Confidential Data Not Safe On Solid State Disks
An anonymous reader writes "I always thought that the SSD was a questionable place to store private data. These researchers at UCSD's Non-Volatile Systems Laboratory have torn apart SSDs and have found remnant data even after running several open source and commercial secure erase tools. They've also proposed some changes to SSDs that would make them more secure. Makes you think twice about storing data on SSDs — once you put it on, getting it off isn't so easy."
It's the only way to be sure.
Faster! Faster! Faster would be better!
It's easy to get the data off; it's just hard to get the data off and keep the disk usable.
done.
1 electric drill, 1 work bench, and some bored interns.
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
... try reading anything from the ensuing dust.
If he's the Walrus then can I be a penguin please?
Encrypting it?
Is taking data off really an issue anyway? If it's confidential data, destroy the disk when you need to dispose of it. Not repurposing or re-selling hardware with sensitive information on it sounds like a no-brainer.
no reading anything after you smash it.
The solution is the same as hard drives in any secure system - use it, and when you are done, destroy it. Say you get 3 years out of an SSD, the cost of replacing it is trivial over the long haul. Nobody serious about security erases conventional platter HDs and hopes that's good enough.
It doesn't matter if you can get hold of ALL of the data, if it's encrypted you're fucked. Nothing to see here, move along.
Solution: Don't copy any data to an SSD unless you're copying it into an encrypted volume.
I thought we'd already agreed that the only way to be really sure that your data is gone is to physically destroy the drive. If you've got data that's really so sensitive that someone's going to spend serious resources to extract it, the actual price of a drive is nothing. Smash it and call it good.
I know OCZ has its own wipe utility and I believe Intel too. Using wiping software designed for mechanical disks makes absolutely no sense and the results from this study are 100% predictable. Oh, your Gutmann wipe pattern for circa 1991 MFM drives doesn't wipe SSDs? You don't say! If you needed to securely wipe one, use the proper tool.
That said, it would be nice if there was some standard way of doing this.
It is a commonly known fact that the only way to ensure data is never retrieved from a physical disk whether spinning or SSD is to physically destroy the drive. All other methods short of that have flaws and some data can be retrieved.
excellent tool for neutering storage. build up a roaring fire with about 6 inches of coals, and then toss the hard disk into it. retrieve in morning, dump in trash. done.
if this is supposed to be a new economy, how come they still want my old fashioned money?
If you use the proper erase methods (solid state or other) then it doesn't matter. If you need to destroy the data, simply put it on a cookie sheet and put it in the oven on broil for 30 minutes.
Okay, so it's not so secure; for secure data use secure, highly encrypted mediums. If you encrypt the data on the SSD, does it matter how much is left? If you end up with encrypted data, how can anyone use it with no clue on how it was encrypted, forgoing good crackers and hackers? I'd assume they're not pulling off full data, just fragmented data, so that's even harder to put together.
Thermite will fix everything! [s/fix/destroy] :-)
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Didn't RTFA, but how about dd'ing zeros to the device?
dd if=/dev/zero of=/dev/sdb should work on everything...
I remember something about a prize for recovering data from a zeroed HD...
\m/
encrypt the data before writing. at no point in its existence will it appear anything but white noise to unauthorized parties.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Don't know about you, but I don't have any problem getting your wife off!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
What are you doing? Why are you writing confidential data to unencrypted storage?
I prefer a mixture of magnesium dust and gunpowder; but to each their own.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
I guess what concerns me the most about SSDs is data recovery. Is that any harder on SSDs than regular disks? Or is data recovery a moot point since there are no moving parts?
The diversity and expression of human opinion is essential to human survival.
Don't know about you, but we don't have any problem getting your wife off!
No doubt.
dd if=/dev/urandom of=/dev/sda
You can't do a secure erase from software, because data may still exist in blocks that were remapped by the firmware due to errors or for write leveling. When you write to an SSD, the new data goes in a free block, and the old block is marked free. To do a real secure erase, you have to work with the SSD firmware, and even then, you can't be sure if data may still exist on bad blocks that can't be written to.
So the only way to be sure is to physically destroy it, and flash is reliable enough that it's difficult to be certain that you've truly destroyed it.
So as everyone else is saying, the only good solution is to encrypt everything, and don't store the keys in flash.
Don't know about you, but after the paper bag fell off, getting me off your wife was easy!
A couple whacks with a hammer still works great. Remove the circuit board from the case, give each chip a little love tap with a ball peen hammer. Problem solved without waiting hours for the thing to "secure erase".
Concerned about losing resale value? Security costs money, period. If you want real security, sometimes you have to take some financial responsibility and accept the loss of resale value in exchange for real security. Price of doing business.
"Makes you think twice about storing data on SSDs — once you put it on, getting it off isn't so easy."
My 12 gauge begs to differ. Pull!
For once I've read the paper :-)
But I could not find a description of the technique utilized to recover the files.
They say that an "advanced hacker" will be able to recover the files, but I'd like to know how.
Utinam logica falsa tuam philosophiam totam suffodiant!
bring the hammer down!
I don't know about any of you and I'd like to keep it that way...
Remember to maintain your supply of
Simple solution: overwrite.
I challenge anyone to find my MicroSD card. I've conducted extensive security audits to verify that no attacker, even one with inside information, can gain electronic or physical access to the disc.
Block storage devices have more capacity than they report. Magnetic disks keep a small reserve of unallocated blocks as a hedge against blocks that fail in use. SSDs keep a much larger reserve because they can only erase in increments that are relatively large compared to their block size.
If you overwrite a sector on a magnetic disk, you will almost always destroy all traces of the old data. The exception is when the drive thinks the old sector has failed or is about to fail, in which case you get an entirely new sector, and your old data is still (possibly) on the old sector. Attacks using magnetic force microscopes to read data from track fringes were possible a decade ago, but there is no reason to think it is possible on a modern drive.
If you overwrite a sector on an SSD, the SSD gives you a whole new block from a list of free blocks, and adds the address of the old block to the list of deleted blocks. Blocks are moved from the deleted list to the free list when the SSD has some free time, or when one is really needed. There is currently no mechanism to force the SSD to actually erase a sector.
This is all known, and there are mechanisms built into the specs to provide a secure erase. What their research is showing, however, is that these mechanisms don't always work. A number of them are buggy, and at least one just plain lies, claiming to have done the secure erase, but actually just doing the normal pointer update trick just like any other write.
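The mechanism described in the post above (a host overwrite goes to a fresh block, the old block is only retired, and the spare pool is never reachable from the logical address space) can be made concrete with a small simulation. The following is an added example written for this page, not code from the paper or from any drive vendor; the flash translation layer, the page size, the eager garbage collection policy and the "fake" versus "real" secure erase commands are all constructed assumptions. It audits the raw physical pages after a `dd`-style overwrite, after a controller that only resets its mapping table, and after a controller that really erases every page:

```python
from collections import deque

PAGE = 16  # bytes per simulated flash page (constructed, tiny so the demo is readable)


class SimSSD:
    """Toy flash translation layer (FTL), an assumption for this example.

    Logical pages are mapped onto a larger pool of physical pages. A host
    overwrite never touches the old physical page: the new data lands on a
    free page, the old page is retired, and it is only erased later by
    garbage collection. The pool is over-provisioned, so some physical pages
    are never reachable through the logical address space at all.
    """

    def __init__(self, logical_pages, spare_pages):
        total = logical_pages + spare_pages
        self.logical_pages = logical_pages
        self.flash = [bytes(PAGE)] * total        # raw physical pages, all erased
        self.mapping = {}                         # logical page -> physical page
        self.free = deque(range(total))
        self.retired = deque()                    # stale pages not yet erased

    def write(self, lpn, data):
        assert len(data) == PAGE and 0 <= lpn < self.logical_pages
        if not self.free:
            self._garbage_collect()               # assumption: eager GC when the pool runs dry
        ppn = self.free.popleft()
        self.flash[ppn] = data
        old = self.mapping.get(lpn)
        if old is not None:
            self.retired.append(old)              # old contents stay on the chip for now
        self.mapping[lpn] = ppn

    def read(self, lpn):
        ppn = self.mapping.get(lpn)
        return self.flash[ppn] if ppn is not None else bytes(PAGE)

    def _garbage_collect(self):
        while self.retired:
            ppn = self.retired.popleft()
            self.flash[ppn] = bytes(PAGE)         # the only point where data is really erased
            self.free.append(ppn)

    def host_overwrite_all(self, fill_byte):
        """What `dd if=/dev/zero of=/dev/sdX` achieves: every *logical* page is rewritten."""
        for lpn in range(self.logical_pages):
            self.write(lpn, bytes([fill_byte]) * PAGE)

    def fake_secure_erase(self):
        """A controller that reports success but only resets the mapping table."""
        self.mapping.clear()

    def real_secure_erase(self):
        """Erase every physical page: mapped, retired and spare alike."""
        self.flash = [bytes(PAGE)] * len(self.flash)
        self.mapping.clear()
        self.retired.clear()
        self.free = deque(range(len(self.flash)))

    def raw_dump(self):
        """What desoldering the chips yields: all physical pages, ignoring the FTL."""
        return b"".join(self.flash)


def remnant_pages(ssd, secret_pages):
    """Count how many of the secret pages still exist anywhere in raw flash."""
    raw = ssd.raw_dump()
    return sum(1 for page in secret_pages if page in raw)


def ftl_demo(logical_pages=8, spare_pages=2):
    """Write a secret, then try three sanitization approaches and audit raw flash after each."""
    ssd = SimSSD(logical_pages, spare_pages)
    secret = [bytes([0x41 + i]) * PAGE for i in range(logical_pages)]   # constructed sample data
    for lpn, page in enumerate(secret):
        ssd.write(lpn, page)
    results = {"after_write": remnant_pages(ssd, secret)}
    ssd.host_overwrite_all(0x00)
    results["after_host_overwrite"] = remnant_pages(ssd, secret)
    results["logical_view_clean"] = all(ssd.read(l) == bytes(PAGE) for l in range(logical_pages))
    ssd.fake_secure_erase()
    results["after_fake_secure_erase"] = remnant_pages(ssd, secret)
    ssd.real_secure_erase()
    results["after_real_secure_erase"] = remnant_pages(ssd, secret)
    return results


if __name__ == "__main__":
    print(ftl_demo())
```

With 8 logical and 2 spare pages, one full host overwrite leaves exactly two secret pages on the chip while every logical read returns zeros, and the mapping-table-only "secure erase" changes nothing about that. Real drives garbage-collect on their own schedule and in whole blocks, so the number of surviving pages is not this predictable; the point that survives the simplification is that only an erase performed by the controller over all physical pages removes the remnants.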
See that "Preview" button?
You know, I've never understood this one. If you have written a zero to every sector on the hard drive, including the hidden space, how in the world is it possible to recover any data at all?
Because digital is just a convenient abstraction for our analog reality. Here's a gross simplification. A bit is just a magnetic blob on a large plane of magnetic media. When a read/write head returns to a particular spot it does not return to exactly that same position, close but not exact. As the platter spins and it lays down a track of these magnetic blobs it may write the new track a little bit to the side of the old track. This partly motivates wiping software writing data seven or more times, it wants to increase the likelihood of getting the old data.
Try this: Take two highlighters, one yellow and one a darker color. Draw a yellow line. Now draw on top of that line with the other color. See any pure yellow peeking through on the edges? That yellow is like the area where data recovery people will use highly specialized equipment to read "overwritten" data.
I actually own an SSD myself. As I understand it, the drive is encrypted by default, and the "Security Erase" method simply drops the internal encryption key from the drive. Without that encryption key, all the previous data is encrypted using AES-128 which would just appear to be white-noise.
I don't understand why this method wouldn't work, unless the unit leaks that key?
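The question above (why would dropping the internal key not be enough, unless the drive leaks the key?) comes down to where the old key copy physically lives. The following is an added example, not code from the original post or from any drive vendor: a toy self-encrypting drive whose key slot is itself flash, so a "lazy" key rotation leaves the old key page on the chip, while a strict crypto-erase overwrites every key page first. The SHA-256 keystream is a constructed stand-in for the drive's AES, used only so the example runs with the standard library; it is not a cipher to reuse. The check `verify_no_key_remnant` is the sanitization test a defender would run against a chip-level dump: does any surviving key page still decrypt the media?

```python
import hashlib
import os

HEADER = b"CONFIDENTIAL-REPORT-v1"   # constructed known plaintext at the start of the user data


def keystream_xor(key, nonce, data):
    """Stand-in for AES-CTR: SHA-256(key || nonce || counter) as keystream.
    Constructed for illustration only; the same call encrypts and decrypts."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class SelfEncryptingDrive:
    """Toy self-encrypting drive (an assumption for this example).

    User data is only ever stored under a data encryption key (DEK). The DEK
    sits in a small flash region that, like any flash, keeps old copies until
    a page is physically erased.
    """

    def __init__(self):
        self.key_region = [os.urandom(32)]   # every physical copy of the DEK ever written
        self.nonce = os.urandom(16)           # public value, stored in the clear
        self.media = b""

    @property
    def dek(self):
        return self.key_region[-1]            # the controller uses the newest copy

    def write(self, plaintext):
        self.media = keystream_xor(self.dek, self.nonce, plaintext)

    def read(self):
        return keystream_xor(self.dek, self.nonce, self.media)

    def crypto_erase_lazy(self):
        """Install a new DEK on a fresh page; the old page is merely unmapped."""
        self.key_region.append(os.urandom(32))

    def crypto_erase_strict(self):
        """Physically erase every page that ever held a DEK, then install a new one."""
        self.key_region = [bytes(32)] * len(self.key_region)
        self.key_region.append(os.urandom(32))

    def raw_flash(self):
        """What a chip-level read returns: all key pages plus the ciphertext."""
        return list(self.key_region), self.media


def verify_no_key_remnant(drive, known_header):
    """Sanitization check: no key page left in raw flash may still decrypt the media."""
    keys, media = drive.raw_flash()
    return not any(
        keystream_xor(k, drive.nonce, media).startswith(known_header) for k in keys
    )


def crypto_erase_demo():
    results = {}
    lazy = SelfEncryptingDrive()
    lazy.write(HEADER + b" quarterly numbers, names, addresses")
    results["readable_before_erase"] = lazy.read().startswith(HEADER)
    lazy.crypto_erase_lazy()
    results["lazy_erase_clean"] = verify_no_key_remnant(lazy, HEADER)      # old key page survives

    strict = SelfEncryptingDrive()
    strict.write(HEADER + b" quarterly numbers, names, addresses")
    strict.crypto_erase_strict()
    results["strict_erase_clean"] = verify_no_key_remnant(strict, HEADER)  # nothing decrypts
    results["strict_erase_read_garbage"] = not strict.read().startswith(HEADER)
    return results


if __name__ == "__main__":
    print(crypto_erase_demo())
```

The ciphertext is identical in both cases; what differs is whether the key page was erased or only unmapped. That is why "the drive dropped its key" is only as trustworthy as the controller's handling of its own key storage, and why verifying against a raw dump, rather than trusting the command's status code, is the check that matters.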
This sounds like a good thing to me. Better chances of getting data back from failed hardware. Or getting data from a device that a numbskull disgruntled employee thinks they've intentionally ruined.
If you actually WANT to destroy the data, others here have mentioned the proper methods. I like to rely on the .45 at high velocity, but open flames work well too.
No sig for you. YOU GET NO SIG!
You couldn't possibly seriously mean we should start reading the entrails? That is soo medieval.
"once you put it on, getting it off isn't so easy." - That's what she said?? ZINGGGGGGGGGGGGGGGGG!
Presumably this is because of the optimization techniques that SSDs use to achieve high performance and increase lifespans. One of these measures is having 64GB of flash on a 60GB SSD, leaving extra flash to act as for intensive operation and wear leveling. Since the disks weren't designed for secure erasure, no method erases the extra space, and what conventional programs do is just trigger the controller to sometime overwrite some of the extra flash space.
This isn't endemic to SSD technology, just the way the controllers are implemented. At some point controllers will probably support this secure erase of all flash.
TL; DR : new tech doesn't have all the features, can recover at least 1% of your data until better tech comes out
The best, most effective way to guarantee, without a single doubt, that no data can ever be recovered from a drive is rather simple. Instead of using deletion tools, merely immerse the drive in thermite.
I find 165 grains going about 3000 fps is a very effective data destruction device. It is also a great way to relieve stress.
For a system drive you have to at least install the OS before being able to encrypt it with TrueCrypt or its fork DiskCryptor.
That's not a problem if you don't save any personal data to the drive after installing the OS and before a system encryption, but nevertheless this depends on how wide you define personal data. Is the choice of OS, any registry key, choice of software, isn't that personal information, too?
Isn't this why we all own a microwave oven? ...just don't inhale the fumes
The great zero challenge was never accepted, so I'd say it's safe to say that spinning hard disk data can be reliably erased. I've never seen it done, that's for sure.
http://hardware.slashdot.org/story/08/09/06/189248/The-Great-Zero-Challenge-Remains-Unaccepted
Well I finally did read TFP referred to by the abstract in TFA mentioned in TFS. And it sure looks like they just de-soldered the ICs and popped them into a dead-bug socket on their "Ming the Merciless" custom controller board.
I am not a crackpot.
My solution? About half a dozen rounds of 20ga at close range. Good luck reading the entrails. If you're that desperate, I suppose I could introduce the remains of the device (and maybe some of the stray shot) to HI, the friendly acid.
Whether it's an HD, SSD or optical disc, only a few people really care enough to secure their data, and in the end if you want to make sure no one gets it, then physically destroy the media when you're done. It's the safest way for all of them.
Do rare earth magnets work on SSD? Or does magnetise-and-destroy no longer work on today's tech?
They come in the dark, only in the darkest.
Someone once told me that I should use RSA encryption because it was developed by the NSA. I thought to myself "why would the NSA produce and give away an encryption algorithm they can't break". I concluded that they wouldn't. So yeah, probably not secure.
For the sake of argument let's assume the NSA can break it. So what? The government already has my SSN, bank account numbers and credit card numbers. I only need to stop the thieves, finders keepers, dumpster divers, computer recyclers, etc.
Also if it's so hard to delete then maybe SSD drives are a good place for long term backup/storage of those encrypted volumes. Just wondering, not claiming it is so.
I bet this doesn't work on drives that use the SandForce controller that AES-encrypts all of the flash.
I wonder what the value of "remnant data" could be when the data were, say, AES encrypted?
You are encrypting your confidential data, correct? Or should I say, unencrypted data are not "confidential" in the first place?
-fb Everything not expressly forbidden is now mandatory.
Would doing a 'dd if=/dev/zero of=/dev/sda' a few times not do it?
They later amended the platter removal terms with the following text, but still nobody accepted it.
AFAIK, they did not do whole disk wipe.
The website says "Individual file sanitization techniques, all of which failed and left at least 10MB of a 1000MB file." Does not say what happens when you do a full disk wipe. #Fail.
Well, if you put clear text anywhere it's unsafe. I put encrypted data on flash all the time without concern.
What am I missing here? I have a drive/card/chip labeled 16 GB storage. I save 16 GB of data to it. I overwrite the entire volume with 1s.
Now I can read 16 GBs of 1s. And some l33t hacker can retrieve the 16 GB of secret sauce I thought was overwritten. So a drive labeled 16 GB really has 32 GB capacity, it's just that second 16 GB is hard to access?
And what if I then go back and overwrite those 1s with 0s or random bits? Is it possible to retrieve the layer of 1s and the original data? So a 16 GB disk can hold 48 GB? And that last 32 GB is just really, really hard to access?
Of course, I didn't RTFA. But I presume we're not just talking about delete/undelete of single files. If they didn't wipe the whole disk, why would this be on /.?
This is why I store all my important confidential data on a piece of paper taped inside my top desk drawer.
Why is Slashdot posting these inane articles?
Everybody who knows anything about SSDs knows that they have significantly more raw storage than logical capacity, and that the extra storage capacity is used for redundancy. Because of the wear levelling systems used, writes don't go back to the same place, so data can't be overwritten. This has been well known and obvious to everyone for years.
Pro Tip: Full Disk Encryption. Problem. Fucking. Solved.
Why are we even talking about this?
Just mount the flash drive and put a bullet in your computer's monitor. If it works for hard drives in the movies, then it should work for solid state as well.
As it has been pointed out, modern drives overlap various bits quite a bit and there really is no such residual magnetism. It is below the noise floor of the natural variations in a platter's magnetism.
Some of this research is even from the same guy (Gutmann) who published the technique 25 years ago, but states it is impossible with modern drives.
And even if you can read this residual magnetism, think of what you must do next:
First, a drive head isn't enough. You have to get the platter under an electron microscope or such incredibly specialized device owned by what, 10 labs in the whole world?
Next, you spend months (from what I heard of the speed you get out of those) copying the platter, generating several times more data than the official disk's capacity.
Once you're done with that you can get to decoding. But, there's a laboratory proof of concept, and there's the real thing. On a real drive, you won't get a laboratory setting of showing you can read sector #1 and then figure out what the previous value was. You'll have to find something interesting in millions of sectors.
On hard disks data doesn't get written in neat tidy ways. Files get fragmented all over the platter, and when deleted their sectors may get reused. So you'll have to find your interesting file by piecing it together. You'll have to make sense of the former filesystem metadata that says where it was, then read the now overwritten file. Both of which are probably not neatly overwritten once, but different amounts of times on each sector, and you'll have to figure out which of those is the good one.
It sounds like way, way too much trouble.
What's an even bigger concern is that when an SSD fails, your whole disk is still available read-only. I've got one sitting around like that, and have been too lazy to physically destroy it (none of the data is sensitive). What I should have done is just turn it into super-fast installation media for a few versions of Windows, but I wasn't thinking at the time.
Of course, that failure model is a *feature* of SSDs. With a HDD, the drive just randomly fails someday, and you lose the ability to read, write, or securely erase data. If you have sensitive data, it shouldn't be stored on any media unless it's encrypted or physically/remotely secure and will be thoroughly destroyed when it dies. That's common sense. Blocks being difficult to securely erase due to wear leveling and such doesn't change that.
It's easy to get the data off
Much easier than spelling the inventor's name
Of course they can always get the data off. Everyone knows that. They do it all the time on CSI. Sheesh!
Proverbs 21:19
Once you put it on, getting off isn't so easy.
Yes, that's what I tell security when I walk around our server room with firearms.
Or maybe shooting doesn't actually solve all your problems.
The Kruger Dunning explains most post on
You take the drives to the range, not go shooting in the server room.
1. Buy a steamroller.
2. Get government contract for SSD data destruction.
3. Profit!
And it's not the NSA.
To everyone crying encryption: I think encryption is good, you should be actively encrypting your drives. However, you should make sure that all the data is actually gone - what if sometime down the line there is a weakness in the cryptosystem or you used a bad random number generator - remember the PS3? The problem is encrypting SSDs just dump the key, and the encrypted data is still there (or maybe you're using truecrypt, and the data gets leftover on the SSD).
The authors actually make this point in the previous paper SAFE: Fast, Verifiable Sanitization for SSDs. They find that you can fully erase a SSD in 10s of seconds, and then you can actually verify that the data is actually gone. There will be some people out there that say that encryption is enough unless you're uber paranoid. Possibly: But why not do it right if it's not even that difficult in the first place?
In actually reading up more on this issue, I contacted the author and he posted the slides from his talk on his website.
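The verification step the post above argues for (checking that the data is actually gone, rather than trusting the tool) can be done against a chip-level dump with a chunk-hash scan. The following is an added example written for this page, not the SAFE authors' tooling: it hashes every page-sized chunk of the original file, slides over a raw flash image at page alignment, and reports which chunks survive, which is the shape of result the summary quotes ("left at least 10MB of a 1000MB file"). Uniform chunks (all one byte value) are skipped because they also match erased or zero-filled pages and would give false remnant hits. The page size, the sample file and the dump are all constructed; `fake_file` and `scan_demo` exist only to make the example run offline.

```python
import hashlib

CHUNK = 4096  # bytes; assumed flash page size, so file chunks are compared page-aligned


def _uniform(chunk):
    """True for chunks that are a single repeated byte (erased pages, zero fill)."""
    return chunk.count(chunk[0:1]) == len(chunk)


def chunk_digests(data, size=CHUNK):
    """SHA-256 of every full, non-uniform chunk of the original file, keyed by chunk index.
    Returns (digests, number_of_uniform_chunks_skipped)."""
    digests, ignored = {}, 0
    for i, off in enumerate(range(0, len(data) - size + 1, size)):
        chunk = data[off:off + size]
        if _uniform(chunk):
            ignored += 1
            continue
        digests[i] = hashlib.sha256(chunk).digest()
    return digests, ignored


def scan_dump_for_file(dump, original, size=CHUNK, step=None):
    """Report which chunks of `original` survive anywhere in a raw flash dump.

    `step` defaults to `size` (page-aligned scan); pass a smaller step if the
    controller may store pages at other offsets (slower, but catches more).
    """
    step = step or size
    wanted, ignored = chunk_digests(original, size)
    by_hash = {}
    for idx, digest in wanted.items():
        by_hash.setdefault(digest, []).append(idx)
    found = set()
    for off in range(0, len(dump) - size + 1, step):
        digest = hashlib.sha256(dump[off:off + size]).digest()
        if digest in by_hash:
            found.update(by_hash[digest])
    return {
        "chunks_checked": len(wanted),
        "chunks_ignored": ignored,
        "chunks_found": len(found),
        "found_indices": sorted(found),
        "fraction_recoverable": len(found) / len(wanted) if wanted else 0.0,
    }


def fake_file(n_chunks, seed=b"constructed-sample", zero_chunks=()):
    """Deterministic pseudo-random file content (constructed test data, not a real file)."""
    out = bytearray()
    for i in range(n_chunks):
        if i in zero_chunks:
            out.extend(bytes(CHUNK))          # an all-zero region, as sparse files have
            continue
        for j in range(CHUNK // 32):
            out.extend(hashlib.sha256(seed + i.to_bytes(4, "big") + j.to_bytes(4, "big")).digest())
    return bytes(out)


def scan_demo():
    """Simulate a 'wiped' drive whose raw dump still holds three pages of a 16-page file."""
    original = fake_file(16, zero_chunks=(5,))
    dump = bytearray(64 * CHUNK)                       # 64 erased (all-zero) pages
    for page, idx in ((9, 3), (20, 7), (41, 12)):      # surviving pages at arbitrary positions
        dump[page * CHUNK:(page + 1) * CHUNK] = original[idx * CHUNK:(idx + 1) * CHUNK]
    return scan_dump_for_file(bytes(dump), original)


if __name__ == "__main__":
    print(scan_demo())
```

The scan is all-or-nothing per chunk: a page that survived with a few flipped bits will not match, so the reported fraction is a lower bound on what remains. For a real audit the dump would come from reading the flash chips directly, as the researchers did, since anything read through the drive's own interface only shows the mapped pages.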
Suggested Alternative Headline: "Confidential, Unencrypted Data Not Safe on Solid State Disk, Conventional Disk, or Anywhere Else Now That I Think About It"
but have you considered the following argument: shut up.
Even mechanical disks need this - if you get a sector re-mapped, you're not going to zero it out ever again.
Some SATA drives support a Secure Erase ATA command extension. I asked Seagate to send me a list of their drives that had this support in firmware, so I could write a tool to do this. They refused. Even as a "Seagate Partner".
So, in the general case, you can't trust your drives. LUKS is easy enough to set up on Linux that you can work around drive vendors you can't trust (but set swappiness to 0 on a netbook!).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Call the Marines.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
It eats some of the speed advantages but whole disk encryption works for me. It's still way faster than a magnetic disk.
'secure erase tools' - ridiculous.
No it is not.
dd was fine in the year 2000.
It does not work today for the following reasons:
Hard drives do re-maps for bad blocks. These bad blocks are not touched by OS tools.
SSDs do this even more aggressively and even by default keep a pool (10%) of flash just to recover from material defects, and might also compress data (e.g. write all zero bytes and it will compress the data) to minimize the number of writes.
In theory the secure erase tools send the disk a low level command that will really zero all data, but the investigators did show that this optional ATA command was not implemented correctly in some cases.
dd if=/dev/urandom of=/dev/sdxxx will probably erase the data, BUT NOT ALL OF THE DATA ON A SSD; rewriting with zeros might be a non-productive idea with advanced disk firmwares.
PS, I agree that overwriting the data multiple times that some old tools did is just a waste of time, on a SSD it will only cause more wear.
SSD is also too easily wiped for important historical data, I think optical media is much better for long term storage of data.
The purpose of existence is to make money.
the old tried-and-true method of 'securing' your data still applies: woodchipper.
Is it possible to recover data after running the following a number of times?
$ dd if=/dev/urandom of=/dev/hda
Is what the story title should've been. Confidentiality, not data, is the subject of "safe". Much like copyright doesn't "protect" creative works, rather it protects revenue streams and feelings of copyright holders and authors.
To truly delete or protect the info on the SSD, after copying all the pertinent data, remove the SSD from the slot, place it on a solid object (such as a brick) and administer a strong concussive blow with a nail-driving device (i.e. a hammer). The SSDs are cheap enough and if your data is as valuable as you think it is, there is no great loss (of the SSD). If you think this is a waste, then perhaps your data is really not that valuable after all......