At Your Disservice, How ATA security functions jeopardize your data

Status
Not open for further replies.

Osiris

Golden Master
Messages
36,817
Location
Kentucky
At Your Disservice

How ATA security functions jeopardize your data
With most notebooks it is possible to secure the hard disk against unauthorized access with the aid of a password. Without the latter the disk, even when inserted into another computer, won't divulge its data. In the meantime this security function has become a feature of all 3.5" ATA hard disks and can hence be used - and abused - on desktop PCs!

One morning the screen stays blank - disk boot failure, insert system disk and press Enter. Could it be that the hard disk has given up the ghost overnight? No unusual noises can be heard and the disk does register with the BIOS. A DOS from a diskette boots suspiciously slowly and cannot access the hard disk - things aren't looking too good. And so into the Internet at the double with your second PC in search of diagnostic software. In such cases Hitachi's Drive Fitness Test is a blessing; its diagnosis tells you: "Device is password protected and cannot be tested." The hard disk is password protected. And who did that? And what is more important still: What is the password and how do I remove it?

In the last edition of c't magazine a number of articles appeared on how through encryption confidential data can be protected against outside scrutiny [1]. In that edition a further article had originally been slated to appear describing how instead of taking such elaborate measures hard disks could simply be sealed with the aid of a password. Such a move would be simple, take next to no time, involve no drag on performance and be considered sacure. Notebooks have been offering this function for a long time now, as have a number of desktop PCs and in the case of the others the function can easily, with the help of a few simple tools, be added on.

But in the course of our investigation the horror scenario described above suddenly cropped up: What if an unauthorized party were to lock a hard disk with a password? And what if that party was a virus? Then a set of simple tools won't suffice to give you access to your data. The options would be to throw the disk away - or place it in the hands of someone who specializes in retrieving data. He or she will in all probability be able to remove the password protection (see Box), but in turn will, according to how much effort was involved, ask several hundred euros for his or her services, thereby rendering the hard disk a total loss in economic terms.

Should such a calamity happen in a small company with a record of not looking after its data and in which back-ups were a weekly event, the data loss would be tremendous or at least the downtime until a specialist had unlocked the disk again would present massive problems. Then again, the computer administrator of a major company would surely break out into quite some sweat too if a worm succeeded in "locking" several hundred hard disks at the same time. We are hence dealing here with a full-blown security loophole affects all computers with ATA hard disks regardless of the operating system.

Fortunately, to date no virtual pest is known that can set hard disk passwords. There are indications, however, that one might already exist. At the beginning of March we received a call for help from a reader who said that his hard disk had suddenly been locked with a password unknown to him. High time then to look in detail at the mechanism which for some years now has been implemented in almost all ATA hard disks (IDE and Serial ATA). In many computers this mechanism rests unused making it possible, to use - or abuse - it with one's own software.

Locking Cylinder
The so-called Security Feature Set is part of the ATA specifications [2]. It provides for two 32-byte passwords, the "User Password" and the "Master Password." In the event of a user having forgotten his or her password the latter functions as a second key allowing the computer administrator in a company to save the disk all the same. Both passwords can be set independently as any random sequence of bytes.

The protection is activated by setting the user password with the aid of the ATA command Security Set Password (setting the master password does not activate the protection). Thereupon the hard disk initially remains accessible. When the computer is switched on again, however, or after a hardware reset, the disk is locked. The disk in this state allows no access to its data and accepts only a limited number of commands, such as, for instance, Identify Device, which is used to call up the device's type designation, serial number and the like.

The command Security Unlock in conjunction with the password temporarily unlocks the hard disks allowing one to work with it in a normal fashion. The security function remains in operation, however: At the next cold boot the disk is again found to have locked itself automatically. Not until the command Security Disable is entered together with the correct password will the locking mechanism turn itself off permanently. The hard disk will accept this command only when in an unlocked state.

When setting his or her password the user can choose between the security levels "High" and "Maximum." When the level "High" is chosen the disk will accept either the user or the master password to unlock the disk or disable the protection function. When "Maximum" is the choice only the user password will provide access to the data. Should it get lost then the administrator with his or her master password will only be able to unlock the disk after forfeiting all the data stored upon it. Which step is accomplished by the command Security Erase: It erases all the information by writing zeros onto all sectors of the hard disk before again allowing access to it.

Taking Care
To prevent the Security Feature Set from being abused the developers have created the command Security Freeze Lock. It freezes all security settings until the next cold boot, thus the hard disk will, in particular, no longer accept changes to passwords. The whole thing is designed to be implemented in the BIOS of notebooks: In the Setup menu of the notebook a hard disk password can be established which its BIOS then requests every time the device is switched on. After unlocking the disk and before starting the operating system the BIOS is meant to freeze the security settings to ensure that password protection remains safely under its control.

The question is: have the BIOS programmers of the desktop PC manufacturers thought of this? A tour of inspection through the device zoo of c't magazine's editorial staff provided some shocking insights: In the case of two thirds of all the PCs inspected the security functions were not frozen; and this group included not only devices cobbled together but also current branded PCs by Dell, HP and Apple. Of all BIOSs, the most popular one, Award BIOS, was unaware of ATA Security. Those that did prove to be protected were Fujitsu-Siemens computers (Phoenix BIOS 4.06), a Compaq PC and a number of devices equipped with AMI BIOS. Among the 16 current notebooks inspected four devices were found whose hard disk security was not frozen: Acer TravelMate 4050LMi, Asus V6V, Benq Joybook 5100e and Gericom Overdose 1440e. The Asus Model did at least freeze the security functions once a hard disk password had been set.

That the notebooks' error rate should be so low is not really that surprising, given that the security function was designed with them in mind. It has been a standard feature of 2.5" hard disks for ten years now - more than enough time for manufacturers to adjust the BIOSs of their notebooks to supporting it properly.

When in those states indicated by a red background the hard disk is vulnerable to password setting attacks. Only freezing the function will provide security.

Since 1998 IBM has also been implementing password protection in 3.5" fixed disks. When Microsoft wanted to keep the content of the hard disk of its game console Xbox a secret Seagate built a 3.5" hard disk with ATA Security for it, Western Digital then followed suit and, before one knew what was going on, it was present as a feature in all ATA fixed disks. But for a few exceptions PC manufacturers have to this day - years later - not taken note of it or have underestimated its potential for harm.

A Potential for Harm
How difficult is it in practice to lock a hard disk with a password, when the BIOS does not prevent one from doing so? For anyone with physical access to a PC its child's play: He or she boots a DOS from a diskette or a CD, then uses, for example, the program Atapwd, which is freely available on the Internet. A potential virus that runs under a current operating system such as Windows XP, Linux or Mac OS X would have a somewhat more difficult time of it. For one it would have to sneak around the (preferably active) virus scanner and thereafter require administrator rights to communicate with the fixed disk directly. As many Windows users are still working as administrators that is not much of an obstacle, however, and as for Mac OS X, entering one's administrator password to install any old piece of shareware has become common practice - hence it is quite easy to stumble into a trap here.

For programs under Windows several more or less well-documented mechanisms exist for issuing ATA commands. The procedure for Windows 2000 described in [3] (luckily) only works with commands that read data from a hard disk, in other words, do not transmit data, and not with those such as Security Set Password that send data to one. Even with the new method that Microsoft has implemented in Windows Server 2003 and XP with SP2 (IOCTL_ATA_PASS_THROUGH) we have so far not been able to successfully issue the command. Setting a hard disk password is hence more than a finger exercise for a programmer. As the ever new worms and root kits serve to show, however, the requisite know-how is out there among the scene of potential villains. In any case, given administrator rights it is possible, for these allow one to load a driver while the system is running, which driver is then allowed to do whatever it likes. And a string of virtual vermin need not be nicely programmed ...

Countermeasures
We have refrained from writing a driver of this kind. Instead we have opened up WinAAM, a program designed for automatic acoustics management, a crack. It now indicates the security settings of all ATA hard disks and will, should you desire it to do so, send them the command Security Freeze Lock. This, of course, is to be understood as more of a demonstration of technology than as a security tool, because the measure will only be effective up to the next cold boot. We have therefore also implemented the Freeze function as a service which secures the hard disks at every system start-up and before the user logs in.

Under Linux hdparm supplies the necessary infrastructure. Executed with root rights the current version displays with the option -I, among other things, the security settings of (at present only parallel) ATA hard disks. When the output indicates "not frozen" the disk is in danger. We have expanded hdparm to include the option -F, so as to be able to send the Freeze command to hard disks from out of an init script. The patches as well as an executable version are available; we have also contacted the developer and are confident that he will integrate this option into a future version. In principle hdparm can be reworked in such a manner as to set hard disk passwords.

Mac OS X behaves in a similar fashion to Windows: Given root rights kernel extensions can be loaded, which can then issue ATA commands. We have programmed an extension of this kind which sends the Freeze command to all ATA hard disks within reach (see Box).

Regardless of whether under Windows, Linux or Mac OS: Though protecting the hard disk when the system is running is better than nothing, it could be a move too late, for a pest could well have lodged itself surreptitiously in some place where it is executed the next time the system is started up, such as, for instance, the master boot record, the boot sector or even further back in the loader of the operating system. The only possible step that will also guard one against such an eventuality is to boot from a write-protected medium such as a CD-ROM a program that will secure the hard disk first and only thereafter allow the device to boot its operating system. We have developed such a bootable CD (see Box).

Taking the Bull by the Horns
The effect of the Freeze command only lasts for as long as the hard disk stays switched on or until it receives a reset signal. Many boards also generate this reset signal in the event of a warm boot, so that in principle it is necessary to boot from a CD every time. The standby mode S3 (Suspend-to-RAM) is off limits, because after coming back on the hard disk is in its basic state.

To force oneself to use the CD, one could take the bull by the horns by setting a password oneself with the aid of the above-mentioned DOS program Atapwd. In which case the hard disk would only respond if it was first unlocked by Atapwd or a like fitting tool. The above-mentioned CD will accomplish this for you and will, what is more, send the Freeze command; should thereafter the CD for once not be in the drive to begin with, it will not be possible for you to boot your computer in an unprotected fashion. Once this kind of arrangement has been chosen, however, the S3 standby mode is off limits once and for all, because should it be used nonetheless, then after coming back on the hard disk would be locked and Windows would crash.

It goes without saying that before setting your password you will have to try out whether your computer boots flawlessly from the CD (in the case of some BIOSs or in that of unusual boot configurations you might not succeed). Please note that when entering the password later on on the BIOS level the American keyboard layout applies. Attention: Should you forget both the User and the Master password there is no way to unlock the hard disk by any ordinary means! Then only expensive data retrieval services will be able to help you. We cannot guarantee that Atapwd will function properly at all times, all we can do is attest to its smooth running in all our tests to date.

Of course it is annoying to have to keep a boot CD in your CD drive on a permanent basis and to enter a password every time you boot your system. Should your computer be prone to this security loophole then in the long run a BIOS update is the only decent solution. Because this is so and with the intention of warning the major computer manufacturers in advance and hence giving them an opportunity to set their BIOS programmers the task of solving this problem we refrained from publishing, as originally planned, this article in the No. 7 issue of c't Magazine. Yet by the time this article went to press we had received official responses from only a few of the manufacturers.

Official Responses
According to the present state of knowledge all Dell desktop PCs are affected, but not company's notebooks. Dell was taking the information provided "very seriously and is at present investigating the problem identified intensively," the company spokesman Christoph Kaub declared. Work on an improved BIOS for new PCs was in progress and in the case of older PCs Dell intended to make updates available step by step, he added.

Hewlett-Packard stated that all HP BIOS versions froze the hard disk's security functions. In the case of one Media Center PC from the M200 Series (M260N) we detected, however, that the protection only applies to the primary master hard disk. The second hard disk on the secondary IDE channel was left unprotected. In the case of an approximately two year old Pavilion System not even the primary hard disk's security was frozen.

Medion, the company that manufacturers PCs for, among others, the major German retail chain Aldi, said that owning to staff shortages it was not in a position to answer our questions. Even after we pointed out that, among others, the PC distributed by Aldi in November (Titanium MD8383XL) was affected, the company's response did not change. Given this kind of attitude BIOS updates are not to be expected any time soon.

Apple also sees no need for action - to load a kernel extension it is necessary to enter the administrator's password, the company noted. We have come to an agreement with Apple to the effect that we will program a demonstration of the damaging action and make it available to Apple. Perhaps someone in the United States will change his or her mind once he or she can only access their hard disk after entering correctly "c't Magazin für Computertechnik" (including the umlaut!).

Conclusion
Originally it was quite a promising idea to equip hard disks with a password protection function. Especially with regard to notebooks this is a useful feature as, in the event of theft, it prevents at least the confidential data from falling into the wrong hands. Unfortunately, the protection provided isn't good enough - specialists are able to outwit it. If your secrets are more worth to you than a few hundred euros you would be well-advised to protect them not only by assigning a password to your hard disk but also by encrypting them.

Equipping desktop hard disks with a protective mechanism before all BIOSs could handle it properly was definitely not a good idea, as thereby doors to abuse were thrown open. That so far no notable damage has been caused is probably due to the fact that these days criminals who have specialized in this field much prefer spying on computers and controlling them remotely via the Internet for their own purposes to breaking them.

In light of the current state of affairs the ATA Security Feature Set is not much of a security boon, more like a security hole with a fairly large loop that needs to be closed through BIOS updates as soon as possible.

How safe do passwords render hard disks?
The ATA Security Feature Set described in this article is hard disk firmware-implemented password lock. Though performance is not affected by it, it provides less security than strong encryption. The moment someone outwits the firmware all data are up for grabs.

The hard disk manufacturers have repeatedly assured the public that they have not built into their devices backdoors in the form of secret master keys and are hence themselves unable to unlock a password-secured hard disk. Even swapping the electronics of the protected hard disk for that of an unprotected one will not suffice to outwit the protection, because large sections of the firmware and the password itself are stored on the hard disk itself and not as one might have expected in flash memory on the motherboard.

Resourceful minds working for data retrieval companies have nonetheless found ways and means of circumventing the password. The company Ibas was kind enough to give us a demonstration of their skills. We locked a WD1000JB with a password of 32 bytes length and sent it to the company, only to receive, by return post as it were, the "secret" file we had stored on it. "There was a bit of luck involved," Ibas's managing director Karl Flammersfeld said. "When we are already familiar with a hard disk model we can do these things quickly. In the case of models unknown to us, it may take us a while, but for the most part our efforts are successful." How the trick works, he would not say - it's a trade secret. What is apparent though is that it is not necessary to open the hard disk to get at the data.

Thus the sobering upshot to the topic of ATA Security is: As data retrieval companies have found a way around it, the mechanism must be considered too unsafe for truly sensitive data. As only data retrieval companies have found a way around it the mechanism can be (ab)used to wreak considerable havoc.

Inoculating Mac OS X
Under Mac OS X our kernel extension ATASecurity.kext protects the hard disk against malicious password setters. It works with hard disks with a parallel ATA interface, such as those in Macs with a G3 or G4 CPU, as well as with the serial ATA hard disks to be found in G5 Power Macs. The installation routine is carried out by a program written in AppleScript whose packet contains the extension.

To install you have to be logged-in as administrator. Before copying the kernel extension into the directory /System/Library/ Extensions the installer carries out a function test. It is not necessary to reboot the system, ATASecurity will take up its work immediately.

Those who prefer to install manually at the terminal can get at the extension in the Finder via the function "Show Pakage Contents" from the context menu of the installer file (Ctrl-Click). There it is to be found in the directory "Resources".

ATASecurity cannot be unloaded when active. We deliberately dispensed with this capability, so as not to provide an opportunity for an attacker to outwit the protection. Should you for some reason wish to delete the extension you must first start the Mac while holding down the Shift key. Then the system will not load the extension and the installation program can subsequently remove it completely.

Unfortunately, the kernel extension ATASecurity does not provide total protection. Although when once active it will thwart all attempts by an attacker to set a hard disk password, there is no guarantee that malicious software might not, prior to the activation of ATASecurity, have caused harm. There does not seem to be a way under Mac OS X for developers to determine the start sequence of kernel extensions. (adb)


Inoculating your PC with a bootable CD
With the aid of the bootable CD we developed (included with c't 8/05, or available for download) it is easy to find out whether your PC is susceptible to password setting attacks. When you boot with it the ATASecurity program is launched. It will check all ATA hard disks hooked up to the system for security functions and whether or not these are "frozen" as they should be. If everything is OK the software will after a short delay boot the operating system from the hard disk and henceforth you will never again have to worry about hard disk passwords.

Should ATASecurity detect a vulnerable hard disk it will, after issuing a prompt to the user, send it the ATA command Security Freeze Lock, which freezes the protective mechanism, thereby preventing any malicious setting of passwords. Attention: The protection bestowed only lasts until the next cold boot. Only a BIOS update - supplied once the manufacturer of the PC or main board in question has recognized and remedied the problem - can confer permanent protection. Until then the safest way to proceed is to boot the computer exclusively with the aid of the CD.
 
Status
Not open for further replies.
Top