[Thinkpad] Removing CMOS battery bypasses power-on password
Jon Etkins
jon at snikte.net
Mon Oct 2 15:18:38 CDT 2006
In the process of attempting to resolve the problem with my T40, I
removed the CMOS battery for an extended period (Batteries Plus couldn't
attach the wiring harness to a new battery until the next day).
To my surprise, when I booted the machine without the CMOS battery
present, it didn't ask me for the Power-On password, asking only for my
HDD password. If I hadn't had a password on my hard drive, the machine
would have been completely unprotected at the hardware level.
Once I replaced the CMOS battery, the POST sequence reported that the
machine had been "tampered with" and wouldn't boot without the BIOS
Administrator password. Once into the BIOS setup, I found that sure
enough, the Power-On password had been cleared.
I'm not sure if this is SOP for all modern Thinkpads, but it certainly
seemed like a security hole to me. Anyone who has eschewed the HDD
password in the belief that the power-on password is sufficient might
like to think again, too.
________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
More information about the Thinkpad
mailing list