By John Leyden, 2nd June 2008 16:03

HP biased against BIOS password security

Vendor nixes protection with step-by-step reset guide

HP has come under fire for nullifying BIOS password protection steps on laptops by publishing reset data on its website. UK-based security consultancy SecureTest compared the approach to hiding a front door key under a welcome mat.

Security breaches resulting from stolen laptops have hit the headlines repeatedly over recent months. Full disc encryption is the best approach to making sure data remains secure even if an item of hardware is lost or stolen. But other techniques, such as BIOS password security, still have a role in discouraging casual thieves from bothering to read the data on stolen or 'lost' laptops.

Early BIOS passwords were a product of a more innocent age, but even so password resets typically required technically involved procedures. Initially hardware hacks, such as opening up the case and applying a parallel loopback connector, were possible. Laptop manufacturers later sharpened up their practices so that better reset processes were applied across the industry.

Laptop BIOS resets typically involve a call to the vendor and going through a challenge-response process before reset codes are handed out. So SecureTest was surprised to discover that HP publishes the reset process for the series of laptops most commonly used in the office on its UK website.

By comparison, resetting the BIOS password on a Toshiba laptop involves a visit to a Toshiba dealer, the only party authorised to obtain reset codes.

"HP might choose to defend itself by saying that its 'bundled security tools' provide a much greater degree of protection than the BIOS, but in reality security is about in-depth defence. Each layer of the security onion needs to be as impenetrable as possible," Ken Munro, a director of SecureTest, explained.

"So it frankly baffles us as to why the likes of HP would publish the reset process if the BIOS password isn’t intended to be used. It’s like hiding your key under the mat and leaving a note to that effect for passing burglars to see," he added.

We put these concerns to HP on Friday. We're yet to hear anything substantive back but will update this story if we do.

Although full disc encryption is the best approach for laptop security, other techniques still have their place, according to Munro.

"Full disc encryption is the right thing for laptop security, but vendors often forget to mention the ATA-3 (or ‘drivelock’) standard that effectively ‘locks’ the hard drive to the BIOS.

"Unless this password has been entered, the laptop is rendered unbootable and the hard disc unreadable, even if it is removed and mounted in another machine. ATA-3 appears vulnerable only to a very prolonged brute force crack, rather like regular encryption," he said. ®
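The drive lock Munro describes is the ATA security feature set, and whether it is actually enabled on a given drive is visible in the "Security:" section that the Linux `hdparm -I` utility prints. The following is an added example, not code from the article or from SecureTest, HP or the hdparm project: it parses that section and reports whether the drive is supported-but-unprotected, enabled and currently unlocked, or locked. The sample outputs are constructed to mimic the `hdparm -I` layout (the `not<TAB>flag` convention) rather than captured from a real machine, and the device path in the usage note is an assumption.

```python
import re
import sys

# Constructed sample modelled on the "Security:" section of `hdparm -I`
# output; not captured from a real drive. Lines read "not<TAB>flag" when
# the flag is clear and "<TAB><TAB>flag" or "<TAB>flag" when it is set.
SAMPLE_UNPROTECTED = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)

# Same layout, but with a user password set and the drive still locked,
# as it would appear if the drive were moved to a machine whose BIOS
# never supplied the password. Also constructed.
SAMPLE_LOCKED = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tenabled\n"
    "\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "Checksum: correct\n"
)

# Only these four flags matter for the lock state; "supported: enhanced
# erase" and "expired: security count" carry a suffix and are ignored.
FLAG_RE = re.compile(r"^\s*(not\s+)?(supported|enabled|locked|frozen)\s*$")


def parse_ata_security(hdparm_output: str) -> dict:
    """Return {flag: bool} for the ATA security flags found in the
    "Security:" section of hdparm -I output. Flags that do not appear
    (for example on a drive without the feature set) are simply absent."""
    flags = {}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # next top-level section such as "Checksum:"
        if not in_section:
            continue
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(2)] = m.group(1) is None
    return flags


def assess(flags: dict) -> str:
    """Collapse the flags into one of four states a defender cares about."""
    if not flags.get("supported", False):
        return "unsupported"   # no drive lock available; encryption is the only layer
    if not flags.get("enabled", False):
        return "disabled"      # drive can be read if moved to another machine
    if flags.get("locked", False):
        return "locked"        # password required before any sector is readable
    return "unlocked"          # password was accepted at boot for this session


def describe(state: str, flags: dict) -> str:
    """Human-readable line for an audit report."""
    text = {
        "unsupported": "ATA security not supported; rely on full disc encryption",
        "disabled": "ATA security supported but NOT enabled; drive readable if removed",
        "locked": "ATA security enabled and locked; password needed to read the drive",
        "unlocked": "ATA security enabled; drive unlocked for this boot session",
    }[state]
    if flags.get("frozen", False):
        text += " (state frozen by firmware; cannot be changed from the OS)"
    return text


if __name__ == "__main__":
    # Assumed usage on a Linux host: sudo hdparm -I /dev/sda | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNPROTECTED
    parsed = parse_ata_security(data)
    print(describe(assess(parsed), parsed))
```

On a fleet audit, a result of "disabled" on a laptop that is supposed to rely on the BIOS and drive lock as a second layer is the finding to chase; "frozen" is expected on most modern firmware and simply means the setting has to be changed from the BIOS setup screen rather than from the operating system.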
