Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Head Off ATA HDD Password Abuse

Posted by timothy on from the I-did-not-know-that dept.

An anonymous reader submits "German c't magazine has a story about abusing the security features of ATA hard disks. The bottom line is that almost all ATA hard disks in desktop PCs can be password-protected. However, on most desktop PCs, the BIOS does not support locking this option -- so viruses or malware could set a random password, making any data unreadable unless recovered by professionals."

46 of 215 comments (clear)

  1. why would you do this? by Doppler00 · · Score: 2, Interesting

    Why on earth would you want to password "protect" a hard drive? How would that be any better than properly encrypting your files?

    1. Re:why would you do this? by tivoKlr · · Score: 5, Informative

      Well, for software modding an Xbox for starters.

      Xboxen will only boot from a locked hard drive, and to modify the files on an Xbox to, you know, allow you to run your own home written unsigned code, you need to be able to lock the drive once you've modified it to get the Xbox to recognize it.

      I have encountered bioses that won't allow you to lock or unlock drives. Very annoying...

      --
      Ocean is land, covered with water.
    2. Re:why would you do this? by darkwhite · · Score: 5, Insightful

      Why on earth would you want to password "protect" a hard drive? How would that be any better than properly encrypting your files?

      Speed.

      Only very sophisticated organizations have the means to lift data off a password-protected hard drive. Encryption, while more durable in that regard, sacrifices speed with every access to the files in question.

      --

      [an error occurred while processing this directive]
    3. Re:why would you do this? by discordja · · Score: 2, Insightful

      of course, the proper tools and you can easily bypass that as well (professional data recovery teams wouldn't have much of a job to do if it was easy as you say to lock the data away for good). pull the drive apart and read straight off the platters if need be.

      tools tools tools .. sure the NSA could break strong encryption given enough time but so could any determined individual that wanted to read the disk.

      --
      I stole this .sig
    4. Re:why would you do this? by darkwhite · · Score: 2, Interesting

      If you have started the machine and logged in, it is assumed that you are actually in control of the machine and its environment. The proper way to protect a running machine is to lock the screen and the bootloader (so the only way to get local access to the disk is to power cycle and face the master password) and to have a secured network interface (which you can never be 100% sure about but you can get pretty close).

      Of course, if you have a trojan installed or are being held hostage, these security principles don't work. The ATA password feature was designed to protect corporate data without the slowdown and incompatibilities possible when using software encryption.

      --

      [an error occurred while processing this directive]
    5. Re:why would you do this? by archen · · Score: 2, Interesting

      My understanding is that this was intended mainly for laptops. I'm not sure how long this has been a part of the standard, but I wouldn't be surprised if many laptops were still being distributed with Windows 98 when this was drawn up. Is it better than encrypting your files? Well of course not, but it doesn't slow down the hardware at all, and it's rather simple.

      But how safe is encrypting your files? What algorithm does it use? Is it implemented properly? Even if you know for sure, someone can read the data off the drive use a brute force attack (impractical but possible). With the ata password you can't (easily) read anything off the drive short of a raw read off of the platters, so I wouldn't say it's that bad of an idea.

      I'm just sort of curious how this would affect ATA RAID controllers. Would it pass such a command through, or just ignore it?

    6. Re:why would you do this? by that+_evil+_gleek · · Score: 2, Interesting

      Ya.
      This is just supesition but I'm assuming if 1 enables this in the bios, your password is then stored
      in bios's cmos memory and the bios then uses that to unlock the drive, to the support an autoboot feature.
      so the machine can boot by itself , w/o user interaction. So any computer that someone could just snatch and grab
      will likely autoboot and unlock the drive, and not be very good security, maybe for office desktops where maybe
      someone could open the case, take the drive , but not abscond with the the whole machine.

      Of course, there could be a CMOS bios lock as well, and if the password is there and booting options restricted,
      then if one zaps the cmos via jumper, one loses the drive password, and that could work pretty well for security,
      Though if it send to autoboot a cd or floppy , it would be easy to get the appropiate cmos util, run it to clear
      the password, then steal drive password. If the bios was set to only boot the locked drive, then 1 might be able to
      replace the drive, maybe using 1 with exact same parameters ( if auto config is off), and boot (then steal info from cmos again) unless the bios will refuse to boot an unlocked the drive -- I mean if the bios goes to trouble of checking that
      the drive is locked... again just guessing but if a locked drive just returns ERR_LOCKED or whatever to any ati command
      then the bios might only try to unlock the drive, if its locked... so swapping drives might work.. Considering a good implementation and good user behavior , it could be good. Also if you can't lock a drive w/o the old password..

      Now if the above is true, and the hacker knows the CMOS of the machine very well, then its possible that a prog
      could access the cmos memory lock down the cmos setting to only boot the now infected drive, put the drive password
      in cmos (its probably encrypted with some simple hash, but assume he or she has broken that ) , now do the drive lock,
      and 0wn the machine... Now the user is locked in. He or she has noticed that his computer is slower, but he can't
      do anything about it, and he can't boot to trusted media, because the cmos is locked, if the cmos is zapped the drive password is lost and all data is lost, he can use the machine but has to live with slowdowns as the machine is used for ddos attacks and the like.

    7. Re:why would you do this? by markwalling · · Score: 3, Funny

      u m3an that u actually ha5 3 l3tt3r5? n0 way dud3, l1k3 ur t0ta77y g01ng t0 ru1n 1337 sp33k 4 a11 0f u5 1337 h4x50r5 damn thats annoying

      --
      ...For the beast had been reborn with its strength renewed, and the followers of Mammon cowered in horror.
  2. professional? by AmigaAvenger · · Score: 4, Informative
    unless recovered by a professional? It takes all of 2 minutes to make a boot disk with atapwd and reset it. Besides, the reason no virus does this is because it needs an operational machine. If you lock out the drive you aren't going to spread yourself very far.

    Here is a website that shows how to unlock it, and you don't even have to be a professional!

    http://www.rockbox.org/lock.html

    1. Re:professional? by Anonymous Coward · · Score: 5, Funny
      If you lock out the drive you aren't going to spread yourself very far.
      Think of it like this: A Slashdotter with a venereal disease. He isn't going to infect anyone.
    2. Re:professional? by C_To · · Score: 3, Informative

      Did you read the bottom part of the page you quoted? It said there was no way to fix the ATA password in Maximum security mode without knowing what it is.

    3. Re:professional? by Cylix · · Score: 2, Interesting

      Eh,
      you can wipe the disk for a recover if the master password is tampered.

      Read the provided roxbox link.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    4. Re:professional? by warrior · · Score: 5, Informative

      No, you cannot use atapwd to reset it. There are two passwords, a master and a user. If you know the master password, you can use atapwd to reset the user password. These passwords are stored across platters and are stored as a checksum in flash on the HD controller. Resetting the password is not trivial at all. There are two options, use a logic analyzer and try to intercept the pieces of the password on it's way in to generate the checksum (haven't heard of anyone being able to accomplish this), or take the drive apart in a clean room, erase the password of the platters and attach a virgin controller. There are no companies in the US that will do either of these for you, and I don't think that's a coincidence. The very few (3-4) companies that perform this service make very good money of it. If you don't believe me, set your master ATA pwd to a known value and try to reset it by any means _without_ using the password. You can't, you're hosed. Most people at this point chuck the disk, they're cheap. But if you need the data you'll pay anything. The idea behind it is that should it get stolen, the data is safe. The companies that do data retrievel require proofs of ownership. However, for the fool that forgets or accidentally sets the password, you're hosed. For those of you that own Toshiba 80GB laptop hdds, beware, there's a flaw in the controller that may glitch and set a random password for you. In that case you'll want to talk to Nortek.

      --
      Intel transfer the difficult from Hadware to software, for get more power, programmer need more technology. -- chinaitn
    5. Re:professional? by Qzukk · · Score: 3, Interesting

      There are two options, use a logic analyzer and try to intercept the pieces of the password on it's way in to generate the checksum (haven't heard of anyone being able to accomplish this), or take the drive apart in a clean room, erase the password of the platters and attach a virgin controller ....

      If this is just password protection and not encryption, wouldn't it be simpler to replace the drive controller with one using firmware that ignores the password? I'm certain the drive manufacturers would have a few of these laying around.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    6. Re:professional? by darkwhite · · Score: 3, Informative

      Your reasoning is correct - that should be the easiest way. But I'm willing to bet the HDD manufacturers don't have a few of these laying around because if it became known that a particular HDD has password-bypassing controller boards available on the grey/black market, the corporations who use this feature as part of their security procedures would stop buying that manufacturer's drives.

      --

      [an error occurred while processing this directive]
    7. Re:professional? by mkldev · · Score: 4, Insightful
      I'm willing to bet drive manufacturers -do- have custom firmwares that do that. Why? Because otherwise they would end up generating a lot of bricks while testing bug fixes to those parts of the firmware....

      Further, it shouldn't be that hard to solve this problem. The drive reads the data off the disk. There's a ribbon cable between the controller board and the disk. Tap the data stream. Feed it into a logic analyzer that has a digital data ouptut (e.g. a USB logic analyzer). Take the data captured, find the sync bytes, then shove the remainder into an RLL decoder.

      Now figure out the ECC format used (it will typically be four bytes at the end of each sector, but this may vary). Strip the ECC bytes. You now have a track image of the track in question, probably with some extra sync bytes between sectors, but I'm not sure. If you want, you could simply single-step the drive motor repeatedly and copy the entire disk this way, but it is probably more effective to write a program that scans for things that right be an ATA password and tries them sequentially.

      To make this easier, every 4 passwords or so, the tool should ask you to power-cycle the drive. To facilitate this, take a power extender cable and cut the 5v line. Put a momentary off pushbutton inline. Press for a second and then release. In all likelihood, you should only need to power cycle the drive electronics, not the drive motor (12v).

      I've never tried this, of course, but in principle, it shouldn't be that bad....

      --
      120 character sigs suck. Make it 250.
    8. Re:professional? by HappyClown · · Score: 2, Insightful

      Nope, RTFA. Part of the firmware and password is stored on the HDD itself, so even replacing the entire drive controller hardware doesn't help.

    9. Re:professional? by Lehk228 · · Score: 2, Interesting

      yes there is, get an identical drive and swap the logic boards.

      --
      Snowden and Manning are heroes.
    10. Re:professional? by tomhudson · · Score: 2, Insightful
      yes there is, get an identical drive and swap the logic boards.
      RTFA: The passwords, and most of the drive firmware, are stored on the drive platters, not on the logic boards.
    11. Re:professional? by darkwhite · · Score: 2, Interesting

      The controller likely reads the password from the platter on each power up and stores it in the on-chip cache or the SDRAM (the modern ATA drive controller has to be a full-featured processor). It most likely doesn't copy the password to the flash.

      If it puts the password in the SDRAM and you try to yank the SDRAM write pin, the controller probably won't start at all. However, if you tap the memory bus, you might be able to issue your own command to erase the password in the RAM while the controller is running.

      --

      [an error occurred while processing this directive]
    12. Re:professional? by TummyX · · Score: 2, Insightful

      Ofcourse swapping the electronics from a protected hard disk to an unprotected one won't work. But swapping the electronics for one that *doesn't care* about the password will.

      The data is not encrypted.

    13. Re:professional? by evilviper · · Score: 3, Informative
      you can wipe the disk for a recover if the master password is tampered.

      No, you certainly can't.

      The hard drive will not accept any commands until you give it the correct password (stored in an eeprom). You'll get a stream of errors even if you just try to cat zeros to the drive's device.

      In case it isn't obvious, I have first-hand experience with this, though on notebook drives, never desktop drives.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    14. Re:professional? by k8to · · Score: 2, Informative

      I am baffled that the parent was modded up, given that it is clearly incorrect even according to the link listed.

      To be clear, the link listed provides only one piece of information in addition to the heise article: drives come with a default master password, and it is possible to find out if it the default master password is still in place.

      While handy information, it does not alleviate the security concerns. A locked drive is still inaccessable without the password. A malicious user or malware can change the master and user password and still render the drive a brick.

      --
      -josh
  3. the word being "could" by Anonymous Coward · · Score: 5, Insightful


    but when was the last highly destructive virus you saw ?

    virus writers/skripterz have long since learnt, if you kill the host it is of no use to you, you achieve nothing

    99% of viruses today are trojans because you can use your fancy stealth infection/propogation routines AND make a profit if you keep the host alive, locking a HD would be pointless and contrary to opinion most Virus writers are not stupid, misguided perhaps but not stupid

    1. Re:the word being "could" by Tony+Hoyle · · Score: 3, Interesting

      It depends... in nature viruses silently reproduce before killing the host. There's no reason why computer viruses couldn't do the same - this would be very effective.

    2. Re:the word being "could" by Lord+Kano · · Score: 2, Interesting

      What if someone is trying to get revenge on a former employer?

      Design the virus to propogade for a fixed period of time and then lock down all of the hard drives over night.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    3. Re:the word being "could" by kwalker · · Score: 4, Informative

      Yes but the MOST successful viruses go years before they kill the host so as to maximize their infection rates. Plus often when a virus kills the host it's because the virus became TOO successful. Some viruses, like some of the herpes viruses, never kill the host, thereby living as long as the host organism does.

      --
      ... And so it comes to this.
    4. Re:the word being "could" by nacturation · · Score: 2, Insightful

      So the clever blackmailer would then send a ransom note to an attached printer, wait for confirmation of a successful print, and then initiate the lockdown. If it can't find a printer, it would just use that host to spread to other machines. Gotta be ethical, right? :)

      "Need your data back? For only $1000, we'll send you the correct password. Send payment via Western Union to..."

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  4. Disk-Jacking to put hard drives At Your Disservice by D4C5CE · · Score: 4, Insightful
    There's a larger risk looming in this unwelcome feature... From an earlier submission:
    Heise has just released a dire warning (and temporary treatment) from c't regarding ATA hard disk security passwords: There may be a gaping security hole in millions of computers that allows malware to lock the hard drives from their legitimate users. Some will remember what this means from extortionate trojan horses as early as 1989 (search for "Panama" - judicial outcome in 1995). Now factor in how some similar disaster, "supported" by firmware, could spread over the Internet rather than by postal mail today...
    It seems crucial to protect one's system ASAP against what could become a boon for blackmailers.
    The problem is that if BIOS doesn't disable the function, a "well"-(i.e. viciously)-positioned malware (early in the boot process) could lock the hard drive on first reboot even before any protective software can kick in.
  5. Security hole? by Gzip+Christ · · Score: 2, Interesting

    How is this any worse than if a virus were to erase the hard drive?

    1. Re:Security hole? by johkir · · Score: 2, Insightful
      Here's a possible profitable situation. I get into your offices one day, perhaps for an interview. Through some social engineering, I get access to a PC to 'check my email.' I also load this virus, which, after spreading itself around a bit, goes through it's time delay, and then locks the HD, on as many disks as it can. The cheapest solution is to install new ones. I, of course, know the password, and I just wait at the dumpster for all your personnel/financial info and maybe some proprietary software to land my way. Profit!

      Yes, you could wipe the drive with a nice big magnet, but where is that? Oh well.

      --
      These are some of the things molecules do...... given 4 billion years -Carl Sagan
    2. Re:Security hole? by Wesley+Felter · · Score: 2, Insightful

      That takes time, especially on large drives. Setting the password takes virtually no time.

  6. Or even worse by dilvish_the_damned · · Score: 4, Interesting

    What if someone encrypts all your data one night? You show up for work one morning only to find the latest worm has encrypted all your data and it forces you to recite the lyrics to ELOs Another Heart Breaks ("one, two, three," etc..) before you can get at your data again. Look, if it has enough access to reset the password on your ATA drive, you probably have bigger issues to worry about, like the gaping hole in your OS that allows user code direct access to your hardware.

    --
    I think you underestimate just how much I just dont care.
  7. Re:I love how they plan to force apple to comply by theid0 · · Score: 4, Interesting


    to the effect that we will program a demonstration of the damaging action and make it available to Apple

    This seems to imply that it has not yet been done. Any hardware changes that I have done (Open Firmware changes, DVD region set) have needed an admin password.

    However, in the article it basically says that the machine has to compromised PRIOR to startup (when the security extension loads). If someone already has access to your machine with an admin password, I really don't see the point in locking the drive. There are easier ways to pull a prank or cause damage.

  8. Disk-Jacking to put hard drives At Your Disservice by D4C5CE · · Score: 2, Informative
    could overclock the computer in some way and cause perminant damage to the system (...) why is this not a more major worry as this could cause real damage
    Not only because any attack like this would have to work with rather primitive code on a wide(spread) variety of hardware (like an ATA hard drive - very few systems don't have one), but also because the goal of an extortionist is to have hostages (cf. the above quotes on the 1989 attack). The "horror scenario" is something like this: A malware written to interfere at an early stage, e.g. as a replacement Master Boot Record, to lock the drive with a random password and display a message (which includes a scrambled representation of the password used) telling the user that the system won't work on reboot, and where to send money for "his or her" particular unlock code and/or a "personal" unlock disk. For those who are "lucky" enough to follow these "orders", there is a chance of getting the data back (i.e. "buying back" one's own system against "payola") until the blackmailer gets busted or bored... For anyone else just hitting reset, there will be no reboot, and specialist recovery to remove a 32-bit lock as the only chance (except for the vague hope that the malware or decrypter will very soon be "open-sourced" by the authorities on catching that crook).
  9. Funny by soniCron88 · · Score: 3, Funny

    "A DOS from a diskette boots suspiciously slowly"

    When does a diskette ever boot not "suspiciously slowly"?

    --
    Digital Sailor
  10. Re:OS level fix by enosys · · Score: 2, Insightful

    The article said the password was stored on the disk, not in flash memory on the board. Someone here claimed that it's stored in both. Remember, this is supposed to provide some security for your data if the disk is stolen. If swapping circuit boards "fixed" it that would be terrible security.

  11. Re:A hint.... by jimicus · · Score: 2, Insightful
    blackbird root # hdparm -I /dev/hde

    /dev/hde:

    ATA device, with non-removable media
    Model Number: ST340016A

    [ --- cut --- ]

    Security:
    Master password revision code = 65534
    supported
    not enabled
    not locked
    not frozen
    not expired: security count
    not supported: enhanced erase
    http://www.google.co.uk/search?q=ATA+master+passwo rd&start=0&start=0&ie=utf-8&oe=utf-8&client=firefo x&rls=org.mozilla:en-US:official

    Looks pretty true to me.
  12. Re:directly from the site by Anonymous Coward · · Score: 2, Informative

    Actually, the article states that the password is distributed across the platters, and a checksum is in the flash memory on the controller board. Therefore stripping out the controller board & replacing it is not going to make the drive work.

    In fact the recovery company mentioned in the article reportedly didn't have to open the drive to recover the password... Probably there's a flaw in the logic that controls checking the password. I suspect the password is stored unencrypted on the disk and there's a way to issue the "retreive password for checking" command with a special device connected to an IO port on the controller board.

  13. Dell BIOS HD Flaws by __aaijsn7246 · · Score: 4, Interesting

    In general, these features don't seem coded to well. Here's a post I made to Bugtraq back in December of 2003.

    The Dell BIOS allows users to set several different passwords to protect
    their machines from unauthorised access. There is 1) a Setup Password,
    which is required to enter the BIOS setup, as well as 2) a Hard Drive
    Password, as per the ATA Security Feature Set Specification.

    Unfortunately, once a Hard Drive Password is set which contains one or
    more of the following characters,

    , . ; : ' [ ] { }

    it can not be later entered to access the machine. It appears as though
    a bug in the BIOS code prevents those characters from being taken as
    input when the user is asked for the password - however, the BIOS
    incorrectly allows users to set passwords containing those characters.

    This is not an incredibly serious problem as such, since a user can go
    back into the BIOS setup and change the password there, provided the
    BIOS Setup is not protected with an unknown password. Or, as a last
    resort, Dell can be phoned to provide a master backdoor password, as
    long as the user can prove herself the legal owner of the computer. Of
    course, the prerequisite of physical access to the machine highly
    mitigates this vulnerability.

    It is however an interesting bug from the point of view of Dell's
    practices. I have contacted them over two weeks ago, but their
    'technical support' is unable to understand or resolve the problem. Two
    of their representatives told me to reinstall Windows XP Chipset
    drivers, even when I asked to be forwarded to people higher in the
    technical support chain. Perhaps this post will encourage Dell to pay
    more attention in the future.

    Affected Systems: Dell Inspiron 2650 System BIOS, A11
    (A11 is the current BIOS as of writing, and was released in late
    September of this year)
    Other BIOS/Dell models are perhaps vulnerable but have not been tested.

  14. Simple FPGA interface? by xtal · · Score: 2, Interesting

    I've been doing more work with FPGA's recently:

    If this is the case, there are some IDE controller projects available on opencores. It shouldn't be a serious problem for someone to build a board that would allow you to mount the drive so you can copy data off of it - there are also open, well tested, PCI bridge modules freely available now.

    http://www.opencores.org/browse.cgi/by_category

    If it is indeed the serious concern that people indicate, and it can be broken by the means you suggest - I challenge someone with a few dollars to donate it to opencores with the objective of getting this done.

    Indeed, the "sticking it to the man" factor is high enough that I am intrigued enough to have a more in depth look. :)

    --
    ..don't panic
  15. big deal by idlake · · Score: 3, Insightful

    Viruses and spyware can simply erase your disk, in addition to changing the password. The solution? The same solution as for hardware failures, cats walking across the keyboard, or babies drooling on the disk: restore from a recent backup. If you don't have a recent backup, a virus that sets the ATA HDD password is the least of your problems.

  16. Recent destructive worm by Bunyip+Redgum · · Score: 3, Informative

    but when was the last highly destructive virus you saw ?
    What about the witty worm?
    It spread in less than an hour and the proceded to destroy data on the hosts hard disks.

  17. easy prevention: only set administrator password? by F�an�ro · · Score: 2, Interesting

    the way i understood it, there are two passwords: user password and administrator password.

    Access to the harddrive will only be prevented if the user password is set, but the user password can only be set when the administrator password is known.

    So if I only set the administrator password, then the drive can be accessed as usual, but the user password cannot be set by some software.

    Correct? or did I misunderstand that?

  18. Re:easy prevention: only set administrator passwor by argent · · Score: 3, Informative

    There is no "administrator password". The "master password" is like a janitor's master key. It's a failsafe to let you unlock the drive if the user password was set.

    The incredibly stupid thing is there doesn't seem to be a way to say "disable the password mechanism completely". IMHO, this should be the default state, and it should require physical access to the drive (say, with a jumper) as well as (of course, any passwords) to switch it from one state to another. A laptop could connect that jumper to an external "security" button that you hold down while the BIOS does its thing.

  19. Re:directly from the site by pegr · · Score: 2, Insightful

    Variation of the swap logic boards trick...

    Swap with one of your own design. Since the password is on the disk, the orginal logic board has to get it, right? That means the logic board can talk to the platters... You just need a logic board that retrieves the password for you. Then swap back and do whatever you want.

    I bet that's how the data recovery outfits do it. They even stated in TFA that known models are no problem, unknown models may take awhile. Yup, designing a logic board to talk to someone else's drive might take a bit of time.