All times are UTC - 5 hours [ DST ]




 Post subject: Security theater (backdoor ATA Master Password)
PostPosted: May 30th, 2010, 15:49 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
Security theater: "security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security". (from Wikipedia)

So a while back, I bought a Seagate Momentus 5400 FDE.3 drive (ST9320329) (FDE = Full Disk Encryption) with the intention of completely securing my data from even sophisticated attacks like DRAM freezing. Being an FDE drive, all data on the drive is always encrypted as it is written to the platters (at least that's the claim), using a unique key that is stored in the drive's electronics and never leaves the drive unit (this vs. software encryption where the key is stored somewhere in system DRAM). To get to the key you would have to dismantle the drive's electronics to expose the chip containing the key and then you *still* may not be able to read it without inputting a password. So it seems like a pretty decent security measure (though I presume it's not 100.0000% foolproof and should only be used in combination with other measures if you want really tight security).

From the factory, the data isn't secure because even though the data on the drive is encrypted, there's no access control in place to start with. That is so that you can just pop it in any system and use it like a regular drive without jumping through any hoops. A backwards compatibility of sorts. Fair enough. With the ST9320329, access control is turned on via standard ATA User/Master Password. That is, once a password is set, the drive will not offer any access (in fact, the chip that holds the key apparently won't disclose it to the rest of the drive's electronics) until that password is provided using the standard ATA boot-time (BIOS) drive unlocking protocol.

One might easily be tricked into thinking that once you set the ATA password (using your system's BIOS setup screen) that you're all set. However, as you gurus out there know, system BIOS screens typically only let you set the ATA User Password and not the ATA Master Password (in fact, I've yet to discover any BIOS that lets you change the ATA Master Password and this is at the crux of the problem, but more on that later). As best I can tell, according to the ATA Standard, once the ATA User Password is set, then if an ATA Master Password is set, that will also work to unlock the drive at boot-time (assuming you're in "High" security mode - the default, if I understand correctly - and not "Maximum" security mode). No problem so far, right? You might presume that from the factory, an ATA Master Password wouldn't be set and all you need to do is set the ATA user password and you're golden.

Not so.

According to Seagate's user manual for Momentus FDE.3 drives, "Upon shipment from the Seagate factory... the ATA master password is set to the Security ID (SID)."

Reference:
http://www.seagate.com/staticfiles/support/disc/manuals/notebook/momentus/5400%20FDE.3/100513273a.pdf
(see 1.2.1 on p.3)

And here's the kicker - the SID is printed on the drive itself! That is, from the factory, there is a bypassing backdoor password printed right on the drive.

Thus, even if you set a hard drive password in your system BIOS screen, your data is still fairly easy to access.

Am I missing something here? This doesn't seem right. Seagate touts the security of their Momentus FDE drives as a selling point, but then they print a backdoor password right on the drive. What's worse, there's apparently no way for even a sophisticated user to change that ATA Master Password from anything other than the SID that's printed on the drive. I'm not an HDD Guru, but I'm no slouch either and I have yet to figure out a way to change the ATA Master Password. Asking for support from Seagate has proven futile - they refuse to disclose any method for changing it.

So, to summarize this episode of Security Theater:

Seagate sells their Momentus FDE drives touting "government-grade" security, but they print a documented backdoor password on the drive and refuse to disclose any method to change that password.

Again, am I missing something here? Is this not preposterously ludicrous?

BTW, I've tried out utilities like Victoria, but you can't change ATA passwords once your system has booted because changes are frozen out by any system I've tried (using the ATA SECURITY FREEZE LOCK command) in order to (wisely) counter the possibility of malware screwing with your ATA password(s).

I even bought an old laptop cheap on eBay (Thinkpad T60) because its BIOS was documented as being able to change the "Master HD password". However, that was a mirage - the "Master HD password" is not the ATA Master Password - it's only a password that allows you to disable the ATA User password.

So what's a tinkering dude supposed to do here? Am I just out of luck, having been snookered by this security theater?


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: May 31st, 2010, 15:42 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
Tinkerdude here again.

FYI, technically the model of my drive has an AS on the end of it. That is: ST9320329AS

And for what it's worth, Seagate's page for this product is at:

http://www.seagate.com/ww/v/index.jsp?vgnextoid=a52f03d4d19ec110VgnVCM100000f5ee0a0aRCRD&locale=en-US#tTabContentSpecifications


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: May 31st, 2010, 16:09 

Joined: July 18th, 2006, 3:05
Posts: 7526
Location: ITALY
Don't have such a drive at hand to make a test, but if you use plain DOS and a plain system, I think that you CAN always change the drive master password, assuming you know the previous one.

Otherwise, you have to deal with the internal drive security subsystem.

You pointed out something interesting instead: people pay little or no attention to details, hence the "printed backdoor" problem. It's like people who use Wi-Fi routers or other networking equipment right out of the box and don't even change the administrative PW, so in many cases it is possible from the WAN or over the air to identify the manufacturer and use the commonly known passwords to gain control of the device.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 10:29 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
BlackST wrote:
Don't have such a drive at hand to make a test, but if you use plain DOS and a plain system, I think that you CAN always change the drive master password, assuming you know the previous one.


Well, it seems to me this would require:

1. A system that has both
* a SATA interface
AND
* a BIOS that will NOT send the ATA SECURITY FREEZE LOCK (which locks out password changes at boot-time until reboot).
2. a DOS driver for the SATA interface in the system described in 1.

It might not be too difficult to find a system with an old enough BIOS that it won't freeze out password changes after bootup (though that would still be pretty old, I imagine). However, such an old system will likely NOT have a SATA interface, let alone a DOS driver for that interface.

So it seems to me a tougher problem than it might first appear.

tinkerdude


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 11:35 

Joined: August 12th, 2008, 13:11
Posts: 3241
Location: USA
If you boot to an MHDD CD you should have no problems dealing with ATA password stuff. You can unplug and replug the drive while in the program if you need to.

_________________
You don't have to backup all of your files, just the ones you want to keep.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 13:42 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
drc wrote:
If you boot to an MHDD CD you should have no problems dealing with ATA password stuff. You can unplug and replug the drive while in the program if you need to.


Ah, if it were only that simple 8-)

I can't get MHDD to even find the drive using just this method (latest version 4.6, ISO CD version). This is on a ThinkPad T60. It sees the CD drive just fine, but that doesn't help me. (I did try the /enableprimary command-line option too, for what it's worth). I'm attaching an image (or will attempt to, anyway) of the screen that I see if anyone would care to diagnose...

tinkerdude


Attachment: mhddsmall.jpg (image of MHDD startup screen)
 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 13:49 

Joined: August 12th, 2008, 13:11
Posts: 3241
Location: USA
Probably need to put it in ATA/IDE/Legacy mode instead of AHCI (or use a different computer).

_________________
You don't have to backup all of your files, just the ones you want to keep.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 14:27 

Joined: July 18th, 2006, 3:05
Posts: 7526
Location: ITALY
You can also use ATA/SATA converter and an old system with ATA only.
I have tried JMicron, Marvell and a couple of other chipsets and they work fine with MHDD.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 16:46 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
drc wrote:
Probably need to put it in ATA/IDE/Legacy mode instead of AHCI (or use a different computer).


Well, that helped. I changed the "SATA Controller Mode Option" from "AHCI" to "Compatibility" (see photo) and MHDD could then recognize the drive.

Problem is, it turns out that MHDD cannot change the ATA Master Password. The manual even says the "PWD command sets USER password". See http://hddguru.com/software/2005.10.02-MHDD/mhdd_manual.en.html#chapter2
There apparently is no support for changing the ATA Master Password in MHDD.

Now, Victoria for DOS does have an option for that and I was able to get that going. But the hitch is, as I suspected, you can't change passwords once the BIOS freezes the security with the ATA SECURITY FREEZE LOCK command. You can see in the photo below where Victoria shows "Security: FROZEN".

I tried popping the drive out and back in, but with this system (ThinkPad T60) when you pop in a drive that has the unfortunate side effect of cutting all video. The system doesn't crash, but I can no longer see what it's doing (not even via the external video port). So that's apparently a dead end as well.

Any other ideas?

tinkerdude


Attachments:
SATAconfig.jpg (ThinkPad T60 SATA Configuration)
victoriafreeze.jpg (Victoria for DOS shows frozen ATA security)
 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 17:00 

Joined: August 12th, 2008, 13:11
Posts: 3241
Location: USA
tinkerdude wrote:
I tried popping the drive out and back in, but with this system (ThinkPad T60) when you pop in a drive that has the unfortunate side effect of cutting all video. The system doesn't crash, but I can no longer see what it's doing (not even via the external video port). So that's apparently a dead end as well.

In that case I would recommend using a different machine

_________________
You don't have to backup all of your files, just the ones you want to keep.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 17:08 

Joined: August 12th, 2008, 13:11
Posts: 3241
Location: USA
An alternate approach to changing the master password would be setting the security level to maximum, so that even if the master password is provided the drive can only be erased, not unlocked.

_________________
You don't have to backup all of your files, just the ones you want to keep.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 17:11 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
drc wrote:
tinkerdude wrote:
I tried popping the drive out and back in, but with this system (ThinkPad T60) when you pop in a drive that has the unfortunate side effect of cutting all video. The system doesn't crash, but I can no longer see what it's doing (not even via the external video port). So that's apparently a dead end as well.

In that case I would recommend using a different machine


Thanks for the help :)

Does anyone have any favorite laptop (or desktop) makes/models for this sort of thing? That is, working with unfrozen SATA drives? I'm not exactly swimming in old machines, nor do I want to be, and before I snag one on eBay, I'd want to be confident it would do the job.

Or some other strategy? The ATA/SATA converter looks intriguing, but I'd also hesitate to go with one of those unless someone can say they've changed an ATA Master Password through it.

R


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 17:16 

Joined: August 12th, 2008, 13:11
Posts: 3241
Location: USA
I'd say pick up a working desktop from your local recycled crap dealer (and yes, the adapter should work fine unless it is horribly non-spec-conforming)

_________________
You don't have to backup all of your files, just the ones you want to keep.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 1st, 2010, 17:39 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
drc wrote:
An alternate approach to changing the master password would be setting the security level to maximum, so that even if the master password is provided the drive can only be erased, not unlocked.


Ah, yes, I can see that too. So you wouldn't actually have to change the ATA Master Password, but you would have to be working with a setup that could enable the Maximum Security option when setting the ATA User Password. Again, it looks like Victoria could do this (but not MHDD), yet there would still be the problem of getting around ATA SECURITY FREEZE LOCK.

Then again, that's unless someone knew of a BIOS that could set Maximum Security when setting the ATA User Password (even though it need not be able to set the ATA Master Password). I hope that anyone who knows of any such beast could chime in...

tinkerdude


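The states argued over in the posts above (frozen security, High versus Maximum level, a master password left at its factory value) can all be read from a drive's IDENTIFY DEVICE data. The following is an added example, not part of any post in this thread: it decodes word 128 (security status) and word 92 (master password identifier) as the ATA standard defines them. The function names and the two sample blocks are constructed for illustration, and word 92 is optional, so a drive may not report it.

```python
import struct
from dataclasses import dataclass

# Word numbers within the 256-word IDENTIFY DEVICE block (ATA standard).
WORD_MASTER_PW_ID = 92       # Master Password Identifier (optional feature)
WORD_SECURITY_STATUS = 128   # Security status bits

FACTORY_MASTER_ID = 0xFFFE         # identifier value for an unchanged master password
ID_NOT_REPORTED = (0x0000, 0xFFFF)  # identifier feature not implemented


@dataclass
class SecurityStatus:
    supported: bool
    enabled: bool        # a user password is set
    locked: bool
    frozen: bool         # SECURITY FREEZE LOCK has been issued
    count_expired: bool  # too many failed unlock attempts
    level: str           # "high" or "maximum"
    master_id: int


def parse_identify(block: bytes) -> SecurityStatus:
    """Decode the security fields of a raw 512-byte IDENTIFY DEVICE block."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", block)  # 16-bit little-endian words
    w = words[WORD_SECURITY_STATUS]
    return SecurityStatus(
        supported=bool(w & 0x0001),
        enabled=bool(w & 0x0002),
        locked=bool(w & 0x0004),
        frozen=bool(w & 0x0008),
        count_expired=bool(w & 0x0010),
        level="maximum" if w & 0x0100 else "high",
        master_id=words[WORD_MASTER_PW_ID],
    )


def findings(s: SecurityStatus) -> list[str]:
    """Summarise what the reported state means for master-password exposure."""
    if not s.supported:
        return ["security feature set not supported"]
    out = []
    if not s.enabled:
        out.append("no user password set: drive unlocks for any host")
    elif s.level == "high":
        out.append("High level: the master password unlocks the data")
    else:
        out.append("Maximum level: the master password can only erase")
    if s.master_id == FACTORY_MASTER_ID:
        out.append("master password identifier is the factory default")
    elif s.master_id in ID_NOT_REPORTED:
        out.append("master password identifier not reported")
    if s.frozen:
        out.append("frozen: password changes rejected until power cycle or hardware reset")
    return out


def make_block(status_word: int, master_id: int) -> bytes:
    """Build a constructed IDENTIFY block with only the two security words set."""
    words = [0] * 256
    words[WORD_SECURITY_STATUS] = status_word
    words[WORD_MASTER_PW_ID] = master_id
    return struct.pack("<256H", *words)


# Constructed samples, not captured from any real drive.
SAMPLE_BIOS_DEFAULT = make_block(0x000B, 0xFFFE)  # enabled, High, frozen, factory master
SAMPLE_HARDENED = make_block(0x0103, 0x0001)      # enabled, Maximum, master changed

if __name__ == "__main__":
    for name, blk in (("bios-default", SAMPLE_BIOS_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, findings(parse_identify(blk)))
```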
 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 2nd, 2010, 9:28 

Joined: September 29th, 2005, 12:02
Posts: 3135
Location: Chicago
Another pretty example of an "I know it all" user who apparently knows nothing but makes a mess here.

FDE has nothing to do with the ATA password. An FDE drive can have two passwords: one for FDE and one ATA password (just in case you may need it). Real protection comes with "Trusted mode", as you can see in a manual.
If you need FDE protection, buy a laptop with an FDE drive - it has all the software the user needs to enable password-protected FDE.

_________________
https://www.linkedin.com/in/artemrubtsov/


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 2nd, 2010, 10:18 

Joined: October 15th, 2009, 8:11
Posts: 51
Location: Islands
Seagate does confuse issues with this Security feature matrix.

Attachment: Matrix.PNG


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 2nd, 2010, 10:23 

Joined: May 5th, 2004, 20:06
Posts: 2770
Location: England
The lovely "Seagate Secure™ Technology": apparently plenty of 3rd-party vendors are willing to take your hard cash to help you use it ;o)

_________________
All went well until I plugged the drive in.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 2nd, 2010, 17:55 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
Here's an update and a mea culpa:

I wrote:
Quote:
I even bought an old laptop cheap on eBay (Thinkpad T60) because its BIOS was documented as being able to change the "Master HD password". However, that was a mirage - the "Master HD password" is not the ATA Master Password - it's only a password that allows you to disable the ATA User password.


Well, it turns out that this is wrong - the Thinkpad "Master HD password" actually IS the ATA Master Password.

I had previously investigated this and concluded that the Thinkpad T60 does not actually change the ATA Master Password because though a "Master" password setting appeared in the BIOS, I found that this password was NOT accepted as valid at the boot-time ATA password prompt. As a result, I concluded that the Thinkpad's "Master" password wasn't actually the ATA Master Password (according to the ATA Standard, it should have worked just as well as the ATA *User* Password to access the drive at boot-time).

It turns out that a preceding obscure incantation is required (but only on some ThinkPad models) to get the system to accept the "Master" password as an ATA Master Password. For some irrational and totally unintuitive reason, one must press "F1" at the boot-time password prompt prior to entering the "Master" password on my ThinkPad. The "F1" is not required if you're just entering in the ATA *User* Password. I only discovered this completely by accident (having casually and unintentionally hit the F1 key at the password prompt for no reason, whereupon a cryptic icon appeared).

After closer study of the Thinkpad Hardware Maintenance Manual, I found that this nonsense is actually documented, but tucked away in a section called "How to remove the hard-disk password.":

"For models supporting the Passphrase function, press F1 while HDP icon is
appearing on the screen; then enter the master HDP."

You can check it out on p.24 at:
http://download.lenovo.com/ibmdl/pub/pc ... 137_02.pdf

You would think a note might have been displayed at the prompt indicating that a preceding F1 is required for the Master Password, but no.

So the upshot is that many, if not all, recent-model ThinkPads DO, in fact, allow the user to set and use the ATA Master Password, and thus close off the security hole that comes with Seagate FDE drives from the factory.

BUT, it turns out I'm still a bit hosed because I wanted to use this drive in a Dell Latitude E6500. Dell apparently uses some kind of password hashing algorithm so that the password you type in is not the password that's actually submitted to the drive (both when you set it or when you unlock it at boot-time). I guess they hash it with some unique machine identifier so that the drive could only be accessed from that specific system (that's a feature they advertise right in the BIOS screen). This might otherwise be nice, I guess, but that prevents me from setting the master password on the Thinkpad and then sticking it into the Dell. I verified the Thinkpad doesn't do this by putting the drive in a totally different system and getting past the ATA password prompt using either the User or Master Password set with the Thinkpad without any problem.

Furthermore, not only does the Dell system NOT let you change the ATA Master Password, but when you set the User password, it secretly sets the Master Password to something that Dell corporate knows (or can calculate, probably based on the service tag or something).

That's not exactly what I was looking for 8-P

In fairness, Dell does offer to set the ATA Security Level to Maximum (using a user-friendly description for that) when you set the ATA User password. Maximum Security level means that the only way to unlock the drive via the Master Password is via a total erasure of the system (actually, just the cryptographic key is destroyed, but the data thus becomes categorically irretrievable). So they at least offer you the opportunity to preclude Dell from having or giving access to your data via the ATA Master Password. I guess I'll probably go with that for now.

tinkerdude


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 2nd, 2010, 18:30 

Joined: August 20th, 2009, 18:16
Posts: 19
Location: Illinois, USA
Doomer wrote:
FDE has nothing to do with ATA password. FDE drive can have two passwords: one for FDE and one ATA password (just in case you may need it).


Hmmmmm.

From a Seagate FDE FAQ at:
http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=206011&NewLang=en

"Momentus FDE drives can be described as having three password modes: OFF, standard ATA security, and Seagate Secure security. When passwords are OFF, the drive family can run on any OS, system and BIOS. When passwords are managed using standard ATA security, any notebook BIOS with password controls is compatible. In this case, the password challenge looks exactly the same as a non-FDE drive. These two password modes are also valid for non-Windows applications."

Also:

"Between the two security modes on the drive, traditional ATA security and the Seagate Secure mode, there are significant differences regarding passwords. Seagate Secure and traditional ATA password modes are mutually exclusive. One cannot activate both types of passwords at the same time."

Finally, for my FDE drive, there is no other way to manage security other than with ATA passwords. The ST9320329AS comes with no Seagate Secure (AKA Drive Trust) features, which I didn't want. See:
http://www.seagate.com/docs/pdf/datasheet/disc/ds_momentus_5400_fde_3.pdf

So for my FDE drive, security has everything to do with ATA passwords.


 
 Post subject: Re: Security theater (backdoor ATA Master Password)
PostPosted: June 2nd, 2010, 23:04 

Joined: September 29th, 2005, 12:02
Posts: 3135
Location: Chicago
tinkerdude wrote:
"Between the two security modes on the drive, traditional ATA security and the Seagate Secure mode, there are significant differences regarding passwords. Seagate Secure and traditional ATA password modes are mutually exclusive. One cannot activate both types of passwords at the same time."

Finally, for my FDE drive, there is no other way to manage security other than with ATA passwords. The ST9320329AS comes with no Seagate Secure (AKA Drive Trust) features, which I didn't want. See:
http://www.seagate.com/docs/pdf/datasheet/disc/ds_momentus_5400_fde_3.pdf

So for my FDE drive, security has everything to do with ATA passwords.

Wow! So my diagnosis is right. It is the "I know it all" type.
1. I have personally seen FDE drives with an ATA password and an FDE user password enabled at the same time.
2. An FDE drive is ALWAYS encrypted even if you don't have any "passwords" enabled. Don't you think that enabling an ATA password will already not be the first step in the security of such a drive?
3. There is a way to enable Drive Trust mode on your drive, and if you don't know how, that doesn't mean it's impossible.
4. So for your drive or any other FDE drive, the ATA password has nothing to do with the FDE password.
5. About manuals - user manuals for any drive of any vendor will state that it is impossible to access user data if you set and lose the ATA password; apparently some users believe this and some even "know it for sure".

I have a perfect solution for you - buy a laptop with true FDE support if you want real protection and at the same time open a savings account and start putting money into it - you will need it to recover your data one day.

_________________
https://www.linkedin.com/in/artemrubtsov/

