ATA Security Exposed

by Michael Hampton (Homeland Stupidity)

In 2002, Michael Crooker brought home his shiny new Compaq Presario notebook computer with a new feature called DriveLock which, as its name implies, locks the hard drive until the proper password is given.

The owner's manual claimed that "If one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq's headquarters staff."

But when he was arrested in 2004 on firearms charges, the FBI was able to bypass the drive password with no trouble at all and access all of his (legal) porn and his e-mail to his attorney.  Crooker sued Hewlett-Packard for false advertising and eventually settled out of court.

ATA Security Overview

DriveLock was the brand name for a part of the ATA Security Mode feature set, and virtually every IDE/ATA/SATA drive manufactured since 2000 has it.  A similar feature set is available for SCSI drives, but almost no SCSI drives implement it.  The ATA Security Mode feature set provides two major features: the ability to lock the drive using passwords, and the ability to erase all the data on the drive.

The Linux hdparm -I command will tell you if your drive supports the ATA Security Mode feature set and the enhanced security erase, whether the freeze lock is set, and whether the master password has been changed from the factory default.  All of these features are explained below.

Hard Drive Passwords

ATA drives allow two 32-byte passwords to be set, a user password and a master password, both using the SECURITY SET PASSWORD command.

If a password shorter than 32 bytes is supplied, it will be padded with either spaces or NULLs (0x00), depending on the utility you use.

When the user password is set, the drive will be locked at power-on or reset, and will not respond to commands to read or write data.

The user password must be supplied at power on to unlock the drive.  The system BIOS does this by issuing the SECURITY UNLOCK command.  The user password can be removed with the SECURITY DISABLE PASSWORD command.

The master password cannot be removed, only changed, and each drive manufacturer ships drives with a default master password set at the factory.

ATA drives have two master password security levels: High and Maximum.

In the High level, the master password can be used to change the user password if it has been forgotten.  It can also be used to unlock the drive.  In the Maximum level, the master password cannot be used to unlock the drive or change the user password.  It can only be used to erase the user password along with all the user data on the disk.

The system BIOS only allows the user password to be set; it doesn't provide a function to set either the master password or the Maximum security level.  These must be done with third-party utilities such as hdparm on Linux, or ATAPWD.EXE on a DOS boot disk, available at: dwl.xbox-scene.com/~xbox/xbox-scene/tools/harddrive/atapwd.zip

When the master password is changed, the master password revision code will also be changed.

The utility you use to change the password determines what the new revision code will be.  The current version of the Linux hdparm utility sets the revision code to 0xFF11 (65297).  From the factory the revision code is 0xFFFE (65534).  If a drive doesn't support master password revision codes, it will always return 0x0000 (0) or 0xFFFF (65535).

Once the drive is unlocked, the SECURITY FREEZE LOCK command can be used to disable any commands which would lock the drive, change or remove passwords, or erase the drive.

If the drive is frozen, it must be power cycled or hardware reset to return to normal operation.

Many notebook BIOSes send the SECURITY FREEZE LOCK command during the power-on self test, making it impossible to set passwords or erase a drive from within the operating system.  If your BIOS does this, you will likely have to move the drive into another computer in order to erase it, or change the master password and security level.  Try using a desktop computer, as few desktop BIOSes issue the SECURITY FREEZE LOCK.  While it can be annoying, this is actually a useful feature since it prevents malicious software from setting a hard drive password without the user's knowledge.
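Everything hdparm -I reports about security state comes from two words of the drive's IDENTIFY DEVICE response: word 128 (security status flags, including the High/Maximum level bit and the frozen bit) and word 92 (the master password revision code).  The decoder below is an added example, not code from the article or from hdparm; the identify block it parses is constructed, not captured from a real drive, and it also shows why a short password padded with spaces is a different 32-byte password from the same text padded with NULLs.

```python
import struct

# IDENTIFY DEVICE is 256 little-endian 16-bit words (512 bytes).
WORD_MASTER_PW_REVISION = 92    # master password revision code
WORD_SECURITY_STATUS = 128      # security status flags (bits listed below)

def word(identify: bytes, n: int) -> int:
    """Return IDENTIFY DEVICE word n."""
    return struct.unpack_from("<H", identify, 2 * n)[0]

def describe_revision(code: int) -> str:
    """Interpret the master password revision code as the article describes."""
    if code in (0x0000, 0xFFFF):
        return "not supported"
    if code == 0xFFFE:
        return "factory default"
    if code == 0xFF11:
        return "set by hdparm"
    return "changed (other utility)"

def decode_security(identify: bytes) -> dict:
    """Decode word 128 and word 92 into the fields hdparm -I prints."""
    status = word(identify, WORD_SECURITY_STATUS)
    rev = word(identify, WORD_MASTER_PW_REVISION)
    return {
        "supported": bool(status & 0x0001),       # bit 0
        "enabled": bool(status & 0x0002),         # bit 1: a user password is set
        "locked": bool(status & 0x0004),          # bit 2
        "frozen": bool(status & 0x0008),          # bit 3: SECURITY FREEZE LOCK issued
        "count_expired": bool(status & 0x0010),   # bit 4: too many bad passwords
        "enhanced_erase": bool(status & 0x0020),  # bit 5
        "level": "Maximum" if status & 0x0100 else "High",  # bit 8
        "master_revision": rev,
        "master_revision_meaning": describe_revision(rev),
    }

def pad_password(password: str, filler: bytes = b" ") -> bytes:
    """Build the 32-byte SECURITY SET PASSWORD field; filler is space or NUL."""
    raw = password.encode("ascii")
    if len(raw) > 32:
        raise ValueError("ATA passwords are at most 32 bytes")
    return raw + filler * (32 - len(raw))

def make_identify(status: int, rev: int) -> bytes:
    """Constructed IDENTIFY block for demonstration only."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, 2 * WORD_SECURITY_STATUS, status)
    struct.pack_into("<H", buf, 2 * WORD_MASTER_PW_REVISION, rev)
    return bytes(buf)

if __name__ == "__main__":
    # supported + enabled + frozen, Maximum level, master password still factory default
    for k, v in decode_security(make_identify(0x010B, 0xFFFE)).items():
        print(f"{k}: {v}")
```

A drive that reports frozen here is the case described above: no password or erase command will be accepted until the drive is power cycled, usually in a machine whose BIOS does not issue SECURITY FREEZE LOCK.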

Security Erase

This is the most interesting part of the ATA Security Mode feature set.

When a drive receives the SECURITY ERASE UNIT command it will immediately begin erasing user areas of the drive, overwriting them with logical zeroes.  To prevent accidental erasure, the command must be preceded with a SECURITY ERASE PREPARE command.  If a user password has been set, either the user password or the master password must be provided.  Erasing the drive also erases any user password.

Most newer drives also support an enhanced mode for SECURITY ERASE UNIT.

In the enhanced mode, the drive is erased with vendor-specific patterns in order to prevent forensic recovery of the drive.  (You don't have to write 35 passes of anything to a modern hard drive; due to the encoding scheme and track density, two passes done a certain way are sufficient.)  In addition, enhanced mode also erases sectors which were marked bad and reallocated.

The pattern specified by the Center for Magnetic Recording Research (cmrr.ucsd.edu/people/Hughes/CmrrSecureEraseProtocols.pdf) to secure erase a hard drive is two random writes, each of which "Is offset off-track opposite to the other by at least 10% of the track pitch."

This prevents using a scanning magnetoresistive microscope (the most exotic and expensive way to read data from a disk) to read data from the track edges, which can still be done no matter how many times you overwrite your disk using Darik's Boot and Nuke or other traditional hard drive erase utilities.

To issue the secure erase commands and actually destroy all the data on your hard drive beyond all possibility of recovery, use HDDERASE.EXE in DOS, available at: https://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml  (Tutorial)

or, in Linux (replace PASSWORD with the user or master password set on the drive, and /dev/sdX with the drive to be erased):

$ sudo hdparm --security-erase-enhanced PASSWORD /dev/sdX

If you need to erase many drives, Dead On Demand makes a product called Digital Shredder, available at www.deadondemand.com, which does nothing but issue SECURITY ERASE UNIT commands to any drive plugged into it.  It can erase up to three drives at a time and supports hot-plugging drives.

Data Recovery

Both the user password and master password are written to the hard drive service area, a special area on the disk which is normally inaccessible.  This area also stores the drive firmware, geometry information, and other vendor-specific goodies.

The service area is different from the Host Protected Area, so you can't gain access to it by exposing the HPA.

Causing the hard drive to enter a special factory mode is one of two ways that law enforcement and data recovery companies access locked drives.

This allows access to the drive service area and is the method used by the Vogon Password Cracker Pod at: www.vogon-investigation.com/password-cracker.htm

There is no defense against this attack except for full-disk encryption.

The method to enter factory mode is different for each vendor and is a closely guarded secret, shared only with law enforcement and some data recovery companies.  Most manufacturers won't even admit that such a mode exists.  If you want to know how it's done, try studying hard drive firmware update utilities, because the firmware is stored in the service area along with the passwords.

The master password is set to a factory default, which varies by drive vendor and sometimes by drive model.

Most law enforcement forensic tools and data recovery companies use the default master passwords to access locked hard drives.  This can be prevented by changing the master password, or by setting the disk to Maximum security level, but then don't forget your user password!

You may be able to find a master password for your drive by using Google.

Some master passwords known to be in use are (without quotes):

"WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"tttttttttttttttttttttttttttttttt"
"Seagate                         "
"Maxtor                          "
"Maxtor INIT SECURITY TEST STEP  " 
"Maxtor" (padded with 0x00)
32 spaces (0x20)
32 bytes of 0xFF
"XBOXSCENE" and "TEAMASSEMBLY" (for Xbox drives)

Conclusion

Setting a hard drive password will keep out your little sister, but it isn't likely to keep out your local police.

Even if it does, they can send it to the FBI, who can get into the drive in seconds.  Setting a hard drive password seems pointless in these days of widespread full-disk encryption, which is available with most Linux distributions and the expensive versions of Windows Vista.

Some hard drives now ship with hardware-based full-disk encryption as well.

Yet the ATA enhanced secure erase facility is believed to be the most secure way to wipe a drive clean.

Even the supposedly DoD-approved 35 pass wipe isn't good enough for the government anymore; they're now using ATA enhanced secure erase to decommission hard drives.

You should be, too.
