Hard Drive Passwords Easily Defeated; the Truth about Data Protection


It can be surprisingly easy to pull sensitive data such as thousands of names and social security numbers off laptops that are thought to be encrypted and secure. Recent data leaks (TSA, TJ Maxx) proved embarrassing and costly, and illustrate the need for robust security solutions. IT security research and advisory firm Trusted Strategies put the most prevalent hard disk data protection solutions to the test and shows how easy it is to crack frequently used technologies and get at valuable secrets.

In Part One of a three-part series, we’ll dive into hard disk password protection and the ease with which it can be penetrated. The second installment will focus on software-based full drive encryption -- an enticing solution that carries some risk. Lastly, we’ll focus on next-generation encrypting hard drives, which provide the most secure solution with the least impact to performance and productivity.

Can your computer keep a secret?

Why all laptop data protection methods are NOT created equal

Part 1: Hard Drive Passwords Easily Defeated; the Truth about Data Protection
By Bill Bosen, Trusted Strategies

Companies may rely on password protection to safeguard data stored on their computer’s hard drives, but in nearly all cases an attacker can easily disable the password lock and gain full access to the data on the drive.

Theft of sensitive information from personal and enterprise computing systems is one of the fastest growing crimes in America[1]. Ameriprise Financial, Ford Motor Company, the Department of Veterans Affairs and many others have lost millions of sensitive records stolen from their laptop computers.[2] The costs in incident response handling, legal fees, corrective actions, loss of reputation, and loss of customers can be crippling. Another daunting fact is that company management can be held personally liable for security breaches. 

A significant and increasing percentage of corporate data now resides at the edges of the enterprise on home office PCs and the laptop computers of mobile workers. Wherever it resides, protecting sensitive data is critical to an organization’s business practices and overall success. Consequently individuals and organizations are struggling to find cost-effective and user-friendly ways to keep sensitive data from falling into the wrong hands.

Comparison of hard disk drive data protection methods

There are a number of methods available to protect data on a hard disk. BIOS and operating system passwords are frequently used, but they only provide very minimal security, and can be readily removed by unskilled attackers without requiring sophisticated tools. Hard disk password locking is one of the most relied-upon security methods today. It is stronger than BIOS or operating system passwords, but this common protective measure can be easily defeated as well.

Software-based full drive encryption is significantly stronger than BIOS, operating system, or hard disk password locking. Unfortunately, software-based encryption must run under the operating system on the main CPU, which costs performance and, more importantly, exposes the protection itself: the encryption keys and the decrypted data pass through system memory, where a stealthy process (malware or a rootkit) running on the PC can capture them.

Hard disk-based security provides some of the best and strongest encryption solutions for personal computers. The encryption keys never leave the drive; they are not exposed to the CPU, the operating system, or any application running on it, so host-side malware cannot capture them. In addition to the security advantages, encryption done in the drive’s hardware offers other attractive benefits. First, hard disk-based encryption has clear performance and reliability advantages. Second, because the encryption is integrated into the drive read/write function, it is transparent to the user. And finally, “factory” encryption significantly reduces the costs of acquisition, deployment and administration.


BIOS Password: very minimal protection

Available on nearly all PCs. Prevents the computer from fully booting unless the correct password is provided. Does not encrypt any data. Very easily thwarted, no special skills needed: the disk drive can simply be moved to another computer with the BIOS lock turned off.

Operating System Password: very minimal protection

Access to general OS functions is denied unless the correct password is given. Does not encrypt any data. Easily defeated by moving the hard disk to another computer; no special skills needed. Offers very minimal protection.

Hard Disk Password (ATA security feature set): minimal protection

Available on most notebooks and some desktops. The drive refuses to retrieve data unless the correct password is presented to it. Does not encrypt any data. Easily defeated, but requires specific skills or hiring someone who has them. Stronger than BIOS or OS passwords but still weak protection, and not suitable for data worth more than $100.

Software-Based Full Drive Encryption: good protection

Add-on security product that hooks the hard disk driver and encrypts all data as it is written to the disk; the correct password is required before any data is decrypted. Offers good protection, but is expensive to purchase and deploy, and its impact on system performance sometimes leads end users to turn it off. Malware, Trojans or rootkits running on the PC can disable the protection just as an end user can, unless the product guards itself against tampering. Some software-based products also require encryption to be turned off whenever an operating system update is installed, which adds an administration burden and a window of exposure.

Next-Generation Encrypting Hard Drives: excellent protection

The hard disk drive contains built-in cryptographic hardware that encrypts all data as it is written to the disk, and requires the correct password before any data is decrypted. Built into the drive rather than added on, and completely transparent to the user. Does not impact performance. Extremely difficult to defeat when good passwords are used. Offers excellent protection.

Hard disk password locking

Most hard disk manufacturers offer a feature officially called the “ATA security feature set” but commonly known as “ATA hard drive password locking.” As the name implies, this feature allows users to lock their drive with a password. Unlike BIOS or operating-system password protection, ATA password locking is implemented in the drive itself. Even if the operating system password and any BIOS-level password protection are satisfied (or removed), an ATA-protected disk drive will not retrieve data unless the correct ATA password is presented to the drive. This password locking feature is marketed under a variety of names by various manufacturers, including ATA password locking, DriveLock, HDD Password, HDP, and Security Lock.
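The first check a practitioner makes is whether a drive’s ATA security is actually enabled and locked, and at which level. The Python below is an added example, not code from the article or from any drive or tool vendor: it parses the Security section in the layout that `hdparm -I` prints (hdparm 9.x) from a constructed sample rather than a real drive, and turns the flags into the findings a reviewer would want. The device identifier in the sample is made up.

```python
import re

# Constructed samples of the "Security:" section as `hdparm -I` prints it (hdparm 9.x layout).
# Neither is captured from a real drive; the WWN is invented.
SAMPLE_LOCKED = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\t\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\tSecurity level high
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5001234abcd
"""

SAMPLE_DISABLED = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5001234abcd
"""

# hdparm prints each flag on its own line, with "not" in front of the ones that are clear.
FLAG_LINES = {
    "supported": "supported",
    "enabled": "enabled",
    "locked": "locked",
    "frozen": "frozen",
    "expired: security count": "expired",
    "supported: enhanced erase": "enhanced_erase",
}

FACTORY_MASTER_REVISION = 0xFFFE   # initial master password identifier defined by ATA


def parse_security(hdparm_output):
    """Return the drive's ATA security state from the text of `hdparm -I`."""
    state = {v: None for v in FLAG_LINES.values()}
    state.update(level=None, master_revision=None)
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break                          # next top-level section of hdparm -I
        text = line.strip()
        m = re.match(r"Master password revision code = (\d+)", text)
        if m:
            state["master_revision"] = int(m.group(1))
            continue
        m = re.match(r"Security level (\w+)", text)
        if m:
            state["level"] = m.group(1)
            continue
        negated = text.startswith("not")
        body = text[3:].strip() if negated else text
        if body in FLAG_LINES:
            state[FLAG_LINES[body]] = not negated
    return state


def assess(state):
    """Plain-language findings from a parsed security state."""
    findings = []
    if not state["supported"]:
        return ["drive does not implement the ATA security feature set"]
    if not state["enabled"]:
        findings.append("ATA password not enabled: anyone who powers the drive can read it")
    else:
        findings.append("ATA password enabled and drive is currently "
                        + ("locked" if state["locked"] else "unlocked"))
        if state["level"] == "high":
            findings.append("security level high: the master password can unlock the drive, not only erase it")
        if state["master_revision"] == FACTORY_MASTER_REVISION:
            findings.append("master password revision 0xFFFE: master password never changed from the vendor default")
    if state["frozen"]:
        findings.append("security frozen (SECURITY FREEZE LOCK issued, usually by the BIOS): "
                        "password commands abort until the next power cycle")
    return findings


if __name__ == "__main__":
    for name, sample in (("locked drive", SAMPLE_LOCKED), ("unprotected drive", SAMPLE_DISABLED)):
        print(name)
        for finding in assess(parse_security(sample)):
            print("  -", finding)
```

On a Linux host the same text comes from `hdparm -I /dev/sdX`. Two details matter for the rest of this article: at security level high the master password unlocks data as well as erasing it, and a master password revision code of 65534 (0xFFFE) is the initial value the ATA specification defines, which means the master password has never been changed from whatever the manufacturer shipped. Whatever the flags say, none of them indicate encryption; the lock only gates the read command.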

On the surface, hard drive password locking appears to provide great protection, and many individuals and organizations are using this method to safeguard sensitive data stored on their computer hard drives. Unfortunately, in nearly all cases an attacker can easily disable the password lock and gain full access to the data on the drive.

Michael Crooker learned the hard way that hard disk password locking is not secure. He purchased a personal Compaq computer in September of 2002 specifically because of its DriveLock ATA password locking security feature. According to Crooker, the computer's manual claimed that if one were to lose both the Master and User Passwords the hard drive is useless. Not even Compaq can access the data[3].

However, after being arrested for selling a rifle with a silencer, Crooker’s computer was confiscated.  Law enforcement agents who did not have the hard disk password quickly removed the security mechanism and had full access to Crooker’s data. They found plenty of incriminating evidence. The case received considerable attention because Crooker sued both the retail establishment that sold him the computer and the computer manufacturer for false advertising.

Hardware tools easily remove hard disk passwords

The details of how the password security on Crooker’s PC was disabled were not disclosed, but one need not search very far to find numerous methods to defeat this security mechanism. In Crooker’s case, law enforcement agencies most likely used a hardware tool specifically designed to remove hard disk passwords. 

One such tool, the HDD Rock from YEC, sells for a little over $1,000. The product documentation states: “Instantly removes unknown passwords from locked hard drives. Total process time under 2 minutes.”[4] In addition to the HDD Rock, a number of vendors offer similar products, including Ultrec[5], Vogon[6], AFF Laboratory[7], and others.

YEC and the other companies listed in this article sell their password recovery tools to law enforcement agencies and data recovery firms that are in the business of assisting legitimate owners in recovering their own data. These companies validate drive ownership before they will unlock a drive. However, there are other firms that will sell unlocking tools or provide unlocking services to anyone, no questions asked.

Hard disk password removal as a service

There are many companies that have the equipment and skills to unlock a password-protected hard drive. Bob Weiss, CEO of Password Crackers, said that for around $100 his company can easily recover 90 percent of password-locked drives, and that $1,000 will remove the password security from any drive. Datatrack LABS, located in the United Kingdom, will also remove hard disk password protection as a service, as will a number of other firms; Datatrack LABS likewise claims the ability to unlock any drive whatsoever.

How hard disk password security is defeated

Although hard disk password drive locking conforms to an industry standard, different drive manufacturers implement the security feature in slightly different ways. Authors of password removal tools use a variety of methods to determine how to remove the hard disk ATA password from the various drives. Once the technique has been mastered for a particular drive model, the same method can be applied to all drives of the same model. Over time the tools have become smart enough to quickly and easily remove the password lock from nearly all models of disk drives. For example, the product literature for HDD Rock says it can remove the passwords from Toshiba, Seagate, MDT, Maxtor, Samsung, Western Digital, Fujitsu, and other drives.

Our intent here is to warn legitimate users about the limitations and risks of hard disk password locking technology, not to educate would-be hackers. Consequently we will provide only a high-level description of some of the methods used to defeat hard disk ATA protection.

One general approach to removing a hard disk password is to find the service area on the hard disk that contains information the drive needs to function properly. Within this service area is a flag that tells the drive whether the password feature is enabled, and if a password is set, it is stored there too. There are several ways to locate this information within the service area; one is simply to use two identical drives, one with the password feature enabled and the other with it turned off. Comparing images of the two otherwise identical drives reveals where the flag and the password are stored. Once these locations are known, a number of methods can be used either to clear the flag, thus disabling the feature, or simply to read the password, and the same procedure then works on any drive of the same make and model.

In at least some drive models, the passwords are actually stored unencrypted within the drive’s service area. As long as the password for one drive is known, the drive can be searched to find that particular password string and thus determine where passwords are kept on all similar drives. Once this is known, it is a trivial matter to crack the system on any drive of the same model by reading the password from the now-known location.
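To make the comparison method of the two preceding paragraphs concrete, here is an added Python example; it is not from the article or from any password-removal tool. Real service areas are reachable only through vendor-specific commands, so the images below are constructed: a block of vendor tables plus a one-byte enable flag and a clear-text password field, placed at offsets the analyst does not know in advance. Diffing the image of a drive whose password the analyst set against an unlocked drive of the same model reveals both locations; with those, the example reads the password out of a third image and clears the flag. The 32-byte field width is the ATA password length; everything else about the layout is invented for the illustration.

```python
ATA_PASSWORD_LEN = 32          # ATA user and master passwords are 32 bytes

# --- "vendor" side: a constructed service-area layout the analyst does not know a priori ---
SA_SIZE = 512
_FLAG_OFF = 0x40               # 1-byte "password enabled" flag
_PW_OFF = 0x1A0                # 32-byte clear-text password field (NUL padded)


def make_service_area(vendor_tables, password):
    """Build one drive's service-area image: vendor tables, then flag and password field."""
    sa = bytearray(SA_SIZE)
    sa[:len(vendor_tables)] = vendor_tables
    if password is not None:
        sa[_FLAG_OFF] = 1
        sa[_PW_OFF:_PW_OFF + ATA_PASSWORD_LEN] = password.ljust(ATA_PASSWORD_LEN, b"\0")
    return bytes(sa)


# --- analyst side: uses only the images and the password of a drive the analyst owns ---
def differing_runs(a, b):
    """Offsets where two equal-length images differ, grouped into (start, length) runs."""
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs


def locate_lock_fields(unlocked_sa, locked_sa, known_password):
    """Compare an unlocked and a locked image of the same model. The run that holds the
    known password is the password field; a remaining 1-byte run is the enable flag.
    Returns (flag_off, pw_off), or None if either could not be identified (layouts where
    the two fields are adjacent merge into one run and need a closer look)."""
    flag_off = pw_off = None
    for start, length in differing_runs(unlocked_sa, locked_sa):
        if locked_sa[start:start + length] == known_password:
            pw_off = start
        elif length == 1:
            flag_off = start
    return None if flag_off is None or pw_off is None else (flag_off, pw_off)


def recover_password(victim_sa, pw_off):
    """Read the clear-text password of another drive of the same model."""
    end = victim_sa.find(b"\0", pw_off, pw_off + ATA_PASSWORD_LEN)
    return victim_sa[pw_off:pw_off + ATA_PASSWORD_LEN if end < 0 else end]


def is_lock_enabled(sa, flag_off):
    return sa[flag_off] == 1


def clear_lock_flag(sa, flag_off):
    """The other route: patch the image with the flag cleared, which disables the lock."""
    patched = bytearray(sa)
    patched[flag_off] = 0
    return bytes(patched)


if __name__ == "__main__":
    tables = b"FW-TABLES-v1" + bytes(range(32))        # constructed vendor data shared by the model
    unlocked = make_service_area(tables, None)
    mine = make_service_area(tables, b"labpass")        # analyst's own drive, password known
    victim = make_service_area(tables, b"s3cret!")      # target drive, password unknown
    flag_off, pw_off = locate_lock_fields(unlocked, mine, b"labpass")
    print(f"flag at {flag_off:#x}, password field at {pw_off:#x}")
    print("victim password:", recover_password(victim, pw_off))
    print("lock enabled after patch:", is_lock_enabled(clear_lock_flag(victim, flag_off), flag_off))
```

The analyst functions never use the vendor constants; everything they need comes from the diff and from one password they chose themselves, which is exactly why a single reference drive is enough to open every other drive of that model.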

Another technique that works on some systems uses a second, unlocked disk drive to fool the controlling software into changing the password on a locked disk. The general procedure is to remove the locked hard disk from the computer, install an unlocked disk in its place, reboot, and set a password on that disk. The operator then re-enters the configuration screen and chooses the change-password command. After the system prompts for the current password to authenticate the change and then prompts for the new password, the unlocked drive is removed while the system is running and the original drive, with the unknown password, is installed in its place. The change-password command is then completed, which resets the password on the locked drive to a known value.

An alternate method to bypass the password protection is much more involved and requires the right equipment and a special clean room, but it works on every disk drive. In this approach the seal is broken on the password-protected hard drive, the case opened and the hard disk platters removed. The platters are then reassembled in another hard drive where the password is known or disabled.

Encryption is the only secure protection

The problem with relying on hard disk ATA password security is that the data itself remains unprotected. Because password locking does not encrypt any data, once the lock is defeated the data can be read and stolen.

The solution is to encrypt the data. If the data on the hard drive is encrypted, it remains protected even if the password lock on the drive is defeated. A drive with its password lock beaten will retrieve data, but that data is useless if it is securely encrypted.
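The difference between a lock and encryption can be shown in a few lines. The Python below is an added example, not code from the article or from Seagate: it models a password-locked drive, whose platters hold plaintext, next to a self-encrypting drive, whose platters hold ciphertext under a random media encryption key that the password only unwraps. A counter-mode keystream built from HMAC-SHA256 stands in for the AES-XTS a real drive uses, so the example runs with the standard library alone; the sample record is constructed.

```python
import hashlib
import hmac
import os

DIGEST = 32


def keystream(key, nbytes):
    """Counter-mode keystream from HMAC-SHA256, standing in for the AES-XTS of a real
    self-encrypting drive so that the example needs only the standard library."""
    out = bytearray()
    for ctr in range((nbytes + DIGEST - 1) // DIGEST):
        out += hmac.new(key, ctr.to_bytes(8, "big"), "sha256").digest()
    return bytes(out[:nbytes])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class PasswordLockedDrive:
    """ATA-style password lock: the password gates the read command and nothing else."""

    def __init__(self, data, password):
        self.password = password
        self.locked = True
        self.media = data                     # platters hold the plaintext

    def read(self, password):
        if self.locked and not hmac.compare_digest(password, self.password):
            raise PermissionError("drive locked")
        return self.media

    def platters(self):
        return self.media


class SelfEncryptingDrive:
    """Drive-level FDE: a random media encryption key (MEK) encrypts the data; the password
    only derives a key that wraps the MEK, so the password never touches the data itself."""

    def __init__(self, data, password):
        self.salt = os.urandom(16)
        mek = os.urandom(DIGEST)
        kek = self._kek(password)
        self.wrapped_mek = xor(mek, keystream(kek, DIGEST))   # toy wrap; real drives use AES key wrap
        self.check = hmac.new(kek, b"password-check", "sha256").digest()
        self.media = xor(data, keystream(mek, len(data)))     # platters hold ciphertext

    def _kek(self, password):
        return hashlib.pbkdf2_hmac("sha256", password, self.salt, 100_000)

    def read(self, password):
        kek = self._kek(password)
        if not hmac.compare_digest(hmac.new(kek, b"password-check", "sha256").digest(), self.check):
            raise PermissionError("wrong password")
        mek = xor(self.wrapped_mek, keystream(kek, DIGEST))
        return xor(self.media, keystream(mek, len(self.media)))

    def platters(self):
        return self.media


def defeat_lock(drive):
    """What the password-removal tools and platter swaps described above end up with: the raw
    contents of the platters, obtained without ever presenting a password."""
    return drive.platters()


SECRET = b"name=Jane Doe, SSN=123-45-6789\n" * 4   # constructed sample record

if __name__ == "__main__":
    for cls in (PasswordLockedDrive, SelfEncryptingDrive):
        drive = cls(SECRET, b"hunter2")
        leaked = b"123-45-6789" in defeat_lock(drive)
        print(f"{cls.__name__}: SSN visible after lock bypass = {leaked}")
```

Both drives refuse a read with the wrong password, so from the outside they look equally "protected". Only the self-encrypting drive still protects the data once the lock is gone, and only because the key that matters was never derived from the platters or from the password alone.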

Fortunately good, transparent encryption solutions are becoming available. Gone are the days when one had to be a techno-geek to install, configure, and manage encryption. Software-based full disk encryption products have been available for several years from companies like GuardianEdge[8], SafeBoot[9], and Pointsec[10] (recently acquired by Check Point). Although these are aftermarket solutions that must be installed on existing systems and require a significant effort to deploy at large organizations, using them is much better than relying on hard disk password locking.

However, the best news by far is that the hard disk manufacturers themselves are starting to provide full disk encryption built into the drives. Seagate is the leader in this area with its newly released Momentus 5400 FDE.2 drive.[11] Seagate is also heading up a standards-based initiative in conjunction with the Trusted Computing Group (TCG), which will, if successful, make encryption performed within hard-disk drives ubiquitous.  The initiative, run by the TCG Storage Workgroup, has wide industry participation, so the prospects are promising.

Full disk encryption performed within the hard drive itself provides the best solution for protecting data stored on the hard disk.

Conclusions

The risks to organizations of losing confidential data stored on hard drives in PCs and servers cannot be ignored. Using hard disk password security to protect data is better than relying on BIOS or operating system passwords, but it is not strong enough for most organizations. Hard disk password security can be easily defeated by an attacker, either through a service or by obtaining password removal tools from any number of sources. Because hard disk password systems do not encrypt the actual data, a defeated lock allows full access to the data on the drive. This means that hard disk ATA password security alone is not secure enough for protecting anything but casual data.

For most organizations, obtaining adequate protection of sensitive data on their disk drives requires encrypting that data. Software-based full drive encryption systems are one solution, but the next generation of encrypting hard disk drives have important advantages over the software-only solutions and will certainly be of value to any organization with high-value or regulated information.

Bill Bosen is a partner at the research and advisory firm, Trusted Strategies, LLC. This research was sponsored by Seagate.
http://www.trustedstrategies.com/
http://www.seagate.com/


[1] National Crime Prevention Council, http://www.ncpc.org/

[2] Privacy Rights Clearinghouse, http://www.privacyrights.org/

[3] Information Security News, May 1, 2006, Your Computer Is Not Secure

[4] HDD Rock Password Removal Tool: http://www.yec-usa.com/products/hddrock.htm

[6] Vogon Password Cracking POD http://www.vogon-forensic-hardware.com/

[7] AFF Laboratory’s Repair Station http://www.hdd-tools.com/products/rrs/drives/

[8] GuardianEdge Technologies Inc. http://www.guardianedge.com/

[9] SafeBoot International, http://www.safeboot.com/

[10] Pointsec Mobile Technologies, http://www.pointsec.com/

[11] Seagate Momentus 5400 FDE.2 encrypting drive, http://www.seagate.com/