Slashdot Mirror


How To Head Off ATA HDD Password Abuse

An anonymous reader submits "German c't magazine has a story about abusing the security features of ATA hard disks. The bottom line is that almost all ATA hard disks in desktop PCs can be password-protected. However, on most desktop PCs, the BIOS does not support locking this option -- so viruses or malware could set a random password, making any data unreadable unless recovered by professionals."


  1. professional? by AmigaAvenger · · Score: 4, Informative
    unless recovered by a professional? It takes all of 2 minutes to make a boot disk with atapwd and reset it. Besides, the reason no virus does this is because it needs an operational machine. If you lock out the drive you aren't going to spread yourself very far.

    Here is a website that shows how to unlock it, and you don't even have to be a professional!

    http://www.rockbox.org/lock.html

    1. Re:professional? by Anonymous Coward · · Score: 5, Funny
      If you lock out the drive you aren't going to spread yourself very far.
      Think of it like this: A Slashdotter with a venereal disease. He isn't going to infect anyone.
    2. Re:professional? by C_To · · Score: 3, Informative

      Did you read the bottom part of the page you quoted? It said there was no way to fix the ATA password in Maximum security mode without knowing what it is.

    3. Re:professional? by warrior · · Score: 5, Informative

      No, you cannot use atapwd to reset it. There are two passwords, a master and a user. If you know the master password, you can use atapwd to reset the user password. These passwords are stored across platters and are stored as a checksum in flash on the HD controller. Resetting the password is not trivial at all. There are two options, use a logic analyzer and try to intercept the pieces of the password on its way in to generate the checksum (haven't heard of anyone being able to accomplish this), or take the drive apart in a clean room, erase the password off the platters and attach a virgin controller. There are no companies in the US that will do either of these for you, and I don't think that's a coincidence. The very few (3-4) companies that perform this service make very good money off it. If you don't believe me, set your master ATA pwd to a known value and try to reset it by any means _without_ using the password. You can't, you're hosed. Most people at this point chuck the disk, they're cheap. But if you need the data you'll pay anything. The idea behind it is that should it get stolen, the data is safe. The companies that do data retrieval require proofs of ownership. However, for the fool that forgets or accidentally sets the password, you're hosed. For those of you that own Toshiba 80GB laptop hdds, beware, there's a flaw in the controller that may glitch and set a random password for you. In that case you'll want to talk to Nortek.

      --
      Intel transfer the difficult from Hardware to software, for get more power, programmer need more technology. -- chinaitn
    4. Re:professional? by Qzukk · · Score: 3, Interesting

      There are two options, use a logic analyzer and try to intercept the pieces of the password on its way in to generate the checksum (haven't heard of anyone being able to accomplish this), or take the drive apart in a clean room, erase the password off the platters and attach a virgin controller ....

      If this is just password protection and not encryption, wouldn't it be simpler to replace the drive controller with one using firmware that ignores the password? I'm certain the drive manufacturers would have a few of these laying around.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    5. Re:professional? by darkwhite · · Score: 3, Informative

      Your reasoning is correct - that should be the easiest way. But I'm willing to bet the HDD manufacturers don't have a few of these laying around because if it became known that a particular HDD has password-bypassing controller boards available on the grey/black market, the corporations who use this feature as part of their security procedures would stop buying that manufacturer's drives.

    6. Re:professional? by mkldev · · Score: 4, Insightful
      I'm willing to bet drive manufacturers -do- have custom firmwares that do that. Why? Because otherwise they would end up generating a lot of bricks while testing bug fixes to those parts of the firmware....

      Further, it shouldn't be that hard to solve this problem. The drive reads the data off the disk. There's a ribbon cable between the controller board and the disk. Tap the data stream. Feed it into a logic analyzer that has a digital data output (e.g. a USB logic analyzer). Take the data captured, find the sync bytes, then shove the remainder into an RLL decoder.

      Now figure out the ECC format used (it will typically be four bytes at the end of each sector, but this may vary). Strip the ECC bytes. You now have a track image of the track in question, probably with some extra sync bytes between sectors, but I'm not sure. If you want, you could simply single-step the drive motor repeatedly and copy the entire disk this way, but it is probably more effective to write a program that scans for things that might be an ATA password and tries them sequentially.

      To make this easier, every 4 passwords or so, the tool should ask you to power-cycle the drive. To facilitate this, take a power extender cable and cut the 5v line. Put a momentary off pushbutton inline. Press for a second and then release. In all likelihood, you should only need to power cycle the drive electronics, not the drive motor (12v).

      I've never tried this, of course, but in principle, it shouldn't be that bad....

      --
      120 character sigs suck. Make it 250.
    7. Re:professional? by evilviper · · Score: 3, Informative
      you can wipe the disk for a recover if the master password is tampered.

      No, you certainly can't.

      The hard drive will not accept any commands until you give it the correct password (stored in an eeprom). You'll get a stream of errors even if you just try to cat zeros to the drive's device.

      In case it isn't obvious, I have first-hand experience with this, though on notebook drives, never desktop drives.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  2. Re:why would you do this? by tivoKlr · · Score: 5, Informative

    Well, for software modding an Xbox for starters.

    Xboxen will only boot from a locked hard drive, and to modify the files on an Xbox to, you know, allow you to run your own home written unsigned code, you need to be able to lock the drive once you've modified it to get the Xbox to recognize it.

    I have encountered bioses that won't allow you to lock or unlock drives. Very annoying...

    --
    Ocean is land, covered with water.
  3. the word being "could" by Anonymous Coward · · Score: 5, Insightful


    but when was the last highly destructive virus you saw ?

    virus writers/skripterz have long since learnt, if you kill the host it is of no use to you, you achieve nothing

    99% of viruses today are trojans because you can use your fancy stealth infection/propagation routines AND make a profit if you keep the host alive, locking a HD would be pointless and contrary to opinion most Virus writers are not stupid, misguided perhaps but not stupid

    1. Re:the word being "could" by Tony+Hoyle · · Score: 3, Interesting

      It depends... in nature viruses silently reproduce before killing the host. There's no reason why computer viruses couldn't do the same - this would be very effective.

    2. Re:the word being "could" by kwalker · · Score: 4, Informative

      Yes but the MOST successful viruses go years before they kill the host so as to maximize their infection rates. Plus often when a virus kills the host it's because the virus became TOO successful. Some viruses, like some of the herpes viruses, never kill the host, thereby living as long as the host organism does.

      --
      ... And so it comes to this.
  4. Disk-Jacking to put hard drives At Your Disservice by D4C5CE · · Score: 4, Insightful
    There's a larger risk looming in this unwelcome feature... From an earlier submission:
    Heise has just released a dire warning (and temporary treatment) from c't regarding ATA hard disk security passwords: There may be a gaping security hole in millions of computers that allows malware to lock the hard drives from their legitimate users. Some will remember what this means from extortionate trojan horses as early as 1989 (search for "Panama" - judicial outcome in 1995). Now factor in how some similar disaster, "supported" by firmware, could spread over the Internet rather than by postal mail today...
    It seems crucial to protect one's system ASAP against what could become a boon for blackmailers.
    The problem is that if BIOS doesn't disable the function, a "well"-(i.e. viciously)-positioned malware (early in the boot process) could lock the hard drive on first reboot even before any protective software can kick in.
  5. Or even worse by dilvish_the_damned · · Score: 4, Interesting

    What if someone encrypts all your data one night? You show up for work one morning only to find the latest worm has encrypted all your data and it forces you to recite the lyrics to ELO's Another Heart Breaks ("one, two, three," etc..) before you can get at your data again. Look, if it has enough access to reset the password on your ATA drive, you probably have bigger issues to worry about, like the gaping hole in your OS that allows user code direct access to your hardware.

    --
    I think you underestimate just how much I just don't care.
  6. Re:I love how they plan to force apple to comply by theid0 · · Score: 4, Interesting


    to the effect that we will program a demonstration of the damaging action and make it available to Apple

    This seems to imply that it has not yet been done. Any hardware changes that I have done (Open Firmware changes, DVD region set) have needed an admin password.

    However, in the article it basically says that the machine has to be compromised PRIOR to startup (when the security extension loads). If someone already has access to your machine with an admin password, I really don't see the point in locking the drive. There are easier ways to pull a prank or cause damage.

  7. Re:why would you do this? by darkwhite · · Score: 5, Insightful

    Why on earth would you want to password "protect" a hard drive? How would that be any better than properly encrypting your files?

    Speed.

    Only very sophisticated organizations have the means to lift data off a password-protected hard drive. Encryption, while more durable in that regard, sacrifices speed with every access to the files in question.

  8. Funny by soniCron88 · · Score: 3, Funny

    "A DOS from a diskette boots suspiciously slowly"

    When does a diskette ever boot not "suspiciously slowly"?

  9. Dell BIOS HD Flaws by __aaijsn7246 · · Score: 4, Interesting

    In general, these features don't seem coded too well. Here's a post I made to Bugtraq back in December of 2003.

    The Dell BIOS allows users to set several different passwords to protect their machines from unauthorised access. There is 1) a Setup Password, which is required to enter the BIOS setup, as well as 2) a Hard Drive Password, as per the ATA Security Feature Set Specification.

    Unfortunately, once a Hard Drive Password is set which contains one or more of the following characters,

    , . ; : ' [ ] { }

    it can not be later entered to access the machine. It appears as though a bug in the BIOS code prevents those characters from being taken as input when the user is asked for the password - however, the BIOS incorrectly allows users to set passwords containing those characters.

    This is not an incredibly serious problem as such, since a user can go back into the BIOS setup and change the password there, provided the BIOS Setup is not protected with an unknown password. Or, as a last resort, Dell can be phoned to provide a master backdoor password, as long as the user can prove herself the legal owner of the computer. Of course, the prerequisite of physical access to the machine highly mitigates this vulnerability.

    It is however an interesting bug from the point of view of Dell's practices. I have contacted them over two weeks ago, but their 'technical support' is unable to understand or resolve the problem. Two of their representatives told me to reinstall Windows XP Chipset drivers, even when I asked to be forwarded to people higher in the technical support chain. Perhaps this post will encourage Dell to pay more attention in the future.

    Affected Systems: Dell Inspiron 2650 System BIOS, A11
    (A11 is the current BIOS as of writing, and was released in late September of this year)
    Other BIOS/Dell models are perhaps vulnerable but have not been tested.

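The bug class in the Bugtraq post above is an asymmetric input filter: the path that sets the password accepts characters that the path reading the password at boot silently drops, so a valid password can never be re-entered. The following is an added example, not code from the post or from any Dell firmware; it models the two BIOS paths as plain Python functions (names are hypothetical) to show how the lockout arises and how a shared filter prevents it.

```python
# Characters the post says the affected unlock prompt could not take as input.
PROMPT_DROPPED = set(",.;:'[]{}")


def prompt_read(typed: str) -> str:
    """Model of the buggy boot-time prompt: the listed characters never reach
    the password buffer, everything else is kept (hypothetical model)."""
    return "".join(c for c in typed if c not in PROMPT_DROPPED)


def set_password_unchecked(pw: str) -> str:
    """Model of the buggy setup screen: stores whatever the user types."""
    return pw


def set_password_checked(pw: str) -> str:
    """Hardened setup path: refuse any password the prompt could not read back.
    The filter is the same set the prompt uses, so the two paths cannot drift."""
    bad = sorted(set(pw) & PROMPT_DROPPED)
    if bad:
        raise ValueError("characters not accepted by the unlock prompt: " + "".join(bad))
    return pw


def unlock(stored: str, typed: str) -> bool:
    """Boot-time comparison: what the prompt captured against what was stored."""
    return prompt_read(typed) == stored


def lockout_demo(pw: str) -> bool:
    """True if a password accepted by the unchecked setup path can never
    unlock the machine, even when the user types it exactly."""
    stored = set_password_unchecked(pw)
    return not unlock(stored, pw)


if __name__ == "__main__":
    # Constructed sample password containing one of the listed characters.
    print("locked out with 'abc;123':", lockout_demo("abc;123"))   # True
    print("plain password still works:", lockout_demo("abc123"))   # False
    try:
        set_password_checked("abc;123")
    except ValueError as e:
        print("hardened path rejected it:", e)
```

The point generalises beyond BIOS prompts: whenever a secret is validated in two places (set and verify), both must apply one shared canonicalisation, or users end up with credentials that are stored but can never be presented.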
  10. big deal by idlake · · Score: 3, Insightful

    Viruses and spyware can simply erase your disk, in addition to changing the password. The solution? The same solution as for hardware failures, cats walking across the keyboard, or babies drooling on the disk: restore from a recent backup. If you don't have a recent backup, a virus that sets the ATA HDD password is the least of your problems.

  11. Recent destructive worm by Bunyip+Redgum · · Score: 3, Informative

    but when was the last highly destructive virus you saw ?
    What about the witty worm?
    It spread in less than an hour and then proceeded to destroy data on the hosts' hard disks.

  12. Re:easy prevention: only set administrator passwor by argent · · Score: 3, Informative

    There is no "administrator password". The "master password" is like a janitor's master key. It's a failsafe to let you unlock the drive if the user password was set.

    The incredibly stupid thing is there doesn't seem to be a way to say "disable the password mechanism completely". IMHO, this should be the default state, and it should require physical access to the drive (say, with a jumper) as well as (of course, any passwords) to switch it from one state to another. A laptop could connect that jumper to an external "security" button that you hold down while the BIOS does its thing.

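The comment above, and the submission itself, turn on whether the ATA security feature set is left in a state where software can issue SECURITY SET PASSWORD. On Linux the drive's view of that state is printed by `hdparm -I` in its "Security:" section, which lists `supported`, `enabled`, `locked`, `frozen` and `expired`, each prefixed with `not` when the flag is clear. The following is an added defender-side check, not code from the thread or from hdparm; it parses that section and reports whether a drive is frozen (the BIOS issued SECURITY FREEZE LOCK, so a password cannot be set until the next power cycle) or still open. The two sample outputs are constructed, not captured from any real drive, and the line format is assumed from hdparm's usual layout.

```python
import re
from typing import Dict

# Constructed sample: security supported, nothing enabled, NOT frozen.
SAMPLE_AT_RISK = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 0000000000000000
"""

# Constructed sample: same drive after a BIOS that freezes the feature set.
SAMPLE_FROZEN = SAMPLE_AT_RISK.replace("\tnot\tfrozen", "\t\tfrozen")

STATES = ("supported", "enabled", "locked", "frozen", "expired")
STATE_RE = re.compile(r"^\s*(not\s+)?(supported|enabled|locked|frozen|expired)(\s*:\s*(.*))?$")


def parse_security(hdparm_output: str) -> Dict[str, bool]:
    """Return the flags from the 'Security:' section of `hdparm -I` output."""
    flags = {s: False for s in STATES}
    flags["enhanced_erase"] = False
    flags["master_default"] = False  # revision code 65534 (0xFFFE) = factory master password
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # reached the next top-level section
        if "Master password revision code" in line:
            flags["master_default"] = line.rstrip().endswith("65534")
            continue
        m = STATE_RE.match(line)
        if not m:
            continue
        value = m.group(1) is None  # a leading "not" clears the flag
        qualifier = m.group(4) or ""
        if m.group(2) == "supported" and "enhanced erase" in qualifier:
            flags["enhanced_erase"] = value
        else:
            flags[m.group(2)] = value
    return flags


def assess(flags: Dict[str, bool]) -> str:
    """Classify the drive from the defender's point of view."""
    if not flags["supported"]:
        return "no-security-feature"   # nothing for malware to set
    if flags["locked"]:
        return "locked"                # drive refuses data commands until unlocked
    if flags["frozen"]:
        return "frozen"                # SET PASSWORD rejected until power cycle: mitigated
    if flags["enabled"]:
        return "enabled-unfrozen"      # owner set a password, but it can still be changed
    return "at-risk"                   # supported, not enabled, not frozen: password can be set


if __name__ == "__main__":
    for name, sample in (("at-risk sample", SAMPLE_AT_RISK), ("frozen sample", SAMPLE_FROZEN)):
        f = parse_security(sample)
        print(f"{name}: {assess(f)} (master password still factory default: {f['master_default']})")
```

To check a real machine, run `hdparm -I /dev/sdX` as root and feed its output to `parse_security`; a result of `at-risk` means the BIOS did not freeze the feature set, which is exactly the gap the c't article describes.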
  13. Re:why would you do this? by markwalling · · Score: 3, Funny

    u m3an that u actually ha5 3 l3tt3r5? n0 way dud3, l1k3 ur t0ta77y g01ng t0 ru1n 1337 sp33k 4 a11 0f u5 1337 h4x50r5 damn thats annoying

    --
    ...For the beast had been reborn with its strength renewed, and the followers of Mammon cowered in horror.