a way to issue the "retrieve password for checking" command with a special device connected to an IO port on the controller board.

  10. Recent destructive worm by Bunyip+Redgum · · Score: 3, Informative

    but when was the last highly destructive virus you saw ?
    What about the Witty worm?
    It spread in less than an hour and then proceeded to destroy data on the hosts' hard disks.

  11. Re:easy prevention: only set administrator passwor by argent · · Score: 3, Informative

    There is no "administrator password". The "master password" is like a janitor's master key. It's a failsafe to let you unlock the drive if the user password was set.

    The incredibly stupid thing is there doesn't seem to be a way to say "disable the password mechanism completely". IMHO, this should be the default state, and it should require physical access to the drive (say, with a jumper) as well as (of course, any passwords) to switch it from one state to another. A laptop could connect that jumper to an external "security" button that you hold down while the BIOS does its thing.

  12. works properly on IBM's by Anonymous Coward · · Score: 1, Informative

    I tried hdparm -I on my IBM ThinkPad T41p and IBM NetVista.
    Both systems have two hard disks, and it is reporting for both the primary and secondary hard disks that the security feature is 'frozen'.

    Also my dual CPU Opteron system with Phoenix BIOS reports both the primary and secondary hard disks as having the security feature 'frozen'.

    So all my systems appear to be fine.
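The check in the comment above (is the drive's security state 'frozen'?) is the one practical test a desktop user can run against the article's scenario. The following is an added example, not part of the page or of hdparm: it parses the `Security:` block that `hdparm -I` prints and reports whether software with raw ATA access could still issue SECURITY SET PASSWORD. The two sample outputs are constructed for the example (the revision code 65534 is the value hdparm shows for a never-changed master password).

```python
"""Parse the 'Security:' block of hdparm -I output and give a verdict.
Added example; the SAMPLE_* strings are constructed, not captured from a
real drive. Usage on a live system: hdparm -I /dev/sdX | python3 thisfile.py"""
import re
import sys

FLAGS = ("supported", "enabled", "locked", "frozen", "expired")

# Constructed: the state the comment above reports (frozen by the BIOS at boot).
SAMPLE_FROZEN = """\
Commands/features:
\tEnabled\tSupported:
\t   *\tSECURITY feature set
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Constructed: the desktop case from the article, BIOS never sent FREEZE LOCK.
SAMPLE_UNFROZEN = SAMPLE_FROZEN.replace("\t\tfrozen", "\tnot\tfrozen")


def parse_security(text):
    """Return {flag: True/False/None, 'master_revision': int|None, ...}.
    None means the line (or the whole Security: block) was absent."""
    state = {f: None for f in FLAGS}
    state.update(master_revision=None, enhanced_erase=None)
    in_block = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line[:1].isspace():           # next top-level section ends the block
            break
        item = line.strip()
        m = re.match(r"Master password revision code = (\d+)", item)
        if m:
            state["master_revision"] = int(m.group(1))
            continue
        negated = item.startswith("not")      # hdparm prints "not<TAB>enabled" etc.
        word = (item[3:] if negated else item).strip()
        if word.startswith("supported: enhanced erase"):
            state["enhanced_erase"] = not negated
        elif word.split(":")[0] in FLAGS:     # "expired: security count" -> expired
            state[word.split(":")[0]] = not negated
    return state


def assess(state):
    """Verdict in the terms of the article: can software still set a password?"""
    if not state["supported"]:
        return "no SECURITY feature set: nothing to lock"
    if state["locked"]:
        return "LOCKED: a password is needed before any data access"
    if state["frozen"]:
        return "OK: frozen, SET PASSWORD is refused until the next power cycle"
    return "AT RISK: not frozen, any software with raw ATA access can set a password"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNFROZEN
    print(assess(parse_security(text)))
```

If the verdict is "AT RISK", hdparm's own `--security-freeze` option sends SECURITY FREEZE LOCK to the drive; since the frozen state is cleared by every power cycle, that only helps if it is issued on every boot, which is exactly what the article asks BIOS vendors to do.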