LinuxQuestions.org


libCognition 04-27-2012 05:04 PM

hardware crypto on ThinkPads -- What happens after many password attempts?
 
There was an article a while back saying that after 20 or so password attempts, hardware FDE drives will throw away the key -- in effect doing an instant wipe.

The article did not mention what brands/models of drives that do this, and the documentation is lousy in this respect. Anyone have insight on the behaviour of Hitachi and Seagate drives, as far as how many attempts are tolerated and what action the drive takes?

Is this dependent on the BIOS, or the drive?

NyteOwl 04-28-2012 11:44 AM

The encryption key is generated by the encryption chip on the drive. It is however dependent on setting the hard drive password (and preferably Master drive password as well) in the BIOS. The encryption key on the drive can only be regenerated (effectively making the contents inaccessible) through the drive password (if the master isn't set), or through the master password if set.

As far as I know you can enter the password as many times as you like. Nor is there any mention I've seen of such a feature on Lenovo's website or support documents of such behaviour. The best way would be to send an e-mail to Lenovo support and ask them directly.

libCognition 04-28-2012 03:41 PM

I appreciate the reply, but after more thought, I'm doubting that the BIOS is what controls the limit of password attempts. If it did, then an adversary could use their own BIOS (or software TPM) to allow for infinite rapid attempts. If there's a limit, it would have to be imposed by the drive manufacturer.

OTOH, I read here that "If the user's Hard drive password has been forgotten...the hard drive must be replaced". Yikes! So not only is the data lost, but the hardware is bricked and drive cannot even be reformatted and reused. Great feature for the company selling the drives.

What strikes me as odd is that Lenovo is making that statement, not the maker of the hard drive. How can Lenovo brick the hard drive? It would seem only the drive itself could block the use of the instant wipe feature. Otherwise someone could simply install the drive in a non-Lenovo machine, use instant wipe to throw away the key, and then re-install the drive back into the Thinkpad.

What am I missing?

jlinkels 04-28-2012 06:40 PM

You can read "the hard drive has to be replaced" as: "if you forget the password, don't expect to access the hard drive again, ever". Which prevents malicious users from circumventing the hard disk's encryption in any way. If you don't know the password, game is over. Imagine that if Lenovo or anyone else would make the drive accessible in any way and data comes in the hands of someone who isn't the owner. If the real owner sues Lenovo or breaks publicity, Lenovo would be in deep trouble. It is much simpler not to touch an encrypted hard drive. It is the user's responsibility not to lose the password, and if they do lose it, they have been warned.

jlinkels

libCognition 04-29-2012 05:03 AM

Quote:

Originally Posted by jlinkels (Post 4665646)
You can read "the hard drive has to be replaced" as: "if you forget the password, don't expect to access the hard drive again, ever".

In effect, they are the same statement. It's a scam against the consumer. Of course read access should remain blocked when the password is not supplied, but there is no reason not to grant write access from a security standpoint. From a business standpoint, they can sell more drives if they also block write access in the event of password loss.

If the idea is that adversaries cannot wipe the drive as a DoS attack, it doesn't matter because the adversary has physical access to the drive anyway (they can destroy it). If the idea is that a thief is getting something that's unusable, they're generally stealing the whole laptop anyway, which still has value without the drive.

libCognition 04-29-2012 05:35 AM

I've found that the Thinkpad BIOS is incapable of doing an instant wipe of Hitachi FDE drives (but it can do an instant wipe on Seagate FDE drives). In fact, there is (apparently) no instant wipe feature whatsoever for Hitachi drives, even when you have the password.

Since Lenovo is using Hitachi for their stock drives, their warning makes sense.

I wonder if Hitachi has omitted instant wipe deliberately, as a way to sell more drives to those who lose their passwords.

jlinkels 04-29-2012 08:21 AM

Quote:

Originally Posted by libCognition (Post 4665856)
In effect, they are the same statement. It's a scam against the consumer.

In a certain way it is yes. By not allowing to access the drive ever again they preclude that data can be tampered with. That is very manufacturer-centric and not consumer friendly. What's new? As long as they can get away with it (read: this policy generates more profit than other options, and less headache, which also translates in more profit) they will continue. It is no use fighting that, that is [unfortunately] how the Western community works. A more expanded rant on that should be in the general forum but I don't want to waste my time.

jlinkels

libCognition 04-29-2012 10:35 AM

Quote:

Originally Posted by jlinkels (Post 4665965)
What's new? As long as they can get away with it (read: this policy generates more profit than other options, and less headache, which also translates in more profit) they will continue. It is no use fighting that, that is [unfortunately] how the Western community works.

The Western community has competition. Seagate decided to go the other way, to offer a product that doesn't turn into a brick when you forget the password. Seagate apparently finds consumer-centric products to be more profitable than Hitachi does. So in this sense, consumers can sensibly and effectively fight this, by buying Seagate instead of Hitachi.

BTW, my original question still stands. It's still not clear which hard drives "self destruct" after too many password attempts. The IronKey usb sticks will erase after 10 attempts, and I'm beginning to wonder if that's the only drive that does this.

NyteOwl 04-29-2012 04:31 PM

If you have no Master password set then indeed, if you forget the drive password you're out of luck. If you have the master password set, that password can be used to regain access or reset the encryption key even if the regular drive password has been forgotten. Lenovo have a utility on their site that can be used to reset the drive keys, effectively "wiping" the drive.

libCognition 04-30-2012 08:57 AM

Quote:

Originally Posted by NyteOwl (Post 4666233)
Lenovo have a utility on their site that can be used to reset the drive keys, effectively "wiping" the drive.

Thanks for pointing that out. I was not aware of it. Which tool is it, specifically? I see two Windows tools for my model that I think could have this capability:

1) Secure Data Disposal
2) Atmel TPM (Trusted Platform Module) device driver for Windows


All times are GMT -5.