HP has come under fire for nullifying BIOS password protection steps on laptops by publishing reset data on its website. UK-based security consultancy SecureTest compared the approach to hiding a front door key under a welcome mat.
Security breaches resulting from stolen laptops have hit the headlines repeatedly over recent months. Full disc encryption is the best approach to making sure data remains secure even if an item of hardware is lost or stolen. But other techniques, such as BIOS password security, still have a role in discouraging casual thieves from bothering to read the data on stolen or 'lost' laptops.
Early BIOS passwords were a product of a more innocent age, but even so password resets typically required technically involved procedures. Initially hardware hacks, such as opening up the case and applying a parallel loopback connector, were possible. Laptop manufacturers later sharpened up their practices so that better reset processes were applied across the industry.
Laptop BIOS resets typically involve a call to the vendor and a challenge-response process before reset codes are handed out. So SecureTest was surprised to discover that HP publishes the reset process for the laptop series most commonly used in offices on its UK website.
By comparison, resetting the BIOS password on a Toshiba laptop involves a visit to a Toshiba dealer, the only parties authorised to obtain reset codes.
"HP might choose to defend itself by saying that its 'bundled security tools' provide a much greater degree of protection than the BIOS, but in reality security is about in-depth defence. Each layer of the security onion needs to be as impenetrable as possible," Ken Munro, a director of SecureTest, explained.
"So it frankly baffles us as to why the likes of HP would publish the reset process if the BIOS password isn’t intended to be used. It’s like hiding your key under the mat and leaving a note to that effect for passing burglars to see," he added.
We put these concerns to HP on Friday. We're yet to hear anything substantive back but will update this story if we do.
Although full disc encryption is the best approach for laptop security, other techniques still have their place, according to Munro.
"Full disc encryption is the right thing for laptop security, but vendors often forget to mention the ATA-3 (or ‘drivelock’) standard that effectively ‘locks’ the hard drive to the BIOS.
"Unless this password has been entered, the laptop is rendered unbootable and the hard disc unreadable, even if it is removed and mounted in another machine. ATA-3 appears vulnerable only to a very prolonged brute force crack, rather like regular encryption," he said. ®
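As an added example (not from the article, HP or SecureTest), a small Python check a defender can run over `hdparm -I` output to confirm that the ATA security password Munro calls 'drivelock' is actually enabled on a drive, rather than merely supported. The two sample outputs are constructed, and the layout of hdparm's Security section (a leading "not" marking a cleared flag) is assumed.

```python
import re

# Constructed samples of the "Security:" block as `hdparm -I /dev/sdX`
# prints it (layout assumed: a leading "not" marks a cleared flag).
SAMPLE_LOCKED = """\
ATA device, with non-removable media
Security:
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\t\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

SAMPLE_UNPROTECTED = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
"""

FLAGS = ("supported", "enabled", "locked", "frozen", "expired")


def parse_security(output):
    """Return {flag: bool} for the ATA security flags in hdparm -I output."""
    state = {}
    in_section = False
    for line in output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # reached the next top-level section
        m = re.match(r"\s*(not\s+)?(\w+)", line) if in_section else None
        if m and m.group(2) in FLAGS:
            state.setdefault(m.group(2), m.group(1) is None)  # first hit wins
    return state


def drivelock_status(output):
    """Classify a drive as 'unsupported', 'disabled' or 'enabled' (password set)."""
    s = parse_security(output)
    if not s.get("supported"):
        return "unsupported"
    return "enabled" if s.get("enabled") else "disabled"


if __name__ == "__main__":
    for name, sample in (("locked", SAMPLE_LOCKED), ("unprotected", SAMPLE_UNPROTECTED)):
        print(name, drivelock_status(sample), parse_security(sample))
```

A "disabled" result on a fleet scan means the disk can be read when moved to another machine regardless of any BIOS password; "frozen" only indicates that the security state cannot be changed until the next power cycle.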