back to article Forgot your ThinkPad password? Get new hardware

Users of Lenovo ThinkPad laptops may be in for a nasty surprise if they forget their main (supervisor) hard drive password. The Chinese hardware manufacturer refuses to reset hard drive (BIOS) security passwords for laptops even if they are covered by warranty. Lenovo, which bought IBM's ThinkPad laptop business in 2005, cites …

COMMENTS

This topic is closed for new posts.
  1. Jason Bloomberg Silver badge
    FAIL

    Caveat emptor

    If setting the password is optional then users have to take the blame for setting one without reading the small print and for forgetting it.

    On the other hand, if Lenova are prepared to replace the motherboard and make a system fully functional on production of appropriate purchase documentation there seems no reason they could not reset the password given the same documentation. It's therefore not about security, it's about profiteering.

  2. Winkypop Silver badge
    Joke

    How hard is it to...

    ...remember "qwerty123"

  3. Florence
    Coat

    Don't want to be mean

    to the guys breaking the stories to you but someone better tell Shaun P there's no Lenovo/IBM, just Lenovo nowadays when it comes to Thinkpads.

    And "web based password reset" for a HDD password or a power-on password? Care to explain how that's supposed to work?

    Mine's the one with a CMOS battery and discarded system board jumper in the pockets...

  4. Phil 54
    FAIL

    Lucky me

    I had this problem... Fortunately I always use the same password: "password".

    Damn I'm smart!

  5. petur
    Thumb Up

    recoverable = not safe

    If a password is recoverable or resettable, why have a password anyway. A lot password should mean no more access to the data. If it means something else, it is useless!

    1. Lou Gosselin

      Not clear

      "If Lenovo were to reset administrator or HDD passwords by either policy or available procedure, then we would be creating an exposure and undermining the value of the passwords to deter theft and prevent unintended access to data."

      Does this password protect the hard drive's encryption or merely the motherboard's bios?

      Is the hard drive readable on another computer?

      If the password merely protects the bios, I don't see why resetting this password is a big deal? In any case, lenovo should be able to reset the master password as well as any media keys it may be holding. The net effect would be the same as issuing a new motherboard and reinstalling the old hard drive/peripherals, with much less waste.

      1. Ben 42
        Boffin

        Re: Not clear

        "Does this password protect the hard drive's encryption or merely the motherboard's bios?"

        It depends on which password you're talking about. The HDD passwords (both user and master) protect the hard drive no matter what system it's in. If you're trying to protect the data on the drive this is the one to set.

        The BIOS user and supervisor passwords only protect access to the individual machine's hardware and its BIOS settings. In the event of theft this isn't any real deterrent to getting at data, but it does prevent use of the system without a replacement motherboard. This seems to be what the article is referring to since replacing the motherboard wouldn't fix a forgotten HDD password.

        1. Lou Gosselin

          @Ben 42

          Thanks for responding.

          "It depends on which password you're talking about."

          Actually I was trying to understand what the password on lenovo laptops really protects.

          "This seems to be what the article is referring to since replacing the motherboard wouldn't fix a forgotten HDD password."

          Exactly, but when read in this context lenovo's statements about protecting data don't add up. Since they're willing to reset a user password to let the user boot up the machine, it would seem that protecting the data on the machine is not their concern. This is why I wondered if there was something special about these laptops I had overlooked.

  6. Peter Galbavy

    well done Lenovo

    Well done them. While there may well be exploitable flaws somewhere to work around the password issue and/or a "law enforcement" override it's good to see this level of willingness to piss users off in exchange for a increased perception of data security.

  7. Anonymous Coward
    Pint

    Much as I hate to say it

    as I dislike Lenovo (kind of disliking IBM by proxy, or possibly poxy) I think their stated reason makes perfect sense. Though it is a no-win situation: the determined thief could easily circumvent the lockout, but that doesn't mean Lenovo should therefore remove all obstacles to more-or-less immediate access to the data on the hard disk.

    Beer, because there's no liberty cap icon.

  8. Anonymous Coward
    WTF?

    LOL

    Sorry but I couldn't stop laughing at this bit: "Lenovo's unwritten policy if you 'forget' your password is, buy a new laptop," Shaun, who has experience the problem at first hand, explained. "Mr Criminal on the other hand can break the security in under 30 minutes. Kind of ironic that Lenovo can offer no real support to legitimate customers, but the bloke at the car boot sale can."

    If Shaun is of the opinion that a crim only needs 30 mins to break the security then why on earth did he bother putting a supervisor password on it in the first place?

  9. Anonymous Coward
    Anonymous Coward

    Mr Criminal

    Just because your name is Criminal doesn't mean you have to be one.

    1. Anonymous Coward
      Joke

      Re: Mr Criminal

      How refreshing and enlightened. I'm very pleased that you said that as I'm a bit pissed off with people jumping to conclusions.

      James Baboonshagger.

      1. Ken 16 Silver badge
        Joke

        any relation to

        Mr Goatraper?

        1. Puck

          Re: Mr Goatraper

          I don't know why your post had me giggling; it brought to mind some Satyr-like offspring, being possibly the relative asked after; and yet I have no idea what this entire thread is about.

  10. mike 66
    FAIL

    Simple- Write your password on a post-it note and attach to your laptop lid...

    Seriously though - don't forget your password

    It shouldn't be covered under warranty - why should Lenovo pick up the bill for a users stupidity....

    I'm no security expert, but having a web based password reset service seems somewhat risky...?

    1. Anonymous Coward
      Anonymous Coward

      Who expected them to pay for it?

      I didn't expect it to be free, I just didn't expect it to cost more than the laptop is worth. The laptop is a T61p and is less than 18 months old, and who says I forgot the password? I haven't, the laptop takes almost a minute to get to a password prompt where it only used to take a few seconds.

    2. Snert Lee

      Why

      Because, if you're under warranty and you've forgotten the supervisor password, then the solution is to come up with different reason to get the systemboard exchanged under warranty. ZeroStat, anyone?

      So rather than provide an easy fix for a security-thru-obscurity situation, Lenovo ensures an expensive fix.

  11. Peter Kay

    This is not news

    This has always been the case with Thinkpads and is a feature, not a bug. The hardware is in some cases genuinely difficult/almost impossible to get into.

    The truth is that the difficulty varies across models, but is rarely trivial. It usually requires special programs and sometimes a custom cable.

    If you don't want to get locked out, don't set a password..

    1. Lou Gosselin

      Someone else's password

      "If you don't want to get locked out, don't set a password.."

      It's trivial for a non-owner else to set the bios password if the owner steps away for a minute. The supervisor password could go unnoticed for a long time.

  12. Jerome 0

    Simple solution

    If the password can be broken in 30 minutes, there's no point setting one in the first place. If you don't set one in the first place, you can't forget it. Problem solved.

    1. Nuke
      FAIL

      Re: Simple Solution

      My wife couldn't break the password in 30 minutes, or ever. She's the only one I'm worried about.

    2. Anonymous Coward
      Grenade

      weird security logic

      "If the password can be broken in 30 minutes, there's no point setting one in the first place".

      Car and front-door locks can be broken even quicker - do you honestly think it is sound security advice therefore not to lock your car or house.

      Personally I applaud Lenovo in this respect (shame the laptops are shit though).

  13. Version 1.0 Silver badge
    Thumb Up

    Easy fix

    Just write the password down and stick it on the bottom of the Thinkpad. That's what everyone I know does.

  14. Anonymous Coward
    FAIL

    Not new. Not even remotely new.

    This is as it has been for as long as I have been using Thinkpads, and long before Lenovo bought the brand from IBM.

    Having bought password protected S/H Thinkpads, and tried many of the 'home-brew' methods of unlocking them, I would say that many of the methods just don't work unless you have a high degree of skill, perseverance, and possibly several Thinkpads to work on.

    For many older Thinkpads, what is really needed is a new serial EEPRAM chip soldered onto the motherboard, and then re-programmed with the Model and Serial number and the UUID. This is beyond even reasonably skilled electronics amateurs, really needing a magnified soldering station. It can be done by eye with a needle-nosed soldering iron and a steady hand, but you are more likely to damage the board than not (de-soldering high contact density surface mount chips is not easy in my experience). And IBM/Lenovo never made the software for setting the VPD available.

    The newer ones, with TPM Security Chips fitted require both the EEPRAM and the Security Chip reset. This requires specialist knowledge which AFAIK is not in the public domain.

    Companies deploying Thinkpads should set and securely record the master password themselves, and only let the users change the hard-disk and boot password. That way, the company IT department can rescue a Thinkpad before it is destined for the scrap-heap or a large repair bill.

    The whole reason why this is the case is because Thinkpads are designed from the ground up to be good business laptops. This includes good security. I really don't think that you really want an easy way to break into a laptop containing YOUR sensitive data.

    Lenovo is just applying the "Your lack of planning does not make it my emergency" principal.

    1. Anonymous Coward
      Anonymous Coward

      The wrong assumption, again.

      I didn't forget the password, that's my point. But so what if I did, the solution to the problem isn't viable and does against the whole philosophy of security - why can't IBM reset the security for legitimate owners of the hardware?

      1. Anonymous Coward
        Anonymous Coward

        @Shaunp

        ... because they don't believe that you didn't forget it, and cannot tell whether you are the legitimate owner or not.

        It's not that there is a hidden backdoor, there is no backdoor.

        The point that I was trying to make is that Lenovo would have to do quite a lot or rework to make the system usable again. It's MUCH MORE expensive to re-work the motherboard than to make it in the first place.

        The reason for there being no backdoor is that they want to be able to re-assure their major customers that Thinkpads are a secure asset that becomes known to be not worth stealing.

        You can't have it easy to reset and secure at the same time. If being easy to reset was all that was required, then having it in the CMOS battery-backed RAM would be all that was required. This was abandoned over 10 years ago by pretty much all manufacturers.

        Even if IBM/Lenovo had some propriety secrets or code to reset the passwords, this would escape into the open and render the whole security useless.

  15. barth

    Lenovo is right

    to run into the problem you have to:

    1- activate the password feature

    2- not backup your password anywhere

    3- forget your password

    It's a trifecta of stupidity, you get what's coming to you.

    Plus, I really object to 3rd parties unlocking the stuff I choose to lock.

    All the whiners don't seem to realize that security comes at a cost, mainly in convenience. If you don't want to be bothered when forgetting your pwd... then don't use one.

    1. Anonymous Coward
      Anonymous Coward

      Wrong

      Who say's I forgot it? I've used the same one all along.

  16. Anonymous South African Coward Bronze badge
    Thumb Up

    Lenovo Ideapad S10e

    Got a Lenovo Ideapad S10e - and is fully aware of the risk with the supervisor password.

    I use one which is easy to memorize and use - and I let my wife know what it is. So if any ne'er-do-well decide to blag my netbook, he/she/it'll have a merry time trying to recover this password.

    My final bit of revenge - even though the ne'er-do-well might crack it at the end...

    Must commend Lenovo for standing on principle.

  17. Peter 39

    data access

    Resetting the password doesn't necessarily mean access to protected data

  18. Anonymous Coward
    FAIL

    Interesting

    IANAL but I wonder how that would stand up against European or UK consumer laws? Even when a manufacturer states something in supplied agreements, you often find that it can be trumped by local consumer laws. We have a lot more power than we know when it comes to companies trying to turn us over!

  19. Anonymous Coward
    WTF?

    How totally unreasonable

    of Lenovo not to want to spend vast amounts of their time and money resetting passwords that dimwits have been so dedicatedly stupid to set and then forget.

    If you lock yourself out of your car the AA will come and let you in and give you a bill.

    If you lock yourself out of your house a locksmith will replace the locks but your house insurance won't pay for it.

    If you can't think of a password you can't forget, don't set it

    1. Anonymous Coward
      Megaphone

      Long-standing policy for security

      I used to work for Thinkpad support "back in the day" when a 486DX/100 processor and a double duty DSP soundcard/modem solution would cost you $9000. I supported machines all the way back to the days of luggable monochrome, microchannel suitcases with a built-in 5 1/4" drive. I can vouch for the fact that IBM's policy on resetting supervisor passwords was always to replace the hardware. There were three tiers of passwords. The supervisor password was required on boot to access the BIOS and therefore any of the machine's hardware. This could not be reset and required replacing the system board as the EEPROMs were not available as individual FRUs inside or outside the company.

      The hard drive password which was required to access the machine's hard drive or ultra-bay option drive. If lost, the password "reset" was to replace the hard drive or to use the supervisor password to access the reset function of the hard drive password. If the supervisor password was not set, you had to replace the hard drive. There was also a power on password which could be reset by either the supervisor password or the hard drive password. Users, of course, never RTFMed, so they'd set up the highest tier password and forget it. We went out of our way, of course, to accommodate users, but our first and foremost loyalty was to the security of the device.

      If a password could be reset by a series of keystrokes while standing on one foot and shouting, it could hardly be used to support a device that was supposed to be ready for business/client confidential information. As support, we would have preferred the easy out rather than to receive the rants of angry forgetful users, but our feeling that, if they wanted lax security they should have purchased a Toshiba instead. At the time, Toshiba made the only seriously competing, full-featured product and had been taken to task for allegedly selling silent running submarine technology to the Soviets. There were attempts to catalogue users with their devices, but the high costs of the machines caused a market to develop in used laptops when businesses sold their laptops to new users after a few years to recoup some of the initial cost. IBM had pioneered the low level formatting of drives from the BIOS in response to customer requests and the action at the time was considered good enough for destructive re-use of the media.

      To create the full reset function in response to customers would have encouraged the already common theft of the laptops and undermined their security. It's really that simple. I'm sure Lenovo feels the same way, having purchased Division 23 wholesale along with the Thinkpad name and technology. Why is this news so many years later?

      1. Charcaroth
        Megaphone

        I should have mentioned in my post as former TP support

        I should have mentioned, but I thought it went without saying, that the data was toast even if the system board was replaced, another benefit of the tiered password setting. If the system board were replaced, the hard drive would as well, but the most expensive part of the machine, the LCD panel and housing (even a barely above monochrome DSTN display was expensive) could still be used. This replacing the system board and hard drive on a laptop was the solution to a lost supervisor password, which was still a cheaper solution than replacing a whole machine. Thus a forgetful customer spent $3000-$4000 instead of $9000 for a full machine replacement. The data was never compromised because it could not be accessed again. Seems pretty secure to me.

    2. Anonymous Coward
      Anonymous Coward

      I didn't forget the password

      That's my point, I didn't forget it. Also the AA wouldn't charge you the price of a new car to open it would they? I don't mind paying a bit for a solution to this, but not the price of a new motherboard. This is a T61p, the motherboard will cost an absolute fortune.

    3. Franklin
      Thumb Down

      Poor analogy

      If you lock your keys in your car, AAA won't fix the problem for free--but neither will they require you to replace the engine and transmission.

      Yes, yes, I get that it's an emotional response; having contempt for "stupid" users makes you feel better about yourself. I've worked in IT for years; I know how this game is played. But let's not fall into the trap of false dichotomy while we're being all self-congratulatory! The fact that Lenovo is willing to fix the problem for $400 shows that it isn't about security. If it were, they wouldn't do it at any price. The fact that they are willing to fix it for $400 shows that they will, in fact, fix it. They simply ought to charge less, that's all.

      But then it wouldn't punish people enough, would it? Which is really what this is all about. To Lenovo, it's about profit; to Lenovo's supporters, it's about delighting st the thought of "stupid" people suffering. It's not actually about security to anyone.

  20. Michael C
    Big Brother

    Nothin New

    ...and its not only Lenovo. HP was doing this for years (and still is).

    If you set this password (encrypt your system), there is not a simple undo. This was done not for Levovo's "security concerns" but because if it could be undone at all, the governments of the world would not buy their machines, period.

    What good is security to a government if the vendor can wave a magic want an unencrypt the firmware password on any machine they want, instantly making those machines USB bootable and thus crackable.

    ...and how does Lenovo perform this trick btw, even if they had a tool? Oh, by letting you DOWNLOAD the tool? Great, so every hacking in the entire world can unlock any Lenovo machine. Yea, that would have made the entire idea worth it. Now the only people who could not get into their machines who want to are consumers, but all the hackers can? Might as well lock the machine with a DRM key... it's just as secure as soon as there's a tool.

    No, Lenovo offers no tool because they CAN'T offer a tool. Even if one existed in-house it's a huge security risk not just for their customers, but for their potential sales to any government or business who insists on completely lockable hardware.

    Years ago when I worked for a reseller, we explicitly told customers "if you turn this on, and forget this password, you're well and fucked, so don't forget it." The Bios itself gives such a warning when you go to turn it on.

  21. Rasslin ' in the mud

    How does a manufacturer...

    provide a warranty against user stupidity? Especially if they're not allowed to correct the cause of the failure which is what they could do if the problem originated in their product.

    1. Anonymous Coward
      Anonymous Coward

      Another assumption

      You are assuming that I forgot the password. I didn't. The laptop now takes a lot longer to prompt for a password, and I've only ever used one BIOS password on it. I typed it every day, hard to forget really.

      1. Mark 65

        Errr

        So, if you haven't forgotten it, what exactly are you complaining about?

  22. Peter H. Coffin

    The title is required, and must contain letters and/or digits.

    "Security" that requires replacing a motherboard but then the hard drive is accessible again is a pretty funny kind of security. Don't most corporate users consider the data on the drive (or more importantly, the lack of OTHER PEOPLE'S access to the data on the drive) to be more valuable than the machine itself? There's no mention in the article about the drive also being rendered useless. Else the problem becomes a simple one: forgetting password becomes excuse to upgrade.

    So what we really have is a laptop version of the old trick by car stereo manufacturers: charge 80% of the price of a new stereo for a replacement faceplate, thereby poisoning the value of stolen goods.

  23. John Ridley 1

    good for them

    When I install encryption software, I make a point of telling people "If you lose your password, you're just out of luck. There is no way to break the password, regardless of what you may have seen in movies. If the password could be easily broken, there'd be no point in having a password in the first place, would there?"

    I tell them that a lost password = you just earned an erased hard drive with a fresh OS install on it, not your data back.

    1. Anonymous Coward
      Anonymous Coward

      Definately.

      It's not the HDD password anyway, and even if it were the data is backed up. It's the supervisor password, and I'd be happy to just have it back with no OS on there.

  24. Anonymous Coward
    Coat

    Why not just...

    ... write the password on a Post-It and stick it on the bottom of the ThinkPad, so if you forget it you've got an instant reference?!

  25. BongoBoy
    Thumb Down

    Excuse me whilst I use my time machine

    Just followed a link to the first example in a forum and it dates from 2005. Must be a slow news day when we need to dredge up 5 year old stories. What's next? Windows 95 not compaitble with 3.1 shocker????

    1. Anonymous Coward
      Anonymous Coward

      Indeedy

      But IBM still haven't found a solution.

      1. Anonymous Coward
        Anonymous Coward

        @shaunp

        It does not need a solution. It's deliberately designed this way to be secure, not so that Lenovo can charge a repair fee.

  26. ZenCoder

    no password is not an option

    If you chose not to set a password someone can brick your laptop by setting one for you with about 45 seconds of unsupervised access.

    The person pulling such a "prank" may not realize that the sole recourse for your particular laptop is to have the motherboard replaced.

  27. Mal Adapted
    Black Helicopters

    Strong authentication?

    Two-factor, e.g: PKI-magcard + PIN? PIN + SecurID token? PIN can be simple, and need not be changed periodically.

  28. dkenned1

    Had to do this

    My laptop was stolen and several months later it was actually returned, but the thing had been bricked by the thieves witht the supervisor password nonsense. I also had the 3 year warranty and gold support or whatever from lenovo and they refused to fix it even though I'm the registered owner. Pretty frustrating. They explained that if the motherboard hardware failed they would replace it.

    What I did was find the TPM chip on the motherboard, solder a few wires to it, hook up the serial connection and reset it. not an easy task and not for the faint of heart, but i figured it was bricked anyway so I took the risk.

    not the easiest solder connection on that board and it was on the bottom of the unit, it was challenging but in the end i got it fixed.

    IBM T61

    1. Anonymous Coward
      Anonymous Coward

      My thoughts exactly.

      That's exactly what I plan on doing. There are a few sites that sell kits to enable this. Naturally I'll document the process and make it as public as I can. The laptop is effectively spare parts now anyway, so I might as well risk $80 to get it fixed. If that doesn't work I'll sell it for parts on ebay and then buy anything except Lenovo.

      This security policy needs to change as it doesn't benefit anyone in the long-term, even Lenovo as they will ultimately lose sales.

    2. Anonymous Coward
      Anonymous Coward

      TPM module and Serial EEPRAM chips

      On older Thinkpads, these are two separate chips, and the TPM module was optional on many models. On T23 through to T43's the Serial EEPRAM chip was an Atmel 10 or 14 pin surface mount chip (can't remember the numbers). There are supposed to be *readable* with the kit mentioned by dkenned1, but I have tried on two separate T23's and could never get it to work, although I did use the homebrew kit rather than pre-made one. The soldering is *very* fiddly, and I challenge anyone who is not a regular user of soldering irons to successfully carry out the work.

      If there is also a TPM module (optional on T23-T43), I believe that there is extra encryption involved that checks the contents, and also scrambles the password so that it cannot be read from the serial EEPRAM. Similarly, if a perfect motherboard with a TPM module fitted, has it removed, then this bricks the motherboard until the *correct* TPM module is replaced (ebay TP parts sellers beware of this, I have bought 2 'working' Mobo's from ebay sellers who post testing removed the TPM module and discarded it. Grrrrr).

      On T60's and later, I believe that they have put the Serial EEPRAM function into the TPM module, and soldered it onto the motherboard (rather than the TPM module being a plug-in daughter board). I do not believe any amount of hardware hacking will enable the passwords to be read from one of these. This is by design and is a key selling point.

      I do not know how this info relates to A and R series Thinkpads. I only use second-hand T series.

  29. Anonymous Coward
    Anonymous Coward

    Always been the case

    It's not easy to do and does require some hardware hacking skills but it's not impossible to reset passwords on IBM/Lenovo laptops. Certainly less than the cost of a replacement motherboard.

  30. Stevie

    Bah!

    This article underscores the fundamental flaw in thinking that password-only-based security represents. The password is supposed to be a secure credential, but by its nature is highly unlikely to be so in the vast majority of cases. The problem is systemic and cannot be solved satisfactorily for all cases with bolt-ons. (example: password aging schemes only ever truly inconvenience the people with a perfect right to the password. Given no change in habits, a user's stealthily busted password can be busted the same way when it's changed).

    Proximity-detected, or even better, contact PIDS are really the only answer, although they suffer from many of the same "social" problems that passwords do: they get forgotten or lost and there you go. How about a motherboard-based "any three from five" scheme could be built on the backbone of ubiquitous RFID spinoff tech using, say, jewelry, ID cards and so forth to assemble a viable identity credential set? To use your "secure" tech it would only be necessary to be wearing the right combination of items (watch, ring etc), each of which having it's own identity that squawks, transponder style, when queried.

    Of course, now you are into ID card territory with all the bugbears that lets loose.

  31. Joel Mansford
    Thumb Down

    BIOS Passwords are just a pain...

    I can't see any reason why Lenovo can't reset motherboard passwords, the use of the motherboard doesn't pose any high security risk. Also it's a specialist item which is just wrong to bin due to some software on it!

    However, harddrive passwords I think they're completely correct not to unlock, afterall it's the data that people care about losing (mostly). If you forget your HDD password then tough luck - you've lost your data and since a HDD costs less than fifty quid now it's not an expensive or difficult item to replace.

    1. Anonymous Coward
      Anonymous Coward

      I agree

      I didn't want the HDD password to be reset, reformatting the HDD did that, but I do want them to reset the BIOS password.

  32. John Sanders
    Heart

    Thinkpads

    Have been the same for years, what is the news?

    I always considered the Thinkpad's motherboard password a last laugh, a "fcuk you thief" kind of thing. You stole my laptop, now you'll have to sweat to use it.

    1. Anonymous Coward
      Unhappy

      Not as serious as you think...

      These are in my guess designed this way to create more revenue for the manufacturer. I took apart a friend's Dell one time that had this issue (forgotten password). No dip switches, no jumpers and the BIOS battery was soldered to the motherboard. Simply soldering the battery off and back on fixed the issue. My only conclusion with the no jumpers, dip switches or removable battery was a design decision to "force" people to replace the motherboard. Funny how it's still the same years later. As much as I would cheer on a good F YOU! to a thief you are probably only delaying them a couple hours from using your shiny new laptop.

  33. Anonymous Coward
    Anonymous Coward

    Some of you make the same assumptions Lenovo did

    I didn't forget the password, I've used the same one since I've had the laptop, and it's the supervisor password not the HDD password. I disabled the security to turn off the HDD password so I could reuse it, and when I set it up again that's when I got locked out. And before you say it, I didn't type it in incorrectly. But.... the laptop now takes a lot longer to prompt for a password than it did before. My view is that an encrypted password has been brought over from the TPM module when I turned that back on.

    I also didn't find out about the password policy or how easily it is to potentially break the password until after I had the problem, else otherwise I wouldn't have bothered, there would be no point.

    I don't expect Lenovo to provide a free fix, but their solution costs more than the laptop is worth. So my point is that they assume I am wrong and offer no viable solution to the problem. If you were in my position would you be happy about their support? Make fun of the situation, call me a dumb-ass, whatever. The fact is their security and user support need updating.

  34. Head
    WTF?

    Ha

    Dell doesn't do that, lenovo sucks.

  35. Simon Brown
    WTF?

    ShaunP highlights a flash problem

    Hi,

    ShaunP's issue highlights a problem with flash memory, mirroring an experience we had with encrypted USB keys - but it could probably happen to any flash memory that is encrypted.

    If you use the same password every day then it is nigh-on impossible to forget passwords. So when your password suddenly stops working it's incredibly frustrating. Our problem was with Sandisk Countour Cruzer 8Gb USB sticks. They support 256bit AES encryption and we duly implemented a password policy. As backup I also held an encrypted copy of all the company's passwords. Imagine my surprise when suddenly passwords stopped working on two of the memory sticks. The users hadn't changed their passwords (one of the users was me, I definitely hadn't changed my password), the password "hints" were not being displayed (a bad sign I guess) and I could not reformat the USB stick or use it in any way.

    This was annoying but it's only a USB stick, the manufacturer takes full responsibility and replaced the USB stick.

    What Lenovo are doing here is saying that even if their encrypted flash memory fails, they can not take responsibility for it.

    Is that a breach of the "fit for purpose" section of the sale of goods act?

    1. Anonymous Coward
      Anonymous Coward

      Checksums

      All of the persistent memory in a Thinkpad is checksum'd. If it were a case that this memory had become damaged or corrupted, then the checksum check would fail, leading to an identifiable pattern of beeps when the laptop is powered up.

      If there were one of these pattern of beeps (which are documented in the maintenance manual that is on the Lenovo website) then Lenovo would have leapt in, and fixed the laptop under warranty.

      Also, it is not always clear that the warranty is actually transferable. If this TP was bought second-hand, Lenovo may also refuse to service it. Whether this is legal or not is debatable, and has been discussed elsewhere on the Register.

  36. Anonymous Coward
    Anonymous Coward

    Bulk encryption

    The reason is simple - Lenovo (IBM as was) laptop + Hitachi (IBM as was) hard disk = bulk encryption of hard disk. Thinkpads have been able to do this (with the right h/d) for a decade or so. Nothing to do with the operating system AT ALL.

    Whats the point in bulk encrypting the hard drives if a phone call to some muppet in support permits you to reset the password and gain access to the data?

    I don't expect Truecrypt/Bestcrypt/whatever to be able to circumvent encryption with a "master reset" password so why would I expect Lenovo to do it?

    Can't remember the password you set DESPITE the dire warnings about the hard drive? If so then you shouldn't have been allowed access to the machine's BIOS in the first place.

    Oh and you're a fuckwit :-)

    1. Anonymous Coward
      Boffin

      Hard disk

      In a Thinkpad, the disk is not encrypted with the HD password, the disk controller just refuses to work as a disk controller if the password check fails. You're thinking of something like a Flagstone disk, which are not fitted to TP's

      In theory, it would be possible to change the drive electronics and get access to the data on the disk, but this is way beyond a casual thief, and requires a controller board with the same revision and firmware as the original.

      The option with TravelStar (and other) disks is to use an IOCTL to cause the disk to forget the password, but this also then clears the disk. The disk becomes usable again, but the data is lost.

  37. Anonymous Coward
    Flame

    Bah kids today.....

    ....Forgot the BIOS password and still under warranty....?

    By pass the power brick and send 240 straight into it. One f**ked laptop.

    Geeezzz some people have no imagination these days.....

  38. SquashNuts

    AFAIK Fujitsu laptops are the only ones with a secure BIOS

    Caveat: This info was true as of 2005 and is entirely from memory so it may contain some slight inaccuracies regarding the hardware.

    I have never encountered a BIOS that could not be bypassed some way or another until a few years ago. Usually there will be a tool/utility/info on one of the more unscrupulous forums dedicated to such tasks (admin backdoor/ password reset or removal/brute forcer/hex editor/jumper short - old skool). However, after a particularly hasty bid on two cheap Fujitsu laptops listed on FleaBay for spares or repair, I found out the hard way that this is not always the case.

    You see those clever chaps over in Singapore realised what most have already posted on here: Give someone a scope and enough time and they will prod and poke your BIOS until they find a way in.

    So they developed a proprietary daughter chip that sits alongside the BIOS chip. This chip creates a secure communication channel between the user and BIOS using proprietary encryption. The result if you forget your BIOS password? You need to send the laptop board to Singapore to have the password reset by a Fujitsu engineer. Or buy a replacement board yourself for about £100 more and save yourself 6 weeks wait. Suffice to say, the car-puter project didn't warrant that sort of expenditure and one of those two laptops is still available should anyone want a 1ghz Athlon lappy that can only boot from live CD's or HDD (caddy not included).

    Further research (at the time) confirmed Fujitsu were the ONLY manufacturer to produce laptops with a secure and unbreakable BIOS password policy (thanks to the daughter chip). It would surprise me not if this were still true today.

    1. Anonymous Coward
      Anonymous Coward

      @SquashNutz - Standard TPM 'Fritz chip" behaviour

      I don't believe that Fujitsu are unique. I believe that a Thinkpad with an enabled TPM Security Module is pretty much the same. (Fuji copied so much of the design features of some of their Lifebooks from IBM Thinkpads, it's scary).

      Earlier TP's, or later ones without the TPM Security Module fitted (it was optional on many models) can be hacked. Ones with the Security Module fitted and enabled can't.

      You can't boot the TP without the security module installed, and it enforces encryption of the various passwords when it is enabled. This is part of the function of the TPM module, which also has a good (albeit a bit slow for the early ones) hardware random number generator, and also offers hardware based encryption to speed up SSL, and encrypted password storage for an OS and applications that support the API.

      I believe that if ShaunP's Thinkpad is indeed a T61, with the security module enabled, then he will not get it working again without replacing the motherboard.

      BTW. Shaun has been complaining that he did not 'forget' the password, but the original article title is at odds with that assertion.

  39. Ben Tasker
    Thumb Up

    And your point is?

    Personally I think Lenovo are right to do this. Some of us actually need devices that are secure if some scroat nicks them.

    What next, complaints that you have to re-install Windows if you forget your password and haven't made a recovery disk?

    I've very little sympathy for anyone who gets hit by this, and it's not exactly clear how a webbased reset could work on a supervisor password, much less how you could avoid knackering your security reputation.

    Anyone who gets hit by this will certainly remember to keep a backup of their password next time!

    1. Anonymous Coward
      Anonymous Coward

      How do you backup the password?

      I know what the password is, I never 'forgot it', but Lenovo don't have a policy for this other than buy a new motherboard.

  40. Anonymous Coward
    FAIL

    Supervisor password is relatively trivial to obtain...

    At least on my T42 it was!

    Build a relatively simple circuit with a few components from Maplink, and solder the whole thing on to the mobo, along couple of bits of software installed on a computer with a serial port, and you can read the password in plain text...

    and, no, I'm not a surface soldering expert, again a £15 soldering iron from Maplink will do...

    If you can't follow the simple instructions online, you really shouldn't be allowed near a computer... IMHO...

  41. Daniel B.
    Boffin

    Ooooh, they still have that policy?

    One guy at high school had the misfortune of setting his password, and he immediately forgot his password.

    He then spent MONTHS trying to get IBM to reset his password... he eventually had to buy another laptop. That was back in 1998, seems like that policy has remained in Lenovo.

  42. Scott 71

    How much is your data worth?

    The whole point is that IBM, and now Lenovo, are doing what they can to make it extremely difficult to break drive security. Resetting a power-on password is no big deal. It doesn't unlock any data, it's a very superficial level of security.

    I would put forth that, if the confidentiality of your data isn't worth more than the price of your laptop, you probably shouldn't set that password. There are DIRE WARNINGS that inform the user of these consequences prior to setting the supervisor password. No, a field tech can't do anything with the encryption chips on the system board. IBM and Lenovo seem to be of the mind that they won't even trust a board once they've messed with jumpering and resetting the chip, so they won't even mess with trying to "rehab" boards with that password set. The selling point is that it's so non-trivial to reset one of these passwords (which would enable the recovery of the data) that your average burglars or laptop snatchers are simply not going to have the skills to compromise the data. They might be able to sell the machine for parts, but your business or agency is likely not going to be embarrassed by having all your clients' or patients' personal information sold off. Your company secrets are less likely to find their way into the hands of your competition. Your data is really as safe as it's going to get on a device that is ostensibly going to be exposed to leaving secure facilities and is rather easy to walk-off with.

  43. david 7
    FAIL

    T400 booted up asking for a password.

    My office Lenovo woke up one morning asking for the administrator/bios password... I never had it. IT finally figured it out after 3 days someone (not Lenovo) showed up with the right password.

    I used to like Think pads and own a couplefor myself until til I got this T400 in the office - its a rather large, heavy piece of crap, has blue screened on me more than a few times, doesn't wake up properly etc. etc.

    I won't be buying any more Lenovos.

  44. Anonymous Coward
    Pirate

    Laptop unbricking...

    hehe.. i remember doing the old tosh*ba "parallel port" hack back in uni days..

    Interestingly on the A*pire1 the cmos/etc password is stored within the 8 pin flash, so much for security here.

    Yes, the biggest problem seems to be that those who steal laptops/etc would rather scavenge what they can (screen. DVD drive,case, etc) and dump the rest rather than fiddling with them, a variant on the car stripping scam.

    Beware used motherboards, they are usually locked. Guess how i found that out :(

    So it would seem that the solution here is to implement "secure inactivation", incorporate a feature in the screen controller etc rendering it permanently unusable if a password is set except on the machine it was originally installed on.

    Bonus if it displays "STOLEN!!!!" in red flashing letters for good measure.

    I still like my idea, a device in the hard drive which if not disarmed permanently blows the head amplifier and scores the platters (koff reverse biased tantalum /koff) thereby rendering the drive a paperweight.

    AC, because this is probably too much information...

  45. pitagora
    Dead Vulture

    I think the author is hasn't done his research

    "a variety of password recovery tools will do the job for around $80"

    The tools exist, but they don't do the job. Resetting the superviser password involves replacing an EEPROM chip on the motherboard, among others. This is very risky to do by hand even by a specialist. The board has a very high density and even the slightest mistake will destroy that board. There is also the question of resetting the TPM chip if one exists. Now these chips are designed so that they can't be reset. At least the procedure is a very close guarded secret. Can't say the superviser password can't be reset with the right equipment and expertize, but it would definitely cost more then a brand new laptop.

This topic is closed for new posts.

Other stories you might like