Forgot your password?
typodupeerror
Data Storage Privacy Security Hardware

Confidential Data Not Safe On Solid State Disks 376

Posted by timothy
from the tim-wants-targets-you-want-privacy-win-win dept.
An anonymous reader writes "I always thought that the SSD was a questionable place to store private data. These researchers at UCSD's Non-Volatile Systems Laboratory have torn apart SSDs and have found remnant data even after running several open source and commerical secure erase tools. They've also proposed some changes to SSDs that would make them more secure. Makes you think twice about storing data on SSDs — once you put it on, getting it off isn't so easy."
This discussion has been archived. No new comments can be posted.

Confidential Data Not Safe On Solid State Disks

Comments Filter:
  • It's the only way to be sure.
    • by DigiShaman (671371) on Thursday February 17, 2011 @04:41PM (#35236592) Homepage

      Or in a microwave. That seems to destroy the gates on the chip. 10 seconds on High should be enough. Just be sure to only place the PCB and not the entire drive as they can contain lots metal.

      • by MachDelta (704883) on Thursday February 17, 2011 @04:59PM (#35236806)

        The most fun I ever had disposing of a HDD was when I worked as a mechanic. One of the POS systems was being replaced and the drive in it was going to be shredded. It was a slow day then, so I bugged our IT guy to let me have a crack at it. With an evil grin, I took it out to a workbench, stuffed it in a vice, and beat the piss out of the casing with a hammer. Once it was suitably mangled I started taking it apart with a prybar and screwdriver (gotta save those magnets!) until all I had left was the stack of platters. I took them to the 10 ton press in the back and squished it into a platter-pizza. Then I went to the corner and took the Oxyacetylene torch to that sum'bitch, entertaining myself by doodling molten penises and happy faces in it.

        Best day at work EVAR.

      • by perpenso (1613749)

        Or in a microwave. That seems to destroy the gates on the chip. 10 seconds on High should be enough. Just be sure to only place the PCB and not the entire drive as they can contain lots metal.

        And why can't an attacker just attach a good PCB from a different drive of the same make/model? Assuming of course that the attacker is targeting you specifically and is not just a dumpster diver / recycler who sees a drive and wonders if it works and what is on it. Just removing and breaking the PCB is fine for the later. Although it wouldn't hurt to repeatedly drop drives from 6ft onto concrete until they land flat and rattling noises begin to come from inside the drive.

    • by lxw56 (827351) on Thursday February 17, 2011 @04:41PM (#35236594)
      I challenge anyone to find my MicroSD card. I've conducted extensive security audits to verify that no attacker, even one with inside information, can gain electronic or physical access to the disc.
    • by rossdee (243626)

      That may be a little expensive, what about nuking it in a microwave oven?

  • by MetalliQaZ (539913) on Thursday February 17, 2011 @04:16PM (#35236198)

    1 electric drill, 1 work bench, and some bored interns.

  • Blend it... (Score:3, Funny)

    by Goffee71 (628501) on Thursday February 17, 2011 @04:17PM (#35236202) Homepage
    ... try reading anything from the ensuing dust.
  • How about (Score:5, Insightful)

    by Anrego (830717) * on Thursday February 17, 2011 @04:17PM (#35236204)

    Encrypting it?

    Is taking data off really an issue anyway. If it's confidential data, destroy the disk when you need to dispose of it. Not repurposing or re-selling hardware with sensitive information on it sounds like a no-brainer.

    • by initdeep (1073290) on Thursday February 17, 2011 @04:19PM (#35236248)

      STOP USING LOGIC ON /.

    • by timeOday (582209)
      I don't know why all vendors haven't adopted hardware full disk encryption [ibm.com]. This has become an absolute must in my opinion. And compared to software-based encryption, it works so well, and seamlessly - the bios asks for the passphrase at boot time, and after that it's transparent to the OS and doesn't degrade performance either. I would certainly appreciate some security researchers throwing their efforts into validating or debunking these.
      • by Guspaz (556486)

        SandForce SSD controllers encrypt all data as it hits the SSD. That does nothing to protect against plugging the drive into a computer and using it (a secure delete would handle that), but it *does* protect against people accessing the NAND chips directly. That and the fact that SandForce drives use compression/deduplication/other tricks and properly support secure erase would make it exceedingly difficult to recover data.

      • A problem with full-disk encryption is that it's hard to verify that it's really encrypted on the disk. You have to trust that the manufacturer didn't cut corners and just fake encryption, or botch implementation.
    • by camcorder (759720)
      What if you want to delete some portion of data, but still want to use the drive? If it's only one file that you need to get rid of, it doesn't sound like a brainer to destroy all the media, does it? Read the article, it's mostly about this kind of usage.
  • no reading anything after you smash it.
  • by Brett Buck (811747) on Thursday February 17, 2011 @04:17PM (#35236212)

    The solution is the same as hard drives in any secure system - use it, and when you are done, destroy it. Say you get 3 years out of an SSD, the cost of replacing it is trivial over the long haul. Nobody serious about security erases conventional platter HDs and hopes that's good enough.

    • Exactly. When we recycle computer gear (several tons a year), we wipe the drives first but then I go to the recycling/smelting facility and watch them shred the drives (we have an agreement with the vendor). Trust but verify.

      • "Trust but verify"? Verification results from the exact opposite of "trust" :p You're right to verify, but saying stuff like that sounds silly..

        • by causality (777677) on Thursday February 17, 2011 @04:35PM (#35236512)

          "Trust but verify"? Verification results from the exact opposite of "trust" :p You're right to verify, but saying stuff like that sounds silly..

          Verification is after-the-fact. Prior to that, the vendor could still do something dishonest like fail to deliver on its promises. You're trusting them not to do that as indicated by your willingness to do business with them in the first place. Verification is an attempt to check against not only dishonesty on their part but also well-intentioned mistakes that wouldn't strictly be issues of trustworthiness.

          It's sort of like when I deposit cash at a bank. If I tell them "this is 200 dollars, please put it into my account" they are going to count the money. I don't take that as an accusation that I am trying to deceive them, because it isn't. It's a standard practice because multiple pairs of eyes are more likely to catch both honest mistakes and deliberate deception. That's an example of "trust but verify".

          It's not really so silly and it's far less extreme than "I want to be involved in each step of the process so I can watch your every move". That would be distrust.

        • Trust should never be absolute.Trust is an analog scale, not a digital bit.

          Trust but verify is prudent behavior. This is why we pull ever Nth item off a production line, to test and verify that it is worthy of the trust we've placed in the process as a whole.

          • You should pull every $RANDOMth item off a production line because if your production process has a fault cycle that is a multiple of N items long you'd never catch it.
      • by Onuma (947856)
        Well said. Just like destroying COMSEC in the military -- you can have the two privates complete and sign the blocks for destruction, but the supervisor should always be verifying. After all, it is his ass if things turn up missing.
    • by Solandri (704621) on Thursday February 17, 2011 @04:28PM (#35236392)
      From what I've seen, it's not the end-of-life disposal of drives which leads to this type of data leak. It's when a drive dies under warranty and you send it to the manufacturer for a replacement. Since it's non-functional, you can't erase it. Since you need to return it without any signs of abuse for a warranty replacement, you can't destroy it.

      The manufacturer usually just fixes it, and sells it as a refurb / sends it out as a replacement drive for others which have failed under warranty. They just do a quick format, or sometimes even don't bother formatting, before sending the fixed drive out. Meaning the new recipient of your old drive has all your data.
      • If you are that concerned about the security of your data, then you either encrypt all of your data, in which case it probably doesn't matter what happens to the drive after you get rid of it; or you destroy the drive and suck up the cost of a new one (or you are a large customer, and have an agreement with the vendor which allows you to destroy the drive and get a replacement). Security, convenience, or low cost---pick one.
        • If you are that concerned about the security of your data, then you either encrypt all of your data, in which case it probably doesn't matter what happens to the drive after you get rid of it; or you destroy the drive and suck up the cost of a new one (or you are a large customer, and have an agreement with the vendor which allows you to destroy the drive and get a replacement). Security, convenience, or low cost---pick one.

          Exactly. Large companies generally have agreements to cover this. A lot of them
    • by jittles (1613415) on Thursday February 17, 2011 @04:31PM (#35236434)
      The lack of security of SSD's is not new! So unoriginal, in fact, that Truecrypt.org [truecrypt.org] doesn't even recommend that you encrypt an SSD drive!
      • by jp102235 (923963)
        Wait...what??? So they(SSD's) lack security, so truecryot reccomends AGAINST encryption? Shouldn't they brcrdccomending the opposite?
      • by Nadaka (224565)

        Truecrypt recommends you encrypt everything... twice. Even your grocery list.

  • Encryption (Score:3, Insightful)

    by Fackamato (913248) on Thursday February 17, 2011 @04:18PM (#35236224)

    It doesn't matter if you can get hold of ALL of the data, if it's encrypted you're fucked. Nothing to see here, move along.

    • by amiga3D (567632)

      What's secure encryption today may, a few years down the road, be trivial to break. Best to destroy the drive whether it be mechanical or digital. Most of the time a 3 year old drive is worth a fraction of what it cost new.

  • Solution: Don't copy any data to an SSD unless you're copying it into an encrypted volume.
  • I thought we'd already agreed that the only way to be really sure that your data is gone is to physically destroy the drive. If you've got data that's really so sensitive that someone's going to spend serious resources to extract it, the actual price of a drive is nothing. Smash it and call it good.
  • by gad_zuki! (70830) on Thursday February 17, 2011 @04:19PM (#35236246)

    I know OCZ has its own wipe utility and I believe intel too. Using wiping software designed for mechanical disks makes absolutely no sense and the results from this study are 100% predictable. Oh your Gutmann wipe pattern for circa1991 MFM drives doesn't wipe SSDs? You don't say! If you needed to securely wipe one, use the proper tool.

    That said, it would be nice if there was some standard way of doing this.

    • by mlts (1038732) *

      What would be nice is to have the ATA erase command standardized, so this can be easily done.

      Command gets handed to the drive controller, controller does the erasing the right way, where on a hard drive, it zeroes out sectors, even the ones on the bad sector relocation table, and sectors marked as bad. On a SSD, it zeroes out everything regardless of the status with regards to wear leveling.

      Even better would be having the drive controller encrypt all data, storing the key as a value in NVRAM. Then when it

    • by causality (777677) on Thursday February 17, 2011 @04:43PM (#35236634)

      Using wiping software designed for mechanical disks makes absolutely no sense and the results from this study are 100% predictable.

      If people were never surprised by predictable things the entire news industry would take a nosedive and be reduced to a shadow of its current self. It'd fuck up the economy!

  • It is a commonly known fact that the only way to ensure data is never retrieved from a physical disk whether spinning or SSD is to physically destroy the drive. All other methods short of that have flaws and some data can be retrieved.

    • You know, I've never understood this one. If you have written a zero to every sector on the hard drive, including the hidden space, how in the world is it possible to recover any data at all?

      • by Zironic (1112127) on Thursday February 17, 2011 @04:27PM (#35236386)

        It's because the bits in the harddrive aren't actually binary but rather values that are intepreted as 1 or 0. For instance a value of 0.6 would be interpreted as 1 and 0.4 would be 0.

        This means that if you look at the exact value rather then the interpretation you can make a guess at what values it has been before.

        • If you write out 0s to a disk, and the disk EVER read back a 1 because it was 0.6 then the disk has larger problems than what you're suggesting. You couldn't ever rely upon the bits stored. And by "ever" I mean EVER.

          The newer drives, if you wrote 0s out, the density of the data on the platter is so high that it is virtually impossible to recover any data. So writing out 0s is and should be acceptable for 99.99% of the drives. If you are that scared of what is on your drive, just put it into a Magnetic Pulse

          • by Chris Burke (6130)

            If you write out 0s to a disk, and the disk EVER read back a 1 because it was 0.6 then the disk has larger problems than what you're suggesting. You couldn't ever rely upon the bits stored. And by "ever" I mean EVER.

            Right, which is why that doesn't happen and isn't the technique used.

            The point is that just because the disk (correctly) interprets anything over the threshold as a 1, you can still infer additional information about previous writes based on the actual analog value. Remember, the disk is trying

        • by blueg3 (192743)

          This means that if you look at the exact value rather then the interpretation you can make a guess at what values it has been before.

          In theory, maybe. In practice, it's simply not possible. The conventional wisdom that you need to overwrite multiple times, or with patterns, or with random noise, or anything other than just a single pass of zeros is nothing but a myth.

      • by Rashkae (59673) on Thursday February 17, 2011 @04:31PM (#35236436) Homepage

        By scanning the surface of the platter with specialized equipment, it's possible to detect residual magnetization 'around' the area written by the drive head and determine where there used to be a bit. Actually using this technique to recover anything outside of a laboratory experiment (where the drive was only written to and erased with 0's once) is a myth, however. No one does this, not even CTU.

        • by TheCarp (96830)

          Even so, has it even been demonstrated in a lab environment on a disk manufactured in the past decade or so? I was under the impression (from other discussions) that the "area around" that which is written has become so small as to render this pretty much impossible.

          • by BetterSense (1398915) on Thursday February 17, 2011 @04:58PM (#35236800)
            It IS pretty much impossible, but that's not going to stop people from perpetuating the wive's tale for decades to come.

            I actually have seen Magnetic Force Microscopy used as a tech demo to image the bits on a floppy disk. I asked the process owner if it could be used to extract data, and he just rolled his eyes. He said that besides the issues with modern hard drives having bits that are orders of magnitude smaller both in size and in magnetization, it's just impractical to extract any data, which should be obvious since it takes like 10 minutes to image a handful of bits. A handful of bits that could mean anything, and be anywhere on the disk platter, and anywhere in the file system, and which could represent erased or scrambled or encypted data anyway. I think the idea that you could go beyond even that and divine what bits were written "UNDER" the current ones is just fantasy. I have heard rumors that NSA has made purchases of a large quantity of scanning probe microscopes for this purpose, but they could have just been buying some for testing...manufacturing volume for scanning probe microscopes is such that an order of a half-dozen of them would be an overwhelmingly large order.
          • It is impossible with know tech, but you can't be sure that some unknown tech will not exist at some point. Therefore it is still safer to destroy the disk.

      • by click2005 (921437) *

        I didn't RTFA but I'm guessing the wear levelling on SSDs messes up the 'every sector' part. Some sectors get wiped multiple
        times while others dont get touched. Writing all zeros is also bad as the magnetic fields from previous data can still be read
        (not easily but it is possible). Most modern secure wipes do multiple runs of all zeros, all ones and random data many times.

      • by gstoddart (321705) on Thursday February 17, 2011 @04:36PM (#35236530) Homepage

        You know, I've never understood this one. If you have written a zero to every sector on the hard drive, including the hidden space, how in the world is it possible to recover any data at all?

        Essentially, residual magnetism [wikipedia.org] and other sciency-bits.

        Suffice it to say, simply writing a bunch of zeros doesn't erase all traces of what was on. With old school HDs, you needed to write random data to each location multiple times -- there's a DoD spec for doing it (DoD 5220.22-M).

        I believe the article is saying that it doesn't seem to work with SSDs.

        • It is important to note the section on feasibility in that Wikipedia link... Peter Gutmann did the original (public sector) research on recovering overwritten data on MFM hard drives with very low byte densities (by today's standards). Peter revisited the subject [auckland.ac.nz] and found that a single overwrite pass, even if only zeroing out every bit, was sufficient to defeat the technique on "modern" drives (i.e. drives larger than 15GB and made in the past 5-7 years).
        • by Guspaz (556486)

          No, it wouldn't work, but only because SSDs are copy-on-write by nature, and have large amounts of spare space hidden from the OS. However, using an SSD's built-in secure erase functionality, which triggers an erase cycle on every single block of the SSD, would be sufficient; a flash cell with no electrons in the floating gate isn't going to reveal any secrets.

          It should be noted that the multiple rewrites thing is only require for "old school" HDDs. Modern magnetic HDs only need a single pass (as referenced

          • by gstoddart (321705)

            It should be noted that the multiple rewrites thing is only require for "old school" HDDs. Modern magnetic HDs only need a single pass (as referenced by the wikipedia article that you cite).

            Well, the DoD still seem to prefer more 'aggressive' techniques, and apparently don't agree with NIST on this (I believe this is what you were referencing):

            As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not

            • by Firethorn (177587)

              Well, the DoD still seem to prefer more 'aggressive' techniques, and apparently don't agree with NIST on this (I believe this is what you were referencing):

              1. We're paranoid
              2. We still have old discs laying around. 10GB? Hah! I've seen 40 MB units, still operational, within the last year.
              3. We want to be *SURE*, and the human factor is taken into account - we're willing to overkill on modern drives(and modern is relative), in order to make sure the older ones get wiped properly.

        • The great zero challenge was never accepted, so I'd say it's safe to say that spinning hard disk data can reliably erased. I've never seen it done, that's for sure.

          http://hardware.slashdot.org/story/08/09/06/189248/The-Great-Zero-Challenge-Remains-Unaccepted [slashdot.org]

      • You know, I've never understood this one. If you have written a zero to every sector on the hard drive, including the hidden space, how in the world is it possible to recover any data at all?

        Because digital is just a convenient abstraction for our analog reality. Here's a gross simplification. A bit is just a magnetic blob on a large plane of magnetic media. When a read/write head returns to a particular spot it does not return to exactly that same position, close but not exact. As the platter spins and it lays down a track of these magnetic blobs it may write the new track a little bit to the side of the old track. This partly motivates wiping software writing data seven or more times, it want

    • Wear leveling for flash....

      my 120GB OCZ disk has 128GB of space, 8 reserved for dead cells and for wear leveling.

      so write 120GB of data to the disk (fill it) remove a text file full of passwords, fill the disk.

      the result (if all cells have the same number of uses) would/could be that the SSD in the interest of wear leveling will take lower used cells from the reserve
      and leave the cells that I just erased unused.

      but heres the problem.

      1. all secure data should be, well, secure, encrypted or otherwise
      2. this m

  • excellent tool for neutering storage. build up a roaring fire with about 6 inches of coals, and then toss the hard disk into it. retrieve in morning, dump in trash. done.

    • excellent tool for neutering storage. build up a roaring fire with about 6 inches of coals, and then toss the hard disk into it. retrieve in morning, dump in trash. done.

      Don't be so sure [universetoday.com] of that.

      And now, data recovery experts announced they were able to salvage scientific data from a charred hard drive.

      Said hard drive deorbited on the Columbia.

      What NASA sent to Kroll Ontrack was almost unrecognizable as a hard drive. Jon Edwards, a senior clean room engineer at the company said that the circuit board on the drive was burned beyond recognition and that all its components had fallen off. Every piece of plastic on the 400 MB Seagate hard drive had melted, and the chips were burned.

      • by tragedy (27079)

        Sure, but the drive casing probably didn't break open. It would have been made of aluminum, most likely, which isn't the best heat sink, but is better than nothing. The heat it was exposed to was probably intense but brief. So, the platters inside the drive were probably only exposed to a small amount of heat for a short period of time. The overnight fire that the grandparent post referred to would be hundreds of times longer and probably hotter too.

      • but this was a 400mb radiation hardened disk with magnetic domains a few magnitudes bigger than modern 2TB disk

  • by WhiteDragon (4556) on Thursday February 17, 2011 @04:22PM (#35236310) Homepage Journal

    Thermite will fix everything! [s/fix/destroy] :-)

  • truecrypt (Score:5, Insightful)

    by SharpFang (651121) on Thursday February 17, 2011 @04:25PM (#35236344) Homepage Journal
    encrypt the data before writing. at no point in its existence will it appear anything but white noise to unauthorized parties.
    • by pentalive (449155)
      The "unauthorized parties" will use a $5.00 wrench to beat you until you tell them the password or as in the case of Great Britain, throw you in jail until you remember it.
  • I guess what concerns me the most about SSDs is data recovery. Is that any harder on SSDs than regular disks? Or is data recovery a moot point since there are no moving parts?
    • by dgatwood (11270)

      Well, it's a wash, based on the last stats I read. (I forget where I read the article.) With SSDs, you have no moving parts, which makes them much, much more reliable in portable devices (laptops, iPods, and so on). However, you have many more solder joints to crack, so you have a much greater chance of a thermally-induced failure than you would with a hard drive.

      The real advantage of SSDs as far as data recovery goes is that you don't need a clean room to work on them. The majority of failures in elect

    • I guess what concerns me the most about SSDs is data recovery. Is that any harder on SSDs than regular disks? Or is data recovery a moot point since there are no moving parts?

      That's the other side of the data security coin, isn't it? Getting it back after some "unfortunate incident". Wei and Grupp seem to suggest that it's easier, at least how I read it. And it sounds like they're just hacking around the control logic: "we have designed a procedure to bypass the flash translation layer (FTL) on SSDs and directly access the raw NAND flash chips". Whether or not they mean "ICs" when they say "chips", I dunno. Kinda makes a big difference if you've got to saw, pry or etch off the p

  • by crow (16139) on Thursday February 17, 2011 @04:32PM (#35236454) Homepage Journal

    You can't do a secure erase from software, because data may still exist in blocks that were remapped by the firmware due to errors or for write leveling. When you write to an SSD, the new data goes in a free block, and the old block is marked free. To do a real secure erase, you have to work with the SSD firmware, and even then, you can't be sure if data may still exist on bad blocks that can't be written to.

    So the only way to be sure is to physically destroy it, and flash is reliable enough that it's difficult to be certain that you've truly destroyed it.

    So as everyone else is saying, the only good solution is to encrypt everything, and don't store the keys in flash.

  • A couple whacks with a hammer still works great. Remove the circuit board from the case, give each chip a little love tap with a ball peen hammer. Problem solved without waiting hours for the thing to "secure erase".

    Concerned about losing resale value? Security costs money, period. If you want real security, sometimes you have to take some financial responsibility and accept the loss of resale value in exchange for real security. Price of doing business.

    • by Guspaz (556486)

      SSD secure erases are almost instant. The SSD might not be able to write to every cell simultaneously, but it *can* erase them all at the same time.

  • For once I've read the paper :-)

    But I could not find a description of the technique utilized to recover the files.

    They say that an "advanced hacker" will be able to recover the files, but I'd like to know how.

  • Summary (Score:5, Informative)

    by Orgasmatron (8103) on Thursday February 17, 2011 @04:42PM (#35236620)

    Block storage devices have more capacity than they report. Magnetic disks keep a small reserve of unallocated blocks as a hedge against blocks that fail in use. SSDs keep a much larger reserve because they can only erase in increments that are relatively large compared to their block size.

    If you overwrite a sector on a magnetic disk, you will almost always destroy all traces of the old data. The exception is when the drive thinks the old sector has failed or is about to fail, in which case you get an entirely new sector, and your old data is still (possibly) on the old sector. Attacks using magnetic force microscopes to read data from track fringes were possible a decade ago, but there is no reason to think it is possible on a modern drive.

    If you overwrite a sector on a SSD, the SSD gives you a whole new block from a list of free blocks, and adds the address of the old block to the list of deleted blocks. Blocks are moved from the deleted list to the free list when the SSD has some free time, or when one is really needed. There is currently no mechanism to force the SSD to actually erase a sector.

    This is all known, and there are mechanisms built into the specs to provide a secure erase. What their research is showing, however, is that these mechanisms don't always work. A number of them are buggy, and at least one just plain lies, claiming to have done the secure erase, but actually just doing the normal pointer update trick just like any other write.

  • This sounds like a good thing to me. Better chances of getting data back from failed hardware. Or getting data from a device that a numbskull disgruntled employee thinks they've intentionally ruined.

    If you actually WANT to destroy the data, others here have mentioned the proper methods. I like to rely on the .45 at high velocity, but open flames work well too.

  • I find 165 gains going about 3000 fps is a very effective data destruction device. It is also a great way to relieve stress.

A bug in the code is worth two in the documentation.

Working...