Confidential Data Not Safe On Solid State Disks
An anonymous reader writes "I always thought that the SSD was a questionable place to store private data. These researchers at UCSD's Non-Volatile Systems Laboratory have torn apart SSDs and have found remnant data even after running several open source and commercial secure erase tools. They've also proposed some changes to SSDs that would make them more secure. Makes you think twice about storing data on SSDs — once you put it on, getting it off isn't so easy."
It's the only way to be sure.
Faster! Faster! Faster would be better!
1 electric drill, 1 work bench, and some bored interns.
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
... try reading anything from the ensuing dust.
If he's the Walrus then can I be a penguin please?
Encrypting it?
Is taking data off really an issue anyway? If it's confidential data, destroy the disk when you need to dispose of it. Not repurposing or re-selling hardware with sensitive information on it sounds like a no-brainer.
The solution is the same as hard drives in any secure system - use it, and when you are done, destroy it. Say you get 3 years out of an SSD, the cost of replacing it is trivial over the long haul. Nobody serious about security erases conventional platter HDs and hopes that's good enough.
It doesn't matter if you can get hold of ALL of the data, if it's encrypted you're fucked. Nothing to see here, move along.
I thought we'd already agreed that the only way to be really sure that your data is gone is to physically destroy the drive. If you've got data that's really so sensitive that someone's going to spend serious resources to extract it, the actual price of a drive is nothing. Smash it and call it good.
I know OCZ has its own wipe utility and I believe Intel too. Using wiping software designed for mechanical disks makes absolutely no sense and the results from this study are 100% predictable. Oh your Gutmann wipe pattern for circa 1991 MFM drives doesn't wipe SSDs? You don't say! If you needed to securely wipe one, use the proper tool.
That said, it would be nice if there was some standard way of doing this.
You know, I've never understood this one. If you have written a zero to every sector on the hard drive, including the hidden space, how in the world is it possible to recover any data at all?
Thermite will fix everything! [s/fix/destroy] :-)
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Encrypt the data before writing. At no point in its existence will it appear anything but white noise to unauthorized parties.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
It's because the bits in the hard drive aren't actually binary but rather values that are interpreted as 1 or 0. For instance a value of 0.6 would be interpreted as 1 and 0.4 would be 0.
This means that if you look at the exact value rather than the interpretation you can make a guess at what values it has been before.
According to RTFA they can recover almost 100% of the data from a 0'd HD, 90% of the data from a randomed HD and 1-10% from a HD that has run extremely extensive random HD passes (Like Gutmann)
This is due to SSDs working differently than standard HDs.
By scanning the surface of the platter with specialized equipment, it's possible to detect residual magnetization 'around' the area written by the drive head and determine where there used to be a bit. Actually using this technique to recover anything outside of a laboratory experiment (where the drive was only written to and erased with 0's once) is a myth, however. No one does this, not even CTU.
You can't do a secure erase from software, because data may still exist in blocks that were remapped by the firmware due to errors or for write leveling. When you write to an SSD, the new data goes in a free block, and the old block is marked free. To do a real secure erase, you have to work with the SSD firmware, and even then, you can't be sure if data may still exist on bad blocks that can't be written to.
So the only way to be sure is to physically destroy it, and flash is reliable enough that it's difficult to be certain that you've truly destroyed it.
So as everyone else is saying, the only good solution is to encrypt everything, and don't store the keys in flash.
Essentially, residual magnetism and other sciency-bits.
Suffice it to say, simply writing a bunch of zeros doesn't erase all traces of what was on. With old school HDs, you needed to write random data to each location multiple times -- there's a DoD spec for doing it (DoD 5220.22-M).
I believe the article is saying that it doesn't seem to work with SSDs.
Lost at C:>. Found at C.
I challenge anyone to find my MicroSD card. I've conducted extensive security audits to verify that no attacker, even one with inside information, can gain electronic or physical access to the disc.
Sure, but the drive casing probably didn't break open. It would have been made of aluminum, most likely, which isn't the best heat sink, but is better than nothing. The heat it was exposed to was probably intense but brief. So, the platters inside the drive were probably only exposed to a small amount of heat for a short period of time. The overnight fire that the grandparent post referred to would be hundreds of times longer and probably hotter too.
Block storage devices have more capacity than they report. Magnetic disks keep a small reserve of unallocated blocks as a hedge against blocks that fail in use. SSDs keep a much larger reserve because they can only erase in increments that are relatively large compared to their block size.
If you overwrite a sector on a magnetic disk, you will almost always destroy all traces of the old data. The exception is when the drive thinks the old sector has failed or is about to fail, in which case you get an entirely new sector, and your old data is still (possibly) on the old sector. Attacks using magnetic force microscopes to read data from track fringes were possible a decade ago, but there is no reason to think it is possible on a modern drive.
If you overwrite a sector on a SSD, the SSD gives you a whole new block from a list of free blocks, and adds the address of the old block to the list of deleted blocks. Blocks are moved from the deleted list to the free list when the SSD has some free time, or when one is really needed. There is currently no mechanism to force the SSD to actually erase a sector.
This is all known, and there are mechanisms built into the specs to provide a secure erase. What their research is showing, however, is that these mechanisms don't always work. A number of them are buggy, and at least one just plain lies, claiming to have done the secure erase, but actually just doing the normal pointer update trick just like any other write.
See that "Preview" button?
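The remapping behaviour described in the comment above, as an added example that is not part of the original thread: a toy flash translation layer showing why zeroing one file leaves the old page readable at chip level, and why the number of whole-drive passes needed depends on spare capacity. The class, its garbage-collection policy and all page sizes are constructed assumptions, not any vendor's firmware; `spare_pages` must be at least 1.

```python
SECRET = b"constructed-secret"   # constructed sample data
ZERO = b"\x00" * 16

class ToyFTL:
    """Toy flash translation layer; a constructed model, not real firmware."""
    def __init__(self, logical_pages, spare_pages):
        self.logical_pages = logical_pages
        self.flash = [None] * (logical_pages + spare_pages)  # raw physical pages
        self.l2p = {}                       # logical page -> physical page
        self.free = list(range(len(self.flash)))
        self.stale = []                     # superseded pages awaiting erase

    def write(self, lpn, data):
        if not self.free:                   # erase happens only when space runs out
            self.garbage_collect()
        ppn = self.free.pop(0)
        self.flash[ppn] = data
        if lpn in self.l2p:
            self.stale.append(self.l2p[lpn])  # old copy is unmapped, not erased
        self.l2p[lpn] = ppn

    def read(self, lpn):
        return self.flash[self.l2p[lpn]]

    def garbage_collect(self):
        for ppn in self.stale:
            self.flash[ppn] = None
        self.free.extend(self.stale)
        self.stale = []

    def remnants(self, needle):
        """Physical pages still holding needle, as a chip-level read would see."""
        return sum(1 for page in self.flash if page == needle)

def filled_drive(spare_pages, logical_pages=8, secret_lpn=3):
    ftl = ToyFTL(logical_pages, spare_pages)
    for lpn in range(logical_pages):
        ftl.write(lpn, SECRET if lpn == secret_lpn else b"filler")
    return ftl

def overwrite_one_file(spare_pages=4):
    ftl = filled_drive(spare_pages)
    ftl.write(3, ZERO)                      # file-level "shred" of logical page 3
    return ftl.read(3), ftl.remnants(SECRET)

def passes_to_clear(spare_pages, max_passes=10):
    ftl = filled_drive(spare_pages)
    for n in range(1, max_passes + 1):
        for lpn in range(ftl.logical_pages):
            ftl.write(lpn, ZERO)            # whole-drive zero pass
        if ftl.remnants(SECRET) == 0:
            return n
    return None
```

In this model the host reads zeros back from the overwritten page while the secret still sits in an unmapped physical page, and a drive with more spare pages than logical pages needs a second full pass before the stale copy is erased.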
It is important to note the section on feasibility in that Wikipedia link... Peter Gutmann did the original (public sector) research on recovering overwritten data on MFM hard drives with very low byte densities (by today's standards). Peter revisited the subject and found that a single overwrite pass, even if only zeroing out every bit, was sufficient to defeat the technique on "modern" drives (i.e. drives larger than 15GB and made in the past 5-7 years).
This means that if you look at the exact value rather than the interpretation you can make a guess at what values it has been before.
In theory, maybe. In practice, it's simply not possible. The conventional wisdom that you need to overwrite multiple times, or with patterns, or with random noise, or anything other than just a single pass of zeros is nothing but a myth.
You couldn't possibly seriously mean we should start reading the entrails? That is soo medieval.
It IS pretty much impossible, but that's not going to stop people from perpetuating the wives' tale for decades to come.
I actually have seen Magnetic Force Microscopy used as a tech demo to image the bits on a floppy disk. I asked the process owner if it could be used to extract data, and he just rolled his eyes. He said that besides the issues with modern hard drives having bits that are orders of magnitude smaller both in size and in magnetization, it's just impractical to extract any data, which should be obvious since it takes like 10 minutes to image a handful of bits. A handful of bits that could mean anything, and be anywhere on the disk platter, and anywhere in the file system, and which could represent erased or scrambled or encrypted data anyway. I think the idea that you could go beyond even that and divine what bits were written "UNDER" the current ones is just fantasy. I have heard rumors that NSA has made purchases of a large quantity of scanning probe microscopes for this purpose, but they could have just been buying some for testing...manufacturing volume for scanning probe microscopes is such that an order of a half-dozen of them would be an overwhelmingly large order.
No, that's only for attempting to perform a secure erase of a single file. The results for trying to secure-erase single files are so bad (and since there is no ATA command to securely erase only particular blocks on a drive) that it is unsafe to write data to an SSD and then hope to reliably remove that data from the drive without zeroing the entire drive.
If you'll RTFA carefully, though, you'll note that for all but one drive they tested, zeroing the entire drive was reliable. One drive had about 1% of the original data remaining after 20 passes. One drive was entirely erased in one pass. The other drives were entirely erased within 2 passes.
So, zeroing an entire SSD works as long as you use more than one pass. Zeroing individual files on an SSD doesn't work.
Give her a gift card for a spa or other "nice" thing to do for the day. She will (A) love you for it, (B) never need to know that you had a kiddie porn drive, or (C) that you baked said kiddie porn drive in the oven while downloading midget porn as a replacement.
"His name was James Damore."
This is a very popular myth, but after hunting for confirmation a few years ago I came up empty. Even the original author no longer stands behind this assertion. It's widely considered to be debunked: http://www.lawtechguru.com/archives/2009/03/11_multipass_erasure_myth_debunked.html
They later amended the platter removal terms with the following text, but still nobody accepted it.
Well, the DoD still seem to prefer more 'aggressive' techniques, and apparently don't agree with NIST on this (I believe this is what you were referencing):
1. We're paranoid
2. We still have old discs laying around. 10GB? Hah! I've seen 40 MB units, still operational, within the last year.
3. We want to be *SURE*, and the human factor is taken into account - we're willing to overkill on modern drives (and modern is relative), in order to make sure the older ones get wiped properly.
I don't read AC A human right
As someone else who's played around with magnetic force microscopes, recovering data off of a disk would be extremely time consuming. As the parent mentioned, you're talking several minutes to capture an image that's maybe 100 square micrometers (10x10 um). A floppy disk has several million square micrometers of surface area to image per side - you're literally talking centuries to read a disk this way.
The other problem is resolution. I haven't seen a microscope yet that can see the bits on a modern hard drive. If you want to see bits, you're generally imaging a floppy disk, or an old MFM/RLL hard drive. Zip disks also work well.
Of course, it could still be the wrong tool for the job. A $100k magnetic force microscope may take centuries to read a diskette, but a cheap $15 floppy drive can do it in about a minute.