By | John Leyden 2nd June 2008 16:03

HP biased against BIOS password security

Vendor nixes protection with step-by-step reset guide

HP has come under fire for nullifying BIOS password protection steps on laptops by publishing reset data on its website. UK-based security consultancy SecureTest compared the approach to hiding a front door key under a welcome mat.

Security breaches resulting from stolen laptops have hit the headlines repeatedly over recent months. Full disc encryption is the best approach to making sure data remains secure even if an item of hardware is lost or stolen. But other techniques, such as BIOS password security, still have a role in discouraging casual thieves from bothering to read the data on stolen or 'lost' laptops.

Early BIOS passwords were a product of a more innocent age, but even so password resets typically required technically involved procedures. Initially hardware hacks, such as opening up the case and applying a parallel loopback connector, were possible. Laptop manufacturers later sharpened up their practices so that better reset processes were applied across the industry.

Laptop BIOS resets typically involve a call to a vendor and going through a challenge-response process before reset codes are handed out. So SecureTest was surprised to discover that HP publishes the reset process for the series of laptops most commonly used in the office on its UK website.

By comparison, resetting the BIOS password on a Toshiba laptop involves a visit to a Toshiba dealer, the only parties authorised to obtain reset codes.

"HP might choose to defend itself by saying that its 'bundled security tools' provide a much greater degree of protection than the BIOS, but in reality security is about in-depth defence. Each layer of the security onion needs to be as impenetrable as possible," Ken Munro, a director of SecureTest, explained.

"So it frankly baffles us as to why the likes of HP would publish the reset process if the BIOS password isn’t intended to be used. It’s like hiding your key under the mat and leaving a note to that effect for passing burglars to see," he added.

We put these concerns to HP on Friday. We're yet to hear anything substantive back but will update this story if we do.

Although full disc encryption is the best approach for laptop security, other techniques still have their place, according to Munro.

"Full disc encryption is the right thing for laptop security, but vendors often forget to mention the ATA-3 (or ‘drivelock’) standard that effectively ‘locks’ the hard drive to the BIOS.

"Unless this password has been entered, the laptop is rendered unbootable and the hard disc unreadable, even if it is removed and mounted in another machine. ATA-3 appears vulnerable only to a very prolonged brute force crack, rather like regular encryption," he said. ®
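The ATA drive password Munro describes is only a layer if it is actually switched on, and a fleet audit is the practical way to find out. The following Python, added here as an illustration and not code from the article or from SecureTest, parses the `Security:` section that the Linux `hdparm -I` command prints for a drive and reports whether the feature is supported, enabled, locked or frozen. The two `hdparm` outputs in the block are constructed samples in the real layout of that section; on a live machine the text would come from `hdparm -I /dev/sdX`.

```python
import re

# Constructed sample of the "Security:" section as printed by `hdparm -I`
# on Linux. A drive in this state is readable if moved to another machine,
# because no ATA password has been set.
SAMPLE_NOT_ENABLED = """\
ATA device, with non-removable media
Commands/features:
\tEnabled\tSupported:
\t   *\tSMART feature set
\t   *\tSecurity Mode feature set
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Constructed sample for a drive whose password has been set and accepted
# at boot (enabled, unlocked, and frozen by the BIOS until power cycle).
SAMPLE_ENABLED = """\
Security: 
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

# Each flag line is either "<flag>" or "not <flag>", indented under "Security:".
SECURITY_LINE = re.compile(
    r"^\s*(?P<neg>not\s+)?(?P<flag>supported|enabled|locked|frozen|expired)\b(?P<rest>.*)$"
)


def parse_ata_security(text):
    """Return {flag: bool} for the ATA security flags in hdparm -I output.

    Only lines inside the "Security:" section are considered; the section
    ends at the next line that starts in column 0.
    """
    state = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # next top-level section of the hdparm report
        m = SECURITY_LINE.match(line)
        if not m:
            continue  # revision code, erase-time line, etc.
        flag, rest = m.group("flag"), m.group("rest")
        # "supported: enhanced erase" is a separate capability, not the
        # main "supported" flag.
        if flag == "supported" and "enhanced erase" in rest:
            flag = "enhanced_erase"
        state[flag] = m.group("neg") is None
    return state


def assess(state):
    """Summarise what the parsed flags mean for a lost or stolen laptop."""
    if not state.get("supported"):
        return "ATA security not supported: rely on disk encryption only"
    if not state.get("enabled"):
        if state.get("frozen"):
            return "not enabled and frozen: password cannot be set until next power cycle"
        return "not enabled: drive readable if mounted in another machine"
    if state.get("locked"):
        return "enabled and locked: password required before data can be read"
    return "enabled and unlocked: password was accepted at boot"


if __name__ == "__main__":
    for name, sample in (("not enabled", SAMPLE_NOT_ENABLED), ("enabled", SAMPLE_ENABLED)):
        parsed = parse_ata_security(sample)
        print(f"{name}: {parsed} -> {assess(parsed)}")
```

The parser stops at the first column-0 line after `Security:` so that flags from other sections of the report (for instance the `Security Mode feature set` entry under `Commands/features`) are not mistaken for the security state; the `frozen` flag matters because a BIOS that freezes the drive at boot prevents any later attempt to set the password from the operating system.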
