Flash drives dangerously hard to purge of sensitive data

In research that has important findings for banks, businesses and security buffs everywhere, scientists have found that computer files stored on solid state drives are sometimes impossible to delete using traditional disk-erasure techniques. Even when the next-generation storage devices show that files have been deleted, as …

COMMENTS

This topic is closed for new posts.
  1. Flocke Kroes Silver badge

    TRIM command a better choice than overwriting

    If you overwrite a piece of data on an SSD, the wear levelling algorithm will write the data to a block that is not full, and record that the original data is cruft to be forgotten when the block it is stored on gets moved to create free space by the garbage collector. Overwriting multiple times and overwriting the entire disk adds lots of extra wear and will eventually activate the garbage collector. The garbage collector creates a lot of internal activity within the SSD, so there will be less performance available to the host computer.

    One trim command will mark the data as cruft, and leaving the drive powered up and idle will activate the garbage collector. This method will make more space available to the wear levelling algorithm so it will be able to make better choices to prolong the life of the SSD.

    If you are concerned that the police will bang on your door, and you will have to wipe an entire SSD full of incriminating data in a hurry, check the manufacturer's web site for a tool that will re-flash the firmware. The chances are the instructions will say something like: 'Back up and test that you can restore your data before you use this tool because it will erase every block in the SSD.'
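A toy model of the behaviour this post describes (an added example, not code from the article or the poster): a simulated flash translation layer with over-provisioning and wear levelling, showing that a host-side overwrite leaves the old copy in the cells, that TRIM plus idle garbage collection removes it, and how many original secrets survive one or two overwrites of the whole visible address space. All sizes and data are constructed.

```python
"""Toy flash translation layer (FTL) for the wear-levelling behaviour above.
Added example, not code from the article or any poster. Constructed model: more
physical pages than host-visible sectors (over-provisioning), each write goes to
the least-worn free page, stale copies are only erased by garbage collection,
and TRIM merely marks a sector's page as stale."""
LOGICAL = 8       # sectors the host can address (constructed)
PHYSICAL = 12     # pages actually present on the flash (constructed)


class ToySSD:
    def __init__(self):
        self.cells = [None] * PHYSICAL   # raw contents, as a chip reader sees them
        self.valid = [False] * PHYSICAL  # FTL "live copy" flag
        self.wear = [0] * PHYSICAL       # program count per page
        self.l2p = {}                    # logical sector -> physical page

    def garbage_collect(self):
        """Erase every stale page (a real drive does this lazily, when idle)."""
        for p in range(PHYSICAL):
            if not self.valid[p]:
                self.cells[p] = None

    def _least_worn_free_page(self):
        free = [p for p in range(PHYSICAL) if self.cells[p] is None]
        if not free:                     # out of free pages: reclaim stale ones
            self.garbage_collect()
            free = [p for p in range(PHYSICAL) if self.cells[p] is None]
        return min(free, key=lambda p: self.wear[p])   # wear levelling

    def write(self, sector, data):
        """Host overwrite: the old copy is unmapped, NOT erased."""
        page = self._least_worn_free_page()
        old = self.l2p.get(sector)
        if old is not None:
            self.valid[old] = False
        self.cells[page] = data
        self.valid[page] = True
        self.wear[page] += 1
        self.l2p[sector] = page

    def trim(self, sector):
        """TRIM: tell the FTL the sector is unused; its page becomes stale."""
        old = self.l2p.pop(sector, None)
        if old is not None:
            self.valid[old] = False

    def remnants(self, needle):
        """Forensic view: pages still holding `needle`, mapped or not."""
        return [p for p in range(PHYSICAL) if self.cells[p] == needle]


def demo_single_file():
    """Overwriting one sector leaves the secret; TRIM plus idle GC removes it."""
    ssd = ToySSD()
    ssd.write(3, "SECRET")
    ssd.write(3, "XXXXXX")                  # overwrite in place, from the host's view
    after_overwrite = len(ssd.remnants("SECRET"))
    ssd.trim(3)
    ssd.garbage_collect()                   # drive left powered up and idle
    return after_overwrite, len(ssd.remnants("SECRET"))   # (1, 0)


def demo_full_overwrite(passes):
    """Fill the visible space, overwrite it `passes` times, count surviving secrets."""
    ssd = ToySSD()
    for s in range(LOGICAL):
        ssd.write(s, f"secret{s}")
    for _ in range(passes):
        for s in range(LOGICAL):
            ssd.write(s, "0000000")
    return sum(len(ssd.remnants(f"secret{s}")) for s in range(LOGICAL))
```

With these constructed sizes one full pass leaves four secrets in stale pages and a second pass clears them; a real FTL with block-level erase and cold-block policies need not be so tidy.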

  2. Robert A. Rosenberg
    Grenade

    How About Erase Free Space?

    One thing that I do not note being mentioned in the article is doing an Erase Free Space (i.e. overwriting the blocks that are not shown in the Directory as containing files). Will that target the physical blocks that contain the old data? How about writing one large file (until there is no more Free Space) with the random data that normally gets written for a secure erase. Since I am ONLY writing to Free Space when I write the large file I should hit a new physical block each time (unlike the erase free space which MIGHT map the same physical block more than once as the backing for the logical blocks while not affecting other physical blocks).

    1. Tom 13

      OK, I get that you are too lazy to read the article,

      but aren't you at least reading the posts here? The issue is the redundancy the drive makers build into the SSD drives to ensure your 1T drive still has 1T of memory cells 10 years from now. With at least 4 times the data space as the "native" capacity and a controller in the SSD controlling which memory pieces are overwritten, there's no way for a software program to guarantee the data has been overwritten.

  3. Anonymous Coward
    FAIL

    Nothing new here, move along.

    I hate it when academics "discover" something commonly known in the industry. The issue is that the wear leveling algorithms that make it so that NAND cells which can only be written to maybe 100,000 times before they die, don't render a flash drive useless in a day or two as the FAT can easily be written to that number of times in days. And those wear leveling algorithms mean that while logically it appears you are overwriting a file, you physically are not.

    As EVERYONE in the flash business has known from the get-go, the only way to "wipe" a flash drive is to fill the entire drive up with random data until it is entirely full. That is the only way to ensure that all blocks were physically overwritten.

    1. GrumpyJoe
      Thumb Down

      RTFA

      It is already covered in the article, overwriting the data STILL leaves data to be retrieved.

      Am I the *only* one reading AND comprehending the articles here?

      1. adamsh
        Thumb Up

        No --- you are not alone! We proved it a year ago!

        Have a look at http://forums.theregister.co.uk/post/992361.

        Regards, HA

  4. Doug Glass
    Go

    Three Solutions

    Hammer, hammer, hammer.

    1. sT0rNG b4R3 duRiD

      Yet to try it, but...

      microwave.

      Probably a little more impressive (and possibly unhealthy for the oven).

      1. Jimbo 6

        Why not...

        ...get it ejected from the International Space Station's airlock. Should burn up nicely in the atmosphere.

        What d'ya mean, 'expensive' ?

  5. Anonymous Coward
    Anonymous Coward

    IronKey

    I use IronKey devices (ironkey.com), the best secure implementation I have ever encountered, for data which has any value.

  6. Yet Another Anonymous coward Silver badge

    @IronKey

    How do you know? Did they give you the source code? Can you compile it yourself and download it into the device?

    There was a story on here about a big name tape company that promised 256bit AES encryption on their tape drives - turns out they simply AES encrypt the password and then XORed the 256bit result with the data!

  7. C 2
    Go

    Plasma torches work well too..

    With one of these babies you can dice a hard drive if you fancy. I know someone with a CNC plasma cutter, he opens every window, door and the big bay door when he runs it because vaporized metal is decidedly unhealthy.

    Here's a video of one :)

    http://www.youtube.com/watch?v=aFT__gESOfc

  8. John Tserkezis

    Call me old fashioned...

    ...but ancient rotating magnetic disk media is looking real good right about now.

  9. Anonymous Coward
    Grenade

    Burn it, trash it etc.

    I agree that the only solution (until someone comes up with devices that include a guaranteed self-erasure feature) is destruction. But doesn't the Weeeee! directive have something to say about how you do it? Could drop them off at the local waste transfer station, I suppose, but that doesn't seem quite right. How does the average person get access to the necessary secure and environmentally-friendly destruction facility?

  10. Martin Huizing
    Grenade

    ccleaner has this option.

    Wipe: Entire drive.

    Simple overwrite (1 pass), DOD 5220.22-M (3 passes), NSA (7 passes) and Gutmann (35 passes)

    Anyone tried this yet? If that doesn't work, strap your stick to a hand-grenade.

    1. Anonymous Coward
      FAIL

      RTFA

      and the comments. Yes, they tried it. No, it doesn't always work. Sometimes it does, but will take a week or so to finish.

  11. copsewood
    Flame

    Funny it needed research to uncover this dirty little secret

    Interestingly I also figured this problem out myself yesterday after reading an article describing results from the independent reverse engineering of some of these devices: http://lwn.net/Articles/428584/ (warning: subscription needed until 28 Feb 2011).

    Here we have hardware being developed under closed source/trade secrecy which violates all of our previous assumptions about how storage works in relation to data cleanliness, very likely leading to loss of privacy for individuals (a human right) and loss of data which is to be protected by organisations under data protection laws.

    Security by obscurity is no security at all once the cat is out of the bag. Didn't the industry creating these devices understand that customers needed to know about this dangerous inbuilt device behaviour before these devices were marketed and sold ?

    Self regulation of manufacturer behaviour didn't seem to work here, and this massive failure creates a strong argument for forcing publication of design details (circuit diagrams and source code) prior to supply, if the supplier expects to benefit from normal commercial assumptions providing legal protection (e.g. in relation to related copyrights, patents etc.).

    Another conclusion is that the only way to keep much of this activity accountable to the wider consumer and public interest is to scrap laws which restrict reverse engineering.

  12. Anonymous Coward
    Anonymous Coward

    True crypt

    I make it a standard practice to encrypt anything sensitive before putting it on a flash drive. The passwords are more than 32 alphanumeric characters long.

    Comments WRT iron key and source code, yes, absolutely.

  13. Anonymous Coward
    Jobs Horns

    virus

    just load it with thousands of viruses and chuck it in the bin, who ever finds it will have plenty of fun

  14. Ged T
    Flame

    Flash Flash drives for real...

    ...by momentarily powering them with 240VAC instead of the usual wimp-like 12v & 5v DC.

    Using a 'SSD Destructo-Harness' (TM*) - A SATA power plug, in an open-ended enclosure, with a mains lead wired to 'power' the inserted SSD. A push switch will be required, operated after drive insertion, to 'connect' the drive with some raw, alternating mains voltage power.

    Quick and secure.

    I love the smell of fried chips in the morning...

    *TM - Ged T, 2011 Pat Pending...

    1. Anonymous Coward
      Thumb Up

      Blast furnace/thermite.

      a blast furnace or thermite.


      Paris because some men end up with a blast furn..

    2. Anonymous Coward
      Anonymous Coward

      Doesn't work

      More likely just to burn off the power regulators or a few input capacitors..

      Now a Tesla coil on the other hand...

      1. Kanhef
        Alert

        Something like

        this: http://www.electricstuff.co.uk/esd.html

        or maybe: http://www.electricstuff.co.uk/surge.html

  15. Dr. Mouse

    Interesting

    I had not considered this from a security point of view before.

    But do drives not have an "Erase everything" now? I have heard them mentioned a lot for performance reasons (i.e. as performance degrades, you can back up, fully erase, and restore, setting the drive back to "factory" performance levels) and I was fairly sure that this performed an erase on all flash chips in the device.

    One thing I do think should be done is allow the drive to be set as a "pure" flash device, maybe using an extension to the ATA/SCSI command set. That way, these devices could be managed using traditional flash filesystems. Or something similar... I'm sure ZFS could easily be tweaked to work well on semi-raw flash. It would be nice if we were given the option, at least, to have more control below the emulated-hard-disk layer (and if drives would stop pretending to have 512b sectors, reporting the true sector size or page size to the OS).

  16. Ted Treen
    Happy

    Easy!

    Just give it to an employee of HM Gov't, and it will soon go to the limbo where countless pendrives and similar have gone in recent years, never to be seen again.

  17. Stumpy
    Coat

    Can I just be sensible for a moment...

    And suggest that maybe, the real solution is one that the manufacturers could implement? Surely, all it needs is a jumper on the drive board that instructs the electronics to perform a complete erasure of the flash chips as soon as power is applied ... y'know, like we used to have for wiping BIOS settings on motherboards?

    ... right, I'll get my coat now ...

    ... yes, that's right - it's the sensible, beige mac hanging in the corner.

    1. Ted Treen
      Pint

      Beige Mac?

      You are Sam Spade & I claim my prize...

      1. Chris Miller
        Coat

        You got a light, mac?

        No, but I've got a dark brown overcoat. (Viv Stanshall)

    2. Anonymous Coward
      Anonymous Coward

      You idiot! Here we all were, just about finished with the

      proposals so we can get our own firing ranges and explosives licenses, and you go and spoil it all by suggesting something sensible!

    3. . 3
      Heart

      Absolutely right

      It's sloppiness on the part of the SSD controller firmware that the ATA security erase command does not directly translate to an erase all pages command to each nand flash chip. The operation takes about 3-5 seconds to complete on the nand flashes I'm familiar with and every last bit can be guaranteed to have been reset to a 1 unless it is already worn out, in which case the odd zero in a sea of ones is hardly going to convey meaningful data.

      1. adamsh
        Stop

        Behaviour is correct according to ATA standard

        Have a look at the ATA standard, or at topic 4) in http://forums.theregister.co.uk/post/992361.

        Regards, HA

  18. TakeTheSkyRoad

    Hang on.... serious question here

    Ok so previous posts have established that heat works (e.g. thermite) but VERY few people or companies have access to the ability to dispose of drives in such a way.

    So for myself at home how do I wipe/destroy usb drives ?

    Working and non-functional, since I have a broken drive which my PC no longer recognises but I'd like to "destroy" the data on the chips before I bin it. Any suggestions that don't include specialist chemical supplies, oxy torches or a furnace?

    I think this is a much bigger issue for home users than corporate!

    1. Anonymous Coward
      Thumb Down

      You are having a giraffe?

      Use your favorite "impact adjustment" device or any "percussive maintenance" tool..

      Or just an effin hammer you plonker...

      1. TakeTheSkyRoad
        WTF?

        Ok, for the flame hungry....

        So hitting something very hard solves all problems mentioned in earlier posts and also destroys data held on the silicon ?

        I'm going to resist a sarky response and simply say that I'm not convinced you do more than bend a few pins and maybe destroy the board the chips are attached to. Yes, you're making life hard for someone but no, the data isn't destroyed.

    2. Michael Dunn
      Headmaster

      Thermite

      A Thermite reaction is actually fairly easy to implement iirc - Aluminium powder, Potassium Permanganate and an inch or two of Magnesium ribbon, all available on ebay.

      1. Anonymous Coward
        Anonymous Coward

        Thermite

        You forgot the other main ingredient, iron oxide rust, in plentiful supply.

        It's also good for cracking safes, though not so good for the contents.

  19. Anonymous Coward
    Anonymous Coward

    Ok...

    I spoke to EMC, our disk supplier, about this a couple of months ago. I was curious but not really concerned because we (major UK bank) shred all our disks anyway. The EMC guy said that their arrays' self-erase functionality (as of a certain version in firmware) deals with this on their self erase. However SATA drives have their own self-erase command, this deals with proper erasure. I believe that SAS/SCSI/FC drives will be getting a proper self erase, indeed they may already have one.

  20. Anonymous Coward
    Thumb Up

    A possible solution?

    http://uk.sandisk.com/misc/secure-access

  21. Fuu Baa

    Simple Solution

    Use the same methods which allowed the researchers to recover the data and overwrite it.

    No problem.

    Unlike magnetic media, where heads can take slightly varying paths, leaving traces of previous data, we're dealing with a digital medium.

    Or, as one of the posters said - always encrypt all your drives, without the key they're random data.

  22. Anonymous Coward
    FAIL

    @GrumpyJoe

    If you bothered to read the real paper (http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf) , rather than the Register's Reader's Digest version, you'd know that:

    "First, built-in [sanitation] commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs."

    So much for your "comprehension".

    Thank you for your attention.

  23. Jeff 11
    WTF?

    Insert key here

    "Wiping happens by deleting the encryption keys from what's known as the key store, effectively ensuring that the data will remain encrypted forever."

    That is absolutely NOT wiping the data. That's merely removing the encryption keys! Just because you've lost the keys to the safe doesn't mean the contents of the safe disappear. If someone can extract the data and get the correct encryption key using brute force or exploits in the key's cryptographic algorithm, then they can get the data.

  24. Anonymous Coward
    Happy

    Don't worry someone will come out with a solution

    Like encrypt the whole drive of an unencrypted SSD drive. Also put it in a press and just crush it. I have seen flash drives where the chips are cracked and it no worky at all. No dangerous flames, no dangerous gases but wear a gas mask for the dust produced.

  25. adamsh
    FAIL

    Already discovered a year ago - wiping a flash device need not work

    1) Marko Rogge discovered this effect trying to wipe out a USB stick, a flash device like a SSD. He published his discovery in https://www.xing.com/net/priedb263x/sicherheit/application-layer-bio-crypto-pen-voip-uce-was-19413/verschlusselung-kann-trugerisch-sein-28202781/p0 and published a white paper http://www.marko-rogge.de/truecrypthinweis.pdf.

    2) I was able to verify this effect with older USB sticks and was able to explain this effect due to wear levelling procedures, see https://www.xing.com/net/priedb263x/sicherheit/application-layer-bio-crypto-pen-voip-uce-was-19413/verschlusselung-kann-trugerisch-sein-28202781/28223883/#28223883.

    During research against SSD the ATA command set enlightened the background:

    3) ATA command 0xf3, "security erase unit", requires only overwriting of USER DATA AREAS, cite "....When Normal Erase mode is specified, the SECURITY ERASE UNIT command shall write binary zeroes to all user data areas (as determined by READ NATIVE MAX or READ NATIVE MAX EXT). IDENTIFY DEVICE or IDENTIFY PACKET DEVICE word 89 gives an estimate of the time required to complete the erasure."

    Bingo. They just use their routines for "write sectors" / "erase sectors", writing only to "user data areas" obeying their own wear levelling strategies... See point 2) ;->

    4) "The Enhanced Erase mode is optional" and "In Enhanced Erase mode, all previously written user data shall be overwritten, including sectors that are no longer in use due to reallocation..."

    To make it clear. Only if a feature beyond the standard ("optional") has been implemented, AND the device driver checks against a bit pattern and sets it, might the ATA drive indeed clear all previously written data .....

    5) To summarize it:

    Above mentioned behaviour is correct in the sense of the ATA command set.

    Everyone could have learned it if they read the data sheets and standards.

    Best, Hans Adams
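The "bit pattern" this post and the "Absolutely right" thread above refer to lives in the IDENTIFY DEVICE response. Added example, not code from any poster: a decoder for the security-erase words of a constructed IDENTIFY DEVICE block. Word 89 is the Normal Erase time estimate quoted in point 3); word 90 (Enhanced Erase time) and word 128 (security status, bit 5 = Enhanced Erase supported) are my reading of the ATA/ACS specification, as are the bit positions and the 2-minute time units.

```python
"""Decode the security-erase words of an ATA IDENTIFY DEVICE response.
Added example, not from any poster. Word 89 is the Normal Erase time estimate
quoted above; word 90 (Enhanced Erase time) and word 128 (security status, bit 5
= Enhanced Erase supported) follow the ATA/ACS specification as I know it.
Times are in units of 2 minutes; raw 255 means "more than 508 minutes"."""
import struct

# Word 128 (security status) bits, per the ATA/ACS spec (assumption stated above)
SEC_SUPPORTED = 1 << 0
SEC_ENABLED = 1 << 1
SEC_LOCKED = 1 << 2
SEC_FROZEN = 1 << 3
SEC_ENHANCED_ERASE = 1 << 5


def identify_words(raw):
    """Split the 512-byte IDENTIFY DEVICE block into 256 little-endian 16-bit words."""
    if len(raw) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return struct.unpack("<256H", raw)


def erase_minutes(word):
    """Bits 7:0 of words 89/90: 0 = not reported, 255 = over 508 min, else n*2 min."""
    value = word & 0xFF
    if value == 0:
        return None
    if value == 255:
        return float("inf")
    return value * 2


def security_summary(words):
    """Pull the fields a sanitisation tool must check before trusting the drive."""
    w128 = words[128]
    return {
        "supported": bool(w128 & SEC_SUPPORTED),
        "enabled": bool(w128 & SEC_ENABLED),
        "locked": bool(w128 & SEC_LOCKED),
        "frozen": bool(w128 & SEC_FROZEN),
        "enhanced_erase": bool(w128 & SEC_ENHANCED_ERASE),
        "normal_minutes": erase_minutes(words[89]),
        "enhanced_minutes": erase_minutes(words[90]),
    }


def erase_mode_to_request(summary):
    """Defender's choice: only Enhanced Erase promises to cover reallocated areas."""
    if not summary["supported"]:
        return "none"              # no SECURITY ERASE UNIT at all: destroy, or overwrite and verify
    if summary["frozen"]:
        return "unfreeze-first"    # the drive rejects SECURITY ERASE UNIT while frozen
    # Normal mode only covers "user data areas", so flag it as not sufficient on its own
    return "enhanced" if summary["enhanced_erase"] else "normal-unsafe"


def build_sample(w89, w90, w128):
    """Constructed 512-byte IDENTIFY block with only the words we care about set."""
    words = [0] * 256
    words[89], words[90], words[128] = w89, w90, w128
    return struct.pack("<256H", *words)
```

On a real drive the same words come from `hdparm -I`, which prints them in its "Security" section; the point is that "normal" support alone says nothing about stale pages.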

  26. Paul Powell

    Surely it's about appropriate measures?

    Your security is only as good as its weakest link.

    When I decommission HDDs I wipe the drive with random data, take it apart, score the platters, take them out, dispose of the electronics separately, and then if I don't need a new coaster I use a pair of pliers to bend the platters.

    It's possible that someone could still get data from that drive - but really, how much effort would that be? How much would that cost - just following the tracks round a warped surface that you could never flatten would be bad enough.

    It would, I suggest, be much cheaper and easier to break into my office and steal the HDDs from the running servers, or to hack in.

    On the other hand if you are carrying missile plans etc. then your office is probably more secure than most. In that case, destroy it. Utterly.

    The thing is that most data loss (at least that which we hear about) is due to leaving unencrypted devices on trains or sending CDs through the post, or selling on old PCs without making sure that they are wiped first. Flash drives don't get decommissioned - they get lost.

    All this making sure there are no large chip fragments is rubbish except for the highest grade - if you have broken the device's electronics then you've eliminated all except those that are prepared to solder. If you break each chip then my guess is that you'd need some pretty hefty hardware along with some dedicated boffins and a large payroll to get anything out of it.

    Anyone got an idea of the technique, an approximate price list for the equipment?

    1. ted frater

      Recent destruction work

      I'm lucky to have a 275lb drop forging hammer that can fall under gravity about 1 yard some 5 times a minute. When you stop it dead in say 1/16th in,

      it delivers some 50 tons of instant energy between 2 hardened steel heads some 5in square. That's 10 tons a square inch.

      Ok it's a minting tool and I can make pound coins on it, that's not economic, but it is economic to flatten hard drives or SSDs, crushing any chip to powder.

      I had 250 Verisign terminals to destruct recently. Completely reduced to 1/4in thick, inc. all plastics, circuit boards, chips etc.

      Customer was happy.

      Cost to destroy: £1.00 each.

      Time taken: 1 hour.

      Get your hard drives or SSDs to me plus payment, work guaranteed.

      Hope this helps.

      1. Michael Dunn
        Headmaster

        5-inch square

        Sorry, 50 tons on a 5-inch square is actually 2 tons per square inch.

  27. Joe User

    Perfect at the target range

    Set the drive about 50 yards out and put a few high-velocity rounds through it. Good luck getting any data off it afterwards (and a great stress reliever, too).

  28. NoneSuch Silver badge
    Thumb Up

    Thermite

    Cheap and effective.

    5 star suggestion.

  29. Keith Doyle
    WTF?

    Jeez...

    It's pretty clear the confusion here is that some are talking about overwriting ALL the files on the disk, where a reformat (as long as it's not "quick") or complete sector overwrite enough times would likely do the job, and others talking about a single file erase, where all unallocated sectors would also have to be overwritten to ensure wear levelled copies are hit as well. Wear levelling need not include "extra" space, only the smart reuse of the space you have. Extra space is only necessary if you expect a high failure rate. In any case, a whole filesystem erase is somewhat simpler than a single file erase.

  30. Argus Tuft

    omg

    does this mean the Russian mafia could spend thousands to extract the spreadsheet of my shopping expenses for the last month...?

    my life is sooo boring I'd welcome the attention.

    (pps - hydrofluoric acid - just don't get it on you...)
