New to CAPEC? Start Here
Home > CAPEC List > CAPEC-402: Bypassing ATA Password Security (Version 3.9)  

CAPEC-402: Bypassing ATA Password Security

Attack Pattern ID: 402
Abstraction: Detailed
View customized information:
+ Description
An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.
+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.401Physically Hacking Hardware
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Access to the system containing the ATA Drive so that the drive can be physically removed from the system.
+ Mitigations
Avoid using ATA password security when possible.
Use full disk encryption to protect the entire contents of the drive or sensitive partitions on the drive.
Leverage third-party utilities that interface with self-encrypting drives (SEDs) to provide authentication, while relying on the SED itself for data encryption.
+ Example Instances

The A-FF Repair Station tool is a data recovery utility that can be used for ATA password removal (both High and Maximum level) and firmware area recovery. An adversary with access to this tool could reset the ATA password to bypass this security feature and unlock the hard drive. The adversary could then obtain any data contained within the drive. [REF-702]

An adversary gains physical access to the targeted hard drive and installs it into a system that does not support ATA security features. Once the drive is installed in the feature-lacking system, the adversary is able to reset the hard drive password via the BIOS. As a result, the adversary is able to bypass ATA password security and access content on the drive.

+ References
[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
[REF-701] Oliver Tennert. "Using the ATA security features of modern hard disks and SSDs". Admin Magazine. 2014. <>. URL validated: 2022-02-16.
[REF-702] "Breaking ATA Password Security". The University of Texas at Austin Information Security Office. <>. URL validated: 2022-02-16.
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Mitigations, References
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018