Slashdot Mirror


How To Head Off ATA HDD Password Abuse

An anonymous reader submits "German c't magazine has a story about abusing the security features of ATA hard disks. The bottom line is that almost all ATA hard disks in desktop PCs can be password-protected. However, on most desktop PCs, the BIOS does not support locking this option -- so viruses or malware could set a random password, making any data unreadable unless recovered by professionals."


  1. the word being "could" by Anonymous Coward · · Score: 5, Insightful


    but when was the last highly destructive virus you saw?

    virus writers/skripterz have long since learnt, if you kill the host it is of no use to you, you achieve nothing

    99% of viruses today are trojans because you can use your fancy stealth infection/propagation routines AND make a profit if you keep the host alive, locking a HD would be pointless and contrary to opinion most Virus writers are not stupid, misguided perhaps but not stupid

    1. Re:the word being "could" by Anonymous Coward · · Score: 1, Insightful

      It depends... in nature viruses silently reproduce before killing the host. There's no reason why computer viruses couldn't do the same - this would be very effective.

      Effective at what, mimicking nature? There's no advantage to doing that.

    2. Re:the word being "could" by nacturation · · Score: 2, Insightful

      So the clever blackmailer would then send a ransom note to an attached printer, wait for confirmation of a successful print, and then initiate the lockdown. If it can't find a printer, it would just use that host to spread to other machines. Gotta be ethical, right? :)

      "Need your data back? For only $1000, we'll send you the correct password. Send payment via Western Union to..."

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  2. Disk-Jacking to put hard drives At Your Disservice by D4C5CE · · Score: 4, Insightful
    There's a larger risk looming in this unwelcome feature... From an earlier submission:
    Heise has just released a dire warning (and temporary treatment) from c't regarding ATA hard disk security passwords: There may be a gaping security hole in millions of computers that allows malware to lock the hard drives from their legitimate users. Some will remember what this means from extortionate trojan horses as early as 1989 (search for "Panama" - judicial outcome in 1995). Now factor in how some similar disaster, "supported" by firmware, could spread over the Internet rather than by postal mail today...
    It seems crucial to protect one's system ASAP against what could become a boon for blackmailers.
    The problem is that if BIOS doesn't disable the function, a "well"-(i.e. viciously)-positioned malware (early in the boot process) could lock the hard drive on first reboot even before any protective software can kick in.
  3. Re:why would you do this? by darkwhite · · Score: 5, Insightful

    Why on earth would you want to password "protect" a hard drive? How would that be any better than properly encrypting your files?

    Speed.

    Only very sophisticated organizations have the means to lift data off a password-protected hard drive. Encryption, while more durable in that regard, sacrifices speed with every access to the files in question.

  4. Re:why would you do this? by discordja · · Score: 2, Insightful

    of course, the proper tools and you can easily bypass that as well (professional data recovery teams wouldn't have much of a job to do if it was easy as you say to lock the data away for good). pull the drive apart and read straight off the platters if need be.

    tools tools tools .. sure the NSA could break strong encryption given enough time but so could any determined individual that wanted to read the disk.

    --
    I stole this .sig
  5. Re:Security hole? by johkir · · Score: 2, Insightful
    Here's a possible profitable situation. I get into your offices one day, perhaps for an interview. Through some social engineering, I get access to a PC to 'check my email.' I also load this virus, which, after spreading itself around a bit, goes through its time delay, and then locks the HD, on as many disks as it can. The cheapest solution is to install new ones. I, of course, know the password, and I just wait at the dumpster for all your personnel/financial info and maybe some proprietary software to land my way. Profit!

    Yes, you could wipe the drive with a nice big magnet, but where is that? Oh well.

    --
    These are some of the things molecules do...... given 4 billion years -Carl Sagan
  6. Re:Security hole? by Wesley+Felter · · Score: 2, Insightful

    That takes time, especially on large drives. Setting the password takes virtually no time.

  7. Re:professional? by mkldev · · Score: 4, Insightful
    I'm willing to bet drive manufacturers -do- have custom firmwares that do that. Why? Because otherwise they would end up generating a lot of bricks while testing bug fixes to those parts of the firmware....

    Further, it shouldn't be that hard to solve this problem. The drive reads the data off the disk. There's a ribbon cable between the controller board and the disk. Tap the data stream. Feed it into a logic analyzer that has a digital data output (e.g. a USB logic analyzer). Take the data captured, find the sync bytes, then shove the remainder into an RLL decoder.

    Now figure out the ECC format used (it will typically be four bytes at the end of each sector, but this may vary). Strip the ECC bytes. You now have a track image of the track in question, probably with some extra sync bytes between sectors, but I'm not sure. If you want, you could simply single-step the drive motor repeatedly and copy the entire disk this way, but it is probably more effective to write a program that scans for things that might be an ATA password and tries them sequentially.

    To make this easier, every 4 passwords or so, the tool should ask you to power-cycle the drive. To facilitate this, take a power extender cable and cut the 5v line. Put a momentary off pushbutton inline. Press for a second and then release. In all likelihood, you should only need to power cycle the drive electronics, not the drive motor (12v).

    I've never tried this, of course, but in principle, it shouldn't be that bad....

    --
    120 character sigs suck. Make it 250.
  8. Re:professional? by HappyClown · · Score: 2, Insightful

    Nope, RTFA. Part of the firmware and password is stored on the HDD itself, so even replacing the entire drive controller hardware doesn't help.

  9. Re:OS level fix by enosys · · Score: 2, Insightful

    The article said the password was stored on the disk, not in flash memory on the board. Someone here claimed that it's stored in both. Remember, this is supposed to provide some security for your data if the disk is stolen. If swapping circuit boards "fixed" it that would be terrible security.

  10. Re:A hint.... by jimicus · · Score: 2, Insightful
    blackbird root # hdparm -I /dev/hde

    /dev/hde:

    ATA device, with non-removable media
    Model Number: ST340016A

    [ --- cut --- ]

    Security:
    Master password revision code = 65534
    supported
    not enabled
    not locked
    not frozen
    not expired: security count
    not supported: enhanced erase
    http://www.google.co.uk/search?q=ATA+master+password&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox&rls=org.mozilla:en-US:official

    Looks pretty true to me.
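
The `hdparm -I` output quoted above shows a drive that supports the security feature set, has no password set and is `not frozen`, which is the condition the story describes. The following is an added example, not part of the original comment, that classifies that section so several drives can be audited at once; the sample inputs are constructed from the flags quoted above, and the state names (`exposed` and so on) are this example's own.

```shell
#!/bin/sh
# Added example: classify the "Security:" section of `hdparm -I` output (stdin).
# Prints one of: unsupported | locked | enabled | frozen | exposed
ata_security_state() {
    awk '
        $1 == "Security:"   { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }   # next unindented heading ends the section
        # hdparm prints a bare word for a set flag and "not <word>" for a clear one
        insec && NF == 1 && $1 ~ /^(supported|enabled|locked|frozen)$/ { f[$1] = 1 }
        END {
            if (!f["supported"])   print "unsupported"
            else if (f["locked"])  print "locked"    # password set, drive refusing I/O
            else if (f["enabled"]) print "enabled"   # password set, currently unlocked
            else if (f["frozen"])  print "frozen"    # security commands rejected until power cycle
            else                   print "exposed"   # no password and not frozen
        }'
}

# Constructed sample carrying the flag values from the output quoted above.
sample_not_frozen() {
    cat <<'EOF'
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
    not supported: enhanced erase
Checksum: correct
EOF
}

# Constructed sample: the same drive once the freeze lock has been issued.
sample_frozen() { sample_not_frozen | sed 's/not frozen/    frozen/'; }

# Usage (as root): sh ata_state.sh /dev/hda /dev/hde
for dev in "$@"; do
    printf '%s: %s\n' "$dev" "$(hdparm -I "$dev" 2>/dev/null | ata_security_state)"
done
```

A drive reported as `exposed` will accept a new password from any software that can send raw ATA commands; `frozen` means the drive rejects security commands until its next power cycle.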
  11. Re:Disk-Jacking to put hard drives At Your Disserv by Anonymous Coward · · Score: 1, Insightful

    If you manage to backup every system in and out of your offices every few hours... congratulations, please let us know your storage solution...

    Two words: Thin Clients

  12. Re:professional? by tomhudson · · Score: 2, Insightful
    yes there is, get an identical drive and swap the logic boards.
    RTFA: The passwords, and most of the drive firmware, are stored on the drive platters, not on the logic boards.
  13. Re:professional? by TummyX · · Score: 2, Insightful

    Of course swapping the electronics from a protected hard disk to an unprotected one won't work. But swapping the electronics for one that *doesn't care* about the password will.

    The data is not encrypted.

  14. big deal by idlake · · Score: 3, Insightful

    Viruses and spyware can simply erase your disk, in addition to changing the password. The solution? The same solution as for hardware failures, cats walking across the keyboard, or babies drooling on the disk: restore from a recent backup. If you don't have a recent backup, a virus that sets the ATA HDD password is the least of your problems.

  15. Re:directly from the site by pegr · · Score: 2, Insightful

    Variation of the swap logic boards trick...

    Swap with one of your own design. Since the password is on the disk, the original logic board has to get it, right? That means the logic board can talk to the platters... You just need a logic board that retrieves the password for you. Then swap back and do whatever you want.

    I bet that's how the data recovery outfits do it. They even stated in TFA that known models are no problem, unknown models may take awhile. Yup, designing a logic board to talk to someone else's drive might take a bit of time.