

By John Leyden, 2nd June 2008 16:03

HP biased against BIOS password security

Vendor nixes protection with step-by-step reset guide

HP has come under fire for undermining BIOS password protection on its laptops by publishing reset instructions on its website. UK-based security consultancy SecureTest compared the approach to hiding a front door key under a welcome mat.

Security breaches resulting from stolen laptops have hit the headlines repeatedly over recent months. Full disc encryption is the best approach to making sure data remains secure even if a piece of hardware is lost or stolen. But other techniques, such as BIOS password security, still have a role in discouraging casual thieves from reading the data on stolen or 'lost' laptops.

Early BIOS passwords were a product of a more innocent age, but even so password resets typically required technically involved procedures. At first, hardware hacks such as opening the case and fitting a parallel-port loopback connector were possible. Laptop manufacturers later tightened their practices so that stricter reset processes were adopted across the industry.

Laptop BIOS resets typically involve a call to the vendor and a challenge-response process before reset codes are handed out. So SecureTest was surprised to discover that HP publishes the reset process for the laptop series most commonly used in offices on its UK website.

By comparison, resetting the BIOS password on a Toshiba laptop involves a visit to a Toshiba dealer, the only parties authorised to obtain reset codes.

"HP might choose to defend itself by saying that its 'bundled security tools' provide a much greater degree of protection than the BIOS, but in reality security is about in-depth defence. Each layer of the security onion needs to be as impenetrable as possible," Ken Munro, a director of SecureTest, explained.

"So it frankly baffles us as to why the likes of HP would publish the reset process if the BIOS password isn’t intended to be used. It’s like hiding your key under the mat and leaving a note to that effect for passing burglars to see," he added.

We put these concerns to HP on Friday. We're yet to hear anything substantive back but will update this story if we do.

Although full disc encryption is the best approach for laptop security, other techniques still have their place, according to Munro.

"Full disc encryption is the right thing for laptop security, but vendors often forget to mention the ATA-3 (or ‘drivelock’) standard that effectively ‘locks’ the hard drive to the BIOS.

"Unless this password has been entered, the laptop is rendered unbootable and the hard disc unreadable, even if it is removed and mounted in another machine. ATA-3 appears vulnerable only to a very prolonged brute force crack, rather like regular encryption," he said. ®
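Munro's drivelock point can be checked on a live system: `hdparm -I /dev/sdX` prints a "Security:" section listing the drive's ATA security flags. The script below is an added example, not code from the article, HP or SecureTest. It parses that section and reports whether a drive password is actually enabled, whether the drive is currently locked, and whether the BIOS has frozen the security state. The flag names are hdparm's; the three reports it runs over are constructed sample output in hdparm's format, not captured from real hardware, and the function name ata_security_report is ours.

```shell
#!/bin/sh
# Added example, not code from the article or from HP/SecureTest.
# Reads hdparm -I output on stdin and summarises the ATA security
# ("drivelock") state. Sample reports below are constructed, not real.

ata_security_report() {
    awk '
        /^Security:/            { insec = 1; next }
        insec && /^[^ \t]/      { insec = 0 }   # next unindented heading ends the section
        !insec                  { next }
        # hdparm prints "not<TAB>enabled" when a flag is clear and the bare
        # word "enabled" when it is set, so a line holding only the word
        # means the flag is set. [ \t] accepts hdparm tabs or our spaces.
        /^[ \t]*supported[ \t]*$/ { supported = 1 }
        /^[ \t]*enabled[ \t]*$/   { enabled = 1 }
        /^[ \t]*locked[ \t]*$/    { locked = 1 }
        /^[ \t]*frozen[ \t]*$/    { frozen = 1 }
        END {
            if (!supported)    state = "unsupported"
            else if (!enabled) state = "disabled"
            else if (locked)   state = "enabled-locked"
            else               state = "enabled-unlocked"
            printf "state=%s frozen=%s\n", state, (frozen ? "yes" : "no")
        }'
}

# Constructed sample 1: a drive with a password set, moved into another
# machine and powered on there. It answers IDENTIFY but refuses reads.
SAMPLE_LOCKED=$(cat <<'EOF'
/dev/sdb:

ATA device, with non-removable media
    Model Number:       EXAMPLE-DRIVE-160
Security:
    Master password revision code = 65534
        supported
        enabled
        locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
)

# Constructed sample 2: the common laptop case. The drive supports the
# feature but no password was ever set, and the BIOS froze the state at boot.
SAMPLE_FROZEN=$(cat <<'EOF'
/dev/sda:

ATA device, with non-removable media
    Model Number:       EXAMPLE-DRIVE-160
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
Checksum: correct
EOF
)

# Constructed sample 3: no Security section at all, as seen with many
# USB bridges that do not pass ATA security commands through.
SAMPLE_NO_SECURITY=$(cat <<'EOF'
/dev/sdc:

ATA device, with non-removable media
    Model Number:       EXAMPLE-USB-DISK
Checksum: correct
EOF
)

for s in "$SAMPLE_LOCKED" "$SAMPLE_FROZEN" "$SAMPLE_NO_SECURITY"; do
    printf '%s\n' "$s" | ata_security_report
done
```

On a real machine, pipe `hdparm -I /dev/sda` into ata_security_report as root. "state=disabled" means there is no drive lock at all, whatever the BIOS setup screen suggests; "frozen=yes" means the BIOS issued SECURITY FREEZE LOCK at boot, so the password cannot be set or changed from the running OS until the drive is power-cycled (a suspend/resume cycle is the usual trick). One caveat on Munro's brute-force remark: a "Master password revision code = 65534" line means the vendor's master password has never been replaced, and whether that master password can unlock the drive depends on the security level (High or Maximum) chosen when the user password was set.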


