Confidential Data Not Safe On Solid State Disks 376
An anonymous reader writes "I always thought that the SSD was a questionable place to store private data. These researchers at UCSD's Non-Volatile Systems Laboratory have torn apart SSDs and have found remnant data even after running several open source and commerical secure erase tools. They've also proposed some changes to SSDs that would make them more secure. Makes you think twice about storing data on SSDs — once you put it on, getting it off isn't so easy."
Nuke it from orbit (Score:2, Funny)
Comment removed (Score:4, Funny)
Re:Nuke it from orbit (Score:4, Interesting)
The most fun I ever had disposing of a HDD was when I worked as a mechanic. One of the POS systems was being replaced and the drive in it was going to be shredded. It was a slow day then, so I bugged our IT guy to let me have a crack at it. With an evil grin, I took it out to a workbench, stuffed it in a vice, and beat the piss out of the casing with a hammer. Once it was suitably mangled I started taking it apart with a prybar and screwdriver (gotta save those magnets!) until all I had left was the stack of platters. I took them to the 10 ton press in the back and squished it into a platter-pizza. Then I went to the corner and took the Oxyacetylene torch to that sum'bitch, entertaining myself by doodling molten penises and happy faces in it.
Best day at work EVAR.
Re:Nuke it from orbit (Score:5, Funny)
Re: (Score:2)
Or in a microwave. That seems to destroy the gates on the chip. 10 seconds on High should be enough. Just be sure to only place the PCB and not the entire drive as they can contain lots metal.
And why can't an attacker just attach a good PCB from a different drive of the same make/model? Assuming of course that the attacker is targeting you specifically and is not just a dumpster diver / recycler who sees a drive and wonders if it works and what is on it. Just removing and breaking the PCB is fine for the later. Although it wouldn't hurt to repeatedly drop drives from 6ft onto concrete until they land flat and rattling noises begin to come from inside the drive.
Re:Nuke it from orbit (Score:4, Informative)
And what good is that?
Again, this is a SSD, not a hard disk. The PCB contains both the interface and the data storage parts. If you microwave that, you've destroyed everything that was important. It's no use to unsolder anything, the flash chips themselves are destroyed by microwaving.
The part you would skip on microwaving is the metal casing, which contains no data.
I think I'm safe (Score:5, Funny)
Re:I think I'm safe (Score:5, Funny)
I challenge anyone to find my MicroSD card. I've conducted extensive security audits to verify that no attacker, even one with inside information, can gain electronic or physical access to the disc.
Translation: "I lost the tiny little bastard and can't fucking find it!"
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Careful what you wish for...
http://science.slashdot.org/story/11/02/17/1828232/Sysbrain-Lets-Satellites-Think-For-Themselves [slashdot.org]
Re: (Score:2)
That may be a little expensive, what about nuking it in a microwave oven?
Re:Nuke it from orbit (Score:5, Insightful)
TrueCrypt volume inside a TrueCrypt volume
You, dawg, I heard you liked TrueCrypt.
The headline should just read "Confidential data not safe on unencrypted disk". Modern hard drives also arean't as easy to 100% delete as one might think - once a sector gets "spared out" there's no easy way to delete it, and there will still be readible data there. That just happens a lot less frequently than SSD load/wear balancing.
Of course, any media can be adequetly destroyed by shredding - if you really care, this isn't a problem to solve with software.
Re: (Score:3)
The headline should just read "Confidential data not safe on unencrypted disk"
The headline should just read "Confidential data not safe"
My secure erase method still works! (Score:4, Funny)
1 electric drill, 1 work bench, and some bored interns.
Re: (Score:2)
Actually, for an SSD, I'd suggest incineration as a secure wipe method.
Re:My secure erase method still works! (Score:4, Funny)
And here I thought you were going to bore holes in the SSDs. Boring holes in the interns is just cruel.
Blend it... (Score:3, Funny)
you mean reading the entrails? (Score:4, Funny)
You couldn't possibly seriously mean we should start reading the entrails? That is soo medieval.
Re: (Score:2)
Re: (Score:2)
I am absolutely certain that it will blend. If an iphone, ipad, skiis, and a high grade camera suite will blend, I'd be thoroughly surprised if an SSD couldn't. I'm still looking for something they blended with a metal case, though.
http://www.willitblend.com/videos.aspx?type=unsafe [willitblend.com]
How about (Score:5, Insightful)
Encrypting it?
Is taking data off really an issue anyway. If it's confidential data, destroy the disk when you need to dispose of it. Not repurposing or re-selling hardware with sensitive information on it sounds like a no-brainer.
Re:How about (Score:5, Funny)
STOP USING LOGIC ON /.
Re: (Score:2)
Re: (Score:3)
SandForce SSD controllers encrypt all data as it hits the SSD. That does nothing to protect against plugging the drive into a computer and using it (a secure delete would handle that), but it *does* protect against people accessing the NAND chips directly. That and the fact that SandForce drives use compression/deduplication/other tricks and properly support secure erase would make it exceedingly difficult to recover data.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
if you really that concerned use a hammer (Score:2)
Treat it like any other secure system (Score:3)
The solution is the same as hard drives in any secure system - use it, and when you are done, destroy it. Say you get 3 years out of an SSD, the cost of replacing it is trivial over the long haul. Nobody serious about security erases conventional platter HDs and hopes that's good enough.
Re: (Score:2)
Exactly. When we recycle computer gear (several tons a year), we wipe the drives first but then I go to the recycling/smelting facility and watch them shred the drives (we have an agreement with the vendor). Trust but verify.
Re: (Score:3)
"Trust but verify"? Verification results from the exact opposite of "trust" :p You're right to verify, but saying stuff like that sounds silly..
Re:Treat it like any other secure system (Score:4, Insightful)
"Trust but verify"? Verification results from the exact opposite of "trust" :p You're right to verify, but saying stuff like that sounds silly..
Verification is after-the-fact. Prior to that, the vendor could still do something dishonest like fail to deliver on its promises. You're trusting them not to do that as indicated by your willingness to do business with them in the first place. Verification is an attempt to check against not only dishonesty on their part but also well-intentioned mistakes that wouldn't strictly be issues of trustworthiness.
It's sort of like when I deposit cash at a bank. If I tell them "this is 200 dollars, please put it into my account" they are going to count the money. I don't take that as an accusation that I am trying to deceive them, because it isn't. It's a standard practice because multiple pairs of eyes are more likely to catch both honest mistakes and deliberate deception. That's an example of "trust but verify".
It's not really so silly and it's far less extreme than "I want to be involved in each step of the process so I can watch your every move". That would be distrust.
Re: (Score:2)
Trust should never be absolute.Trust is an analog scale, not a digital bit.
Trust but verify is prudent behavior. This is why we pull ever Nth item off a production line, to test and verify that it is worthy of the trust we've placed in the process as a whole.
Re: (Score:3)
Re: (Score:2)
Re:Treat it like any other secure system (Score:5, Insightful)
The manufacturer usually just fixes it, and sells it as a refurb / sends it out as a replacement drive for others which have failed under warranty. They just do a quick format, or sometimes even don't bother formatting, before sending the fixed drive out. Meaning the new recipient of your old drive has all your data.
Re: (Score:3)
Re: (Score:3)
Exactly. Large companies generally have agreements to cover this. A lot of them
Re:Treat it like any other secure system (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Truecrypt recommends you encrypt everything... twice. Even your grocery list.
Re: (Score:3)
For easy of use, be sure to encrypt everything twice with ROT13
Encryption (Score:3, Insightful)
It doesn't matter if you can get hold of ALL of the data, if it's encrypted you're fucked. Nothing to see here, move along.
Re: (Score:2)
What's secure encryption today may, a few years down the road, be trivial to break. Best to destroy the drive whether it be mechanical or digital. Most of the time a 3 year old drive is worth a fraction of what it cost new.
Encrypt the data (Score:2)
for the truly paranoid (Score:2)
wipes are vendor specific (Score:5, Informative)
I know OCZ has its own wipe utility and I believe intel too. Using wiping software designed for mechanical disks makes absolutely no sense and the results from this study are 100% predictable. Oh your Gutmann wipe pattern for circa1991 MFM drives doesn't wipe SSDs? You don't say! If you needed to securely wipe one, use the proper tool.
That said, it would be nice if there was some standard way of doing this.
Re: (Score:3)
What would be nice is to have the ATA erase command standardized, so this can be easily done.
Command gets handed to the drive controller, controller does the erasing the right way, where on a hard drive, it zeroes out sectors, even the ones on the bad sector relocation table, and sectors marked as bad. On a SSD, it zeroes out everything regardless of the status with regards to wear leveling.
Even better would be having the drive controller encrypt all data, storing the key as a value in NVRAM. Then when it
Re: (Score:2)
The problem is that the ATA commands are there, except there are no utilities available or maintained today that can use them. There used to be a tool called HDDErase, but it requires MS-DOS and a floppy drive for use.
Re: (Score:3)
That was their question, too, and they address it in the paper.
Re:wipes are vendor specific (Score:4, Funny)
If people were never surprised by predictable things the entire news industry would take a nosedive and be reduced to a shadow of its current self. It'd fuck up the economy!
How is that different than spinning disks? (Score:2)
It is a commonly known fact that the only way to ensure data is never retrieved from a physical disk whether spinning or SSD is to physically destroy the drive. All other methods short of that have flaws and some data can be retrieved.
Re: (Score:2)
You know, I've never understood this one. If you have written a zero to every sector on the hard drive, including the hidden space, how in the world is it possible to recover any data at all?
Re:How is that different than spinning disks? (Score:4, Informative)
It's because the bits in the harddrive aren't actually binary but rather values that are intepreted as 1 or 0. For instance a value of 0.6 would be interpreted as 1 and 0.4 would be 0.
This means that if you look at the exact value rather then the interpretation you can make a guess at what values it has been before.
Re: (Score:2)
If you write out 0s to a disk, and the disk EVER read back a 1 because it was 0.6 then the disk has larger problems than what you're suggesting. You couldn't ever rely upon the bits stored. And by "ever" I mean EVER.
The newer drives, if you wrote 0s out, the density of the data on the platter is so high that it is virtually impossible to recover any data. So writing out 0s is and should be acceptable for 99.99% of the drives. If you are that scared of what is on your drive, just put it into a Magnetic Pulse
Re: (Score:2)
If you write out 0s to a disk, and the disk EVER read back a 1 because it was 0.6 then the disk has larger problems than what you're suggesting. You couldn't ever rely upon the bits stored. And by "ever" I mean EVER.
Right, which is why that doesn't happen and isn't the technique used.
The point is that just because the disk (correctly) interprets anything over the threshold as a 1, you can still infer additional information about previous writes based on the actual analog value. Remember, the disk is trying
Re: (Score:3)
This means that if you look at the exact value rather then the interpretation you can make a guess at what values it has been before.
In theory, maybe. In practice, it's simply not possible. The conventional wisdom that you need to overwrite multiple times, or with patterns, or with random noise, or anything other than just a single pass of zeros is nothing but a myth.
Re:How is that different than spinning disks? (Score:4, Informative)
By scanning the surface of the platter with specialized equipment, it's possible to detect residual magnetization 'around' the area written by the drive head and determine where there used to be a bit. Actually using this technique to recover anything outside of a laboratory experiment (where the drive was only written to and erased with 0's once) is a myth, however. No one does this, not even CTU.
Re: (Score:2)
Even so, has it even been demonstrated in a lab environment on a disk manufactured in the past decade or so? I was under the impression (from other discussions) that the "area around" that which is written has become so small as to render this pretty much impossible.
Re:How is that different than spinning disks? (Score:5, Informative)
I actually have seen Magnetic Force Microscopy used as a tech demo to image the bits on a floppy disk. I asked the process owner if it could be used to extract data, and he just rolled his eyes. He said that besides the issues with modern hard drives having bits that are orders of magnitude smaller both in size and in magnetization, it's just impractical to extract any data, which should be obvious since it takes like 10 minutes to image a handful of bits. A handful of bits that could mean anything, and be anywhere on the disk platter, and anywhere in the file system, and which could represent erased or scrambled or encypted data anyway. I think the idea that you could go beyond even that and divine what bits were written "UNDER" the current ones is just fantasy. I have heard rumors that NSA has made purchases of a large quantity of scanning probe microscopes for this purpose, but they could have just been buying some for testing...manufacturing volume for scanning probe microscopes is such that an order of a half-dozen of them would be an overwhelmingly large order.
Re: (Score:3)
As someone else who's played around with magnetic force microscopes, recovering data off of a disk would be extremely time consuming. As the parent mentioned, you're talking several minutes to capture an image that's maybe 100 square micrometers (10x10 um). A floppy disk has several million square micrometers of surface area to image per side - you're literally talking centuries to read a disk this way.
The other problem is resolution. I haven't seen a microscope yet that can see the bits on a modern hard
Re: (Score:2)
It is impossible with know tech, but you can't be sure that some unknown tech will not exist at some point. Therefore it is still safer to destroy the disk.
Re: (Score:2)
I didn't RTFA but I'm guessing the wear levelling on SSDs messes up the 'every sector' part. Some sectors get wiped multiple
times while others dont get touched. Writing all zeros is also bad as the magnetic fields from previous data can still be read
(not easily but it is possible). Most modern secure wipes do multiple runs of all zeros, all ones and random data many times.
Re:How is that different than spinning disks? (Score:4, Informative)
Essentially, residual magnetism [wikipedia.org] and other sciency-bits.
Suffice it to say, simply writing a bunch of zeros doesn't erase all traces of what was on. With old school HDs, you needed to write random data to each location multiple times -- there's a DoD spec for doing it (DoD 5220.22-M).
I believe the article is saying that it doesn't seem to work with SSDs.
Re: (Score:3)
Re: (Score:2)
No, it wouldn't work, but only because SSDs are copy-on-write by nature, and have large amounts of spare space hidden from the OS. However, using an SSD's built-in secure erase functionality, which triggers an erase cycle on every single block of the SSD, would be sufficient; a flash cell with no electrons in the floating gate isn't going to reveal any secrets.
It should be noted that the multiple rewrites thing is only require for "old school" HDDs. Modern magnetic HDs only need a single pass (as referenced
Re: (Score:2)
Well, the DoD still seem to prefer more 'aggressive' techniques, and apparently don't agree with NIST on this (I believe this is what you were referencing):
Re: (Score:3)
Well, the DoD still seem to prefer more 'aggressive' techniques, and apparently don't agree with NIST on this (I believe this is what you were referencing):
1. We're paranoid
2. We still have old discs laying around. 10GB? Hah! I've seen 40 MB units, still operational, within the last year.
3. We want to be *SURE*, and the human factor is taken into account - we're willing to overkill on modern drives(and modern is relative), in order to make sure the older ones get wiped properly.
"Multiple times" is an exaggeration (Score:2)
The great zero challenge was never accepted, so I'd say it's safe to say that spinning hard disk data can reliably erased. I've never seen it done, that's for sure.
http://hardware.slashdot.org/story/08/09/06/189248/The-Great-Zero-Challenge-Remains-Unaccepted [slashdot.org]
Amended platter removal terms (Score:3)
They later amended the platter removal terms with the following text, but still nobody accepted it.
Because things are really analog not digital ... (Score:2)
You know, I've never understood this one. If you have written a zero to every sector on the hard drive, including the hidden space, how in the world is it possible to recover any data at all?
Because digital is just a convenient abstraction for our analog reality. Here's a gross simplification. A bit is just a magnetic blob on a large plane of magnetic media. When a read/write head returns to a particular spot it does not return to exactly that same position, close but not exact. As the platter spins and it lays down a track of these magnetic blobs it may write the new track a little bit to the side of the old track. This partly motivates wiping software writing data seven or more times, it want
Re: (Score:2)
Wear leveling for flash....
my 120GB OCZ disk has 128GB of space, 8 reserved for dead cells and for wear leveling.
so write 120GB of data to the disk (fill it) remove a text file full of passwords, fill the disk.
the result (if all cells have the same number of uses) would/could be that the SSD in the interest of wear leveling will take lower used cells from the reserve
and leave the cells that I just erased unused.
but heres the problem.
1. all secure data should be, well, secure, encrypted or otherwise
2. this m
what, you don't have a firepit? (Score:2)
excellent tool for neutering storage. build up a roaring fire with about 6 inches of coals, and then toss the hard disk into it. retrieve in morning, dump in trash. done.
Re: (Score:2)
excellent tool for neutering storage. build up a roaring fire with about 6 inches of coals, and then toss the hard disk into it. retrieve in morning, dump in trash. done.
Don't be so sure [universetoday.com] of that.
And now, data recovery experts announced they were able to salvage scientific data from a charred hard drive.
Said hard drive deorbited on the Columbia.
What NASA sent to Kroll Ontrack was almost unrecognizable as a hard drive. Jon Edwards, a senior clean room engineer at the company said that the circuit board on the drive was burned beyond recognition and that all its components had fallen off. Every piece of plastic on the 400 MB Seagate hard drive had melted, and the chips were burned.
Re: (Score:3)
Sure, but the drive casing probably didn't break open. It would have been made of aluminum, most likely, which isn't the best heat sink, but is better than nothing. The heat it was exposed to was probably intense but brief. So, the platters inside the drive were probably only exposed to a small amount of heat for a short period of time. The overnight fire that the grandparent post referred to would be hundreds of times longer and probably hotter too.
Re: (Score:2)
but this was a 400mb radiation hardened disk with magnetic domains a few magnitudes bigger than modern 2TB disk
thermite will fix that (Score:5, Insightful)
Thermite will fix everything! [s/fix/destroy] :-)
thermite meh (Score:2)
I prefer a mixture of magnesium dust and gunpowder; but to each their own.
truecrypt (Score:5, Insightful)
Re: (Score:2)
Data recovery (Score:2)
Re: (Score:2)
Well, it's a wash, based on the last stats I read. (I forget where I read the article.) With SSDs, you have no moving parts, which makes them much, much more reliable in portable devices (laptops, iPods, and so on). However, you have many more solder joints to crack, so you have a much greater chance of a thermally-induced failure than you would with a hard drive.
The real advantage of SSDs as far as data recovery goes is that you don't need a clean room to work on them. The majority of failures in elect
Re: (Score:2)
I guess what concerns me the most about SSDs is data recovery. Is that any harder on SSDs than regular disks? Or is data recovery a moot point since there are no moving parts?
That's the other side of the data security coin, isn't it? Getting it back after some "unfortunate incident". Wei and Grupp seem to suggest that it's easier, at least how I read it. And it sounds like they're just hacking around the control logic: "we have designed a procedure to bypass the flash translation layer (FTL) on SSDs and directly access the raw NAND flash chips". Whether or not they mean "ICs" when they say "chips", I dunno. Kinda makes a big difference if you've got to saw, pry or etch off the p
It is difficult (Score:3)
You can't do a secure erase from software, because data may still exist in blocks that were remapped by the firmware due to errors or for write leveling. When you write to an SSD, the new data goes in a free block, and the old block is marked free. To do a real secure erase, you have to work with the SSD firmware, and even then, you can't be sure if data may still exist on bad blocks that can't be written to.
So the only way to be sure is to physically destroy it, and flash is reliable enough that it's difficult to be certain that you've truly destroyed it.
So as everyone else is saying, the only good solution is to encrypt everything, and don't store the keys in flash.
Secure erase option (Score:2)
A couple whacks with a hammer still works great. Remove the circuit board from the case, give each chip a little love tap with a ball peen hammer. Problem solved without waiting hours for the thing to "secure erase".
Concerned about losing resale value? Security costs money, period. If you want real security, sometimes you have to take some financial responsibility and accept the loss of resale value in exchange for real security. Price of doing business.
Re: (Score:2)
SSD secure erases are almost instant. The SSD might not be able to write to every cell simultaneously, but it *can* erase them all at the same time.
Technique for recovery (Score:2)
For once I've read the paper :-)
But I could not find a description of the technique utilized to recover the files.
They say that an "advanced hacker" will be able to recover the files, but I'd like to know how.
Re: (Score:2)
Presumably dump the contents of each individual chip.
Summary (Score:5, Informative)
Block storage devices have more capacity than they report. Magnetic disks keep a small reserve of unallocated blocks as a hedge against blocks that fail in use. SSDs keep a much larger reserve because they can only erase in increments that are relatively large compared to their block size.
If you overwrite a sector on a magnetic disk, you will almost always destroy all traces of the old data. The exception is when the drive thinks the old sector has failed or is about to fail, in which case you get an entirely new sector, and your old data is still (possibly) on the old sector. Attacks using magnetic force microscopes to read data from track fringes were possible a decade ago, but there is no reason to think it is possible on a modern drive.
If you overwrite a sector on a SSD, the SSD gives you a whole new block from a list of free blocks, and adds the address of the old block to the list of deleted blocks. Blocks are moved from the deleted list to the free list when the SSD has some free time, or when one is really needed. There is currently no mechanism to force the SSD to actually erase a sector.
This is all known, and there are mechanisms built into the specs to provide a secure erase. What their research is showing, however, is that these mechanisms don't always work. A number of them are buggy, and at least one just plain lies, claiming to have done the secure erase, but actually just doing the normal pointer update trick just like any other write.
Good thing? (Score:2)
This sounds like a good thing to me. Better chances of getting data back from failed hardware. Or getting data from a device that a numbskull disgruntled employee thinks they've intentionally ruined.
If you actually WANT to destroy the data, others here have mentioned the proper methods. I like to rely on the .45 at high velocity, but open flames work well too.
Just use a more powerful data descrution device. (Score:2)
I find 165 gains going about 3000 fps is a very effective data destruction device. It is also a great way to relieve stress.
Re:dd (Score:4, Informative)
According to RTFA they can recover almost 100% of the data from a 0'd HD, 90% of the data from a randomed HD and 1-10% from a HD that has run extremely extensive random HD passes (Like Gutmann)
This is due to SDD's working differently then the standard HD's.
Re: (Score:3)
No, that's only for attempting to perform a secure erase of a single file. The results for trying to secure-erase single files are so bad (and since there is no ATA command to securely erase only particular blocks on a drive) that it is unsafe to write data to an SSD and then hope to reliably remove that data from the drive without zeroing the entire drive.
If you'll RTFA carefully, though, you'll note that for all but one drive they tested, zeroing the entire drive was reliable. One drive had about 1% of th
Re: (Score:2)
If you use the proper erase methods (solid state or other) then it doesn't matter. If you need to destroy the data simply put it on a cookie sheet and put it in the over on broil for 30 minutes.
Wifey hates the smell of burning plastic in the oven. Don't ask me how I know this.
Re: (Score:3)
Re: (Score:2)
I don't know about any of you and I'd like to keep it that way...
Re: (Score:2)
Someone once told me that I should use RSA encryption because it was developed by the NSA. I thought to myself "why would the NSA produce and give away an encryption algorithm they can't break". I concluded that they wouldn't. So yeah, probably not secure.
Re: (Score:2)
Because they use it too? Because they would rather no one have the info than everyone?
The NSA does both securing and attacking.
Re: (Score:2)
The problem is that doesn't work due to wear leveling. The virtual area you're overwriting isn't necessarily the same physical area that holds the data you want gone. Even wiping the entire thing doesn't do it, thanks to spare blocks.