Users of Lenovo ThinkPad laptops may be in for a nasty surprise if they forget their main (supervisor) hard drive password. The Chinese hardware manufacturer refuses to reset hard drive (BIOS) security passwords for laptops even if they are covered by warranty. Lenovo, which bought IBM's ThinkPad laptop business in 2005, cites …
If setting the password is optional then users have to take the blame for setting one without reading the small print and for forgetting it.
On the other hand, if Lenova are prepared to replace the motherboard and make a system fully functional on production of appropriate purchase documentation there seems no reason they could not reset the password given the same documentation. It's therefore not about security, it's about profiteering.
How hard is it to...
Don't want to be mean
to the guys breaking the stories to you but someone better tell Shaun P there's no Lenovo/IBM, just Lenovo nowadays when it comes to Thinkpads.
And "web based password reset" for a HDD password or a power-on password? Care to explain how that's supposed to work?
Mine's the one with a CMOS battery and discarded system board jumper in the pockets...
I had this problem... Fortunately I always use the same password: "password".
Damn I'm smart!
recoverable = not safe
If a password is recoverable or resettable, why have a password anyway. A lot password should mean no more access to the data. If it means something else, it is useless!
"If Lenovo were to reset administrator or HDD passwords by either policy or available procedure, then we would be creating an exposure and undermining the value of the passwords to deter theft and prevent unintended access to data."
Does this password protect the hard drive's encryption or merely the motherboard's bios?
Is the hard drive readable on another computer?
If the password merely protects the bios, I don't see why resetting this password is a big deal? In any case, lenovo should be able to reset the master password as well as any media keys it may be holding. The net effect would be the same as issuing a new motherboard and reinstalling the old hard drive/peripherals, with much less waste.
Re: Not clear
"Does this password protect the hard drive's encryption or merely the motherboard's bios?"
It depends on which password you're talking about. The HDD passwords (both user and master) protect the hard drive no matter what system it's in. If you're trying to protect the data on the drive this is the one to set.
The BIOS user and supervisor passwords only protect access to the individual machine's hardware and its BIOS settings. In the event of theft this isn't any real deterrent to getting at data, but it does prevent use of the system without a replacement motherboard. This seems to be what the article is referring to since replacing the motherboard wouldn't fix a forgotten HDD password.
Thanks for responding.
"It depends on which password you're talking about."
Actually I was trying to understand what the password on lenovo laptops really protects.
"This seems to be what the article is referring to since replacing the motherboard wouldn't fix a forgotten HDD password."
Exactly, but when read in this context lenovo's statements about protecting data don't add up. Since they're willing to reset a user password to let the user boot up the machine, it would seem that protecting the data on the machine is not their concern. This is why I wondered if there was something special about these laptops I had overlooked.
well done Lenovo
Well done them. While there may well be exploitable flaws somewhere to work around the password issue and/or a "law enforcement" override it's good to see this level of willingness to piss users off in exchange for a increased perception of data security.
Much as I hate to say it
as I dislike Lenovo (kind of disliking IBM by proxy, or possibly poxy) I think their stated reason makes perfect sense. Though it is a no-win situation: the determined thief could easily circumvent the lockout, but that doesn't mean Lenovo should therefore remove all obstacles to more-or-less immediate access to the data on the hard disk.
Beer, because there's no liberty cap icon.
Sorry but I couldn't stop laughing at this bit: "Lenovo's unwritten policy if you 'forget' your password is, buy a new laptop," Shaun, who has experience the problem at first hand, explained. "Mr Criminal on the other hand can break the security in under 30 minutes. Kind of ironic that Lenovo can offer no real support to legitimate customers, but the bloke at the car boot sale can."
If Shaun is of the opinion that a crim only needs 30 mins to break the security then why on earth did he bother putting a supervisor password on it in the first place?
Just because your name is Criminal doesn't mean you have to be one.
Re: Mr Criminal
How refreshing and enlightened. I'm very pleased that you said that as I'm a bit pissed off with people jumping to conclusions.
any relation to
Re: Mr Goatraper
I don't know why your post had me giggling; it brought to mind some Satyr-like offspring, being possibly the relative asked after; and yet I have no idea what this entire thread is about.
Simple- Write your password on a post-it note and attach to your laptop lid...
Seriously though - don't forget your password
It shouldn't be covered under warranty - why should Lenovo pick up the bill for a users stupidity....
I'm no security expert, but having a web based password reset service seems somewhat risky...?
Who expected them to pay for it?
I didn't expect it to be free, I just didn't expect it to cost more than the laptop is worth. The laptop is a T61p and is less than 18 months old, and who says I forgot the password? I haven't, the laptop takes almost a minute to get to a password prompt where it only used to take a few seconds.
Because, if you're under warranty and you've forgotten the supervisor password, then the solution is to come up with different reason to get the systemboard exchanged under warranty. ZeroStat, anyone?
So rather than provide an easy fix for a security-thru-obscurity situation, Lenovo ensures an expensive fix.
This is not news
This has always been the case with Thinkpads and is a feature, not a bug. The hardware is in some cases genuinely difficult/almost impossible to get into.
The truth is that the difficulty varies across models, but is rarely trivial. It usually requires special programs and sometimes a custom cable.
If you don't want to get locked out, don't set a password..
Someone else's password
"If you don't want to get locked out, don't set a password.."
It's trivial for a non-owner else to set the bios password if the owner steps away for a minute. The supervisor password could go unnoticed for a long time.
If the password can be broken in 30 minutes, there's no point setting one in the first place. If you don't set one in the first place, you can't forget it. Problem solved.
Re: Simple Solution
My wife couldn't break the password in 30 minutes, or ever. She's the only one I'm worried about.
weird security logic
"If the password can be broken in 30 minutes, there's no point setting one in the first place".
Car and front-door locks can be broken even quicker - do you honestly think it is sound security advice therefore not to lock your car or house.
Personally I applaud Lenovo in this respect (shame the laptops are shit though).
Just write the password down and stick it on the bottom of the Thinkpad. That's what everyone I know does.
Not new. Not even remotely new.
This is as it has been for as long as I have been using Thinkpads, and long before Lenovo bought the brand from IBM.
Having bought password protected S/H Thinkpads, and tried many of the 'home-brew' methods of unlocking them, I would say that many of the methods just don't work unless you have a high degree of skill, perseverance, and possibly several Thinkpads to work on.
For many older Thinkpads, what is really needed is a new serial EEPRAM chip soldered onto the motherboard, and then re-programmed with the Model and Serial number and the UUID. This is beyond even reasonably skilled electronics amateurs, really needing a magnified soldering station. It can be done by eye with a needle-nosed soldering iron and a steady hand, but you are more likely to damage the board than not (de-soldering high contact density surface mount chips is not easy in my experience). And IBM/Lenovo never made the software for setting the VPD available.
The newer ones, with TPM Security Chips fitted require both the EEPRAM and the Security Chip reset. This requires specialist knowledge which AFAIK is not in the public domain.
Companies deploying Thinkpads should set and securely record the master password themselves, and only let the users change the hard-disk and boot password. That way, the company IT department can rescue a Thinkpad before it is destined for the scrap-heap or a large repair bill.
The whole reason why this is the case is because Thinkpads are designed from the ground up to be good business laptops. This includes good security. I really don't think that you really want an easy way to break into a laptop containing YOUR sensitive data.
Lenovo is just applying the "Your lack of planning does not make it my emergency" principal.
The wrong assumption, again.
I didn't forget the password, that's my point. But so what if I did, the solution to the problem isn't viable and does against the whole philosophy of security - why can't IBM reset the security for legitimate owners of the hardware?
... because they don't believe that you didn't forget it, and cannot tell whether you are the legitimate owner or not.
It's not that there is a hidden backdoor, there is no backdoor.
The point that I was trying to make is that Lenovo would have to do quite a lot or rework to make the system usable again. It's MUCH MORE expensive to re-work the motherboard than to make it in the first place.
The reason for there being no backdoor is that they want to be able to re-assure their major customers that Thinkpads are a secure asset that becomes known to be not worth stealing.
You can't have it easy to reset and secure at the same time. If being easy to reset was all that was required, then having it in the CMOS battery-backed RAM would be all that was required. This was abandoned over 10 years ago by pretty much all manufacturers.
Even if IBM/Lenovo had some propriety secrets or code to reset the passwords, this would escape into the open and render the whole security useless.
Lenovo is right
to run into the problem you have to:
1- activate the password feature
2- not backup your password anywhere
3- forget your password
It's a trifecta of stupidity, you get what's coming to you.
Plus, I really object to 3rd parties unlocking the stuff I choose to lock.
All the whiners don't seem to realize that security comes at a cost, mainly in convenience. If you don't want to be bothered when forgetting your pwd... then don't use one.
Who say's I forgot it? I've used the same one all along.
Lenovo Ideapad S10e
Got a Lenovo Ideapad S10e - and is fully aware of the risk with the supervisor password.
I use one which is easy to memorize and use - and I let my wife know what it is. So if any ne'er-do-well decide to blag my netbook, he/she/it'll have a merry time trying to recover this password.
My final bit of revenge - even though the ne'er-do-well might crack it at the end...
Must commend Lenovo for standing on principle.
Resetting the password doesn't necessarily mean access to protected data
IANAL but I wonder how that would stand up against European or UK consumer laws? Even when a manufacturer states something in supplied agreements, you often find that it can be trumped by local consumer laws. We have a lot more power than we know when it comes to companies trying to turn us over!
How totally unreasonable
of Lenovo not to want to spend vast amounts of their time and money resetting passwords that dimwits have been so dedicatedly stupid to set and then forget.
If you lock yourself out of your car the AA will come and let you in and give you a bill.
If you lock yourself out of your house a locksmith will replace the locks but your house insurance won't pay for it.
If you can't think of a password you can't forget, don't set it
Long-standing policy for security
I used to work for Thinkpad support "back in the day" when a 486DX/100 processor and a double duty DSP soundcard/modem solution would cost you $9000. I supported machines all the way back to the days of luggable monochrome, microchannel suitcases with a built-in 5 1/4" drive. I can vouch for the fact that IBM's policy on resetting supervisor passwords was always to replace the hardware. There were three tiers of passwords. The supervisor password was required on boot to access the BIOS and therefore any of the machine's hardware. This could not be reset and required replacing the system board as the EEPROMs were not available as individual FRUs inside or outside the company.
The hard drive password which was required to access the machine's hard drive or ultra-bay option drive. If lost, the password "reset" was to replace the hard drive or to use the supervisor password to access the reset function of the hard drive password. If the supervisor password was not set, you had to replace the hard drive. There was also a power on password which could be reset by either the supervisor password or the hard drive password. Users, of course, never RTFMed, so they'd set up the highest tier password and forget it. We went out of our way, of course, to accommodate users, but our first and foremost loyalty was to the security of the device.
If a password could be reset by a series of keystrokes while standing on one foot and shouting, it could hardly be used to support a device that was supposed to be ready for business/client confidential information. As support, we would have preferred the easy out rather than to receive the rants of angry forgetful users, but our feeling that, if they wanted lax security they should have purchased a Toshiba instead. At the time, Toshiba made the only seriously competing, full-featured product and had been taken to task for allegedly selling silent running submarine technology to the Soviets. There were attempts to catalogue users with their devices, but the high costs of the machines caused a market to develop in used laptops when businesses sold their laptops to new users after a few years to recoup some of the initial cost. IBM had pioneered the low level formatting of drives from the BIOS in response to customer requests and the action at the time was considered good enough for destructive re-use of the media.
To create the full reset function in response to customers would have encouraged the already common theft of the laptops and undermined their security. It's really that simple. I'm sure Lenovo feels the same way, having purchased Division 23 wholesale along with the Thinkpad name and technology. Why is this news so many years later?
I should have mentioned in my post as former TP support
I should have mentioned, but I thought it went without saying, that the data was toast even if the system board was replaced, another benefit of the tiered password setting. If the system board were replaced, the hard drive would as well, but the most expensive part of the machine, the LCD panel and housing (even a barely above monochrome DSTN display was expensive) could still be used. This replacing the system board and hard drive on a laptop was the solution to a lost supervisor password, which was still a cheaper solution than replacing a whole machine. Thus a forgetful customer spent $3000-$4000 instead of $9000 for a full machine replacement. The data was never compromised because it could not be accessed again. Seems pretty secure to me.
I didn't forget the password
That's my point, I didn't forget it. Also the AA wouldn't charge you the price of a new car to open it would they? I don't mind paying a bit for a solution to this, but not the price of a new motherboard. This is a T61p, the motherboard will cost an absolute fortune.
If you lock your keys in your car, AAA won't fix the problem for free--but neither will they require you to replace the engine and transmission.
Yes, yes, I get that it's an emotional response; having contempt for "stupid" users makes you feel better about yourself. I've worked in IT for years; I know how this game is played. But let's not fall into the trap of false dichotomy while we're being all self-congratulatory! The fact that Lenovo is willing to fix the problem for $400 shows that it isn't about security. If it were, they wouldn't do it at any price. The fact that they are willing to fix it for $400 shows that they will, in fact, fix it. They simply ought to charge less, that's all.
But then it wouldn't punish people enough, would it? Which is really what this is all about. To Lenovo, it's about profit; to Lenovo's supporters, it's about delighting st the thought of "stupid" people suffering. It's not actually about security to anyone.
...and its not only Lenovo. HP was doing this for years (and still is).
If you set this password (encrypt your system), there is not a simple undo. This was done not for Levovo's "security concerns" but because if it could be undone at all, the governments of the world would not buy their machines, period.
What good is security to a government if the vendor can wave a magic want an unencrypt the firmware password on any machine they want, instantly making those machines USB bootable and thus crackable.
...and how does Lenovo perform this trick btw, even if they had a tool? Oh, by letting you DOWNLOAD the tool? Great, so every hacking in the entire world can unlock any Lenovo machine. Yea, that would have made the entire idea worth it. Now the only people who could not get into their machines who want to are consumers, but all the hackers can? Might as well lock the machine with a DRM key... it's just as secure as soon as there's a tool.
No, Lenovo offers no tool because they CAN'T offer a tool. Even if one existed in-house it's a huge security risk not just for their customers, but for their potential sales to any government or business who insists on completely lockable hardware.
Years ago when I worked for a reseller, we explicitly told customers "if you turn this on, and forget this password, you're well and fucked, so don't forget it." The Bios itself gives such a warning when you go to turn it on.
How does a manufacturer...
provide a warranty against user stupidity? Especially if they're not allowed to correct the cause of the failure which is what they could do if the problem originated in their product.
You are assuming that I forgot the password. I didn't. The laptop now takes a lot longer to prompt for a password, and I've only ever used one BIOS password on it. I typed it every day, hard to forget really.
So, if you haven't forgotten it, what exactly are you complaining about?
The title is required, and must contain letters and/or digits.
"Security" that requires replacing a motherboard but then the hard drive is accessible again is a pretty funny kind of security. Don't most corporate users consider the data on the drive (or more importantly, the lack of OTHER PEOPLE'S access to the data on the drive) to be more valuable than the machine itself? There's no mention in the article about the drive also being rendered useless. Else the problem becomes a simple one: forgetting password becomes excuse to upgrade.
So what we really have is a laptop version of the old trick by car stereo manufacturers: charge 80% of the price of a new stereo for a replacement faceplate, thereby poisoning the value of stolen goods.
good for them
When I install encryption software, I make a point of telling people "If you lose your password, you're just out of luck. There is no way to break the password, regardless of what you may have seen in movies. If the password could be easily broken, there'd be no point in having a password in the first place, would there?"
I tell them that a lost password = you just earned an erased hard drive with a fresh OS install on it, not your data back.
It's not the HDD password anyway, and even if it were the data is backed up. It's the supervisor password, and I'd be happy to just have it back with no OS on there.
Why not just...
... write the password on a Post-It and stick it on the bottom of the ThinkPad, so if you forget it you've got an instant reference?!
Excuse me whilst I use my time machine
Just followed a link to the first example in a forum and it dates from 2005. Must be a slow news day when we need to dredge up 5 year old stories. What's next? Windows 95 not compaitble with 3.1 shocker????
But IBM still haven't found a solution.
It does not need a solution. It's deliberately designed this way to be secure, not so that Lenovo can charge a repair fee.
no password is not an option
If you chose not to set a password someone can brick your laptop by setting one for you with about 45 seconds of unsupervised access.
The person pulling such a "prank" may not realize that the sole recourse for your particular laptop is to have the motherboard replaced.
Two-factor, e.g: PKI-magcard + PIN? PIN + SecurID token? PIN can be simple, and need not be changed periodically.
- Xmas Round-up Ten top tech toys to interface with a techie’s Christmas stocking
- Exploits no more! Firefox 26 blocks all Java plugins by default
- Xmas Round-up Ghosts of Christmas Past: Ten tech treats from yesteryear
- Google embiggens its fat vid pipe Chromecast with TEN new supported apps
- Review Hey Linux newbie: If you've never had a taste, try perfect Petra ... mmm, smells like Mint 16