Thought exercise: destroying data on an SSD  

On other pages of this site, I discussed practical ways to irretrievably delete data on hard disks and memory cards. This page discusses possible ways to completely delete data from a Solid State Disk (SSD), which functions in ways significantly different from traditional hard disks and memory cards.

SSDs are becoming increasingly popular in personal computers. Compared to traditional (electromechanical) hard disks, SSDs offer the following advantages:

  • No moving parts, totally silent, no sensitivity to impacts and vibrations.
  • Much faster access to stored information. For instance, a hard reboot of a PC takes seconds instead of minutes.
  • No rotational delay, and essentially no latency time. It does not matter where on the disk data is stored, and whether a file is fragmented.

The main drawbacks are:

  • SSD capacity is smaller than traditional hard disks of the same price range.
  • A given memory location can be overwritten a limited number of times (much fewer than on a traditional hard disk) before becoming unreliable. To alleviate this problem, when a file is overwritten, as a rule it is stored at a different, previously unused address range than the original file. In time, this uses all memory locations and increases the lifetime expectancy of the drive. Eventually, failed memory regions are marked as bad and never used again, which means that the capacity of the drive slowly decreases with time.

In the context of privacy, all this means that SSDs pose special problems:

  • Especially in SSDs with a lot of empty space, many subsequent versions of the same file still exist on the hard disk, and therefore overwriting a file any number of times is no guarantee that it has been deleted.
  • A special concern applies to disk encryption software and SSDs: some of this software seems to first store a large incoming file as plaintexton the disk, to avoid holding up disk access during the time-consuming encryption process. Only subsequently, the plaintext file is overwrittento in encrypted format. For the reasons discussed above, this often leaves the "temporary" plaintext data non-overwritten and still available to forensic tools on the SSD after the encryption process is completed.
  • It is difficult or impossible to get rid of the contents of disk areas marked as bad, which may still contain sensitive information. These areas are simple tagged as non-accessible without wiping their contents, and may be untagged and read by forensic inspection tools even if the read process results in a checksum error. In the worst cases, only a few bytes in a "bad" cluster may be corrupted and truly unreadable.

Privacy concerns have been addressed by a few makers of SSDs. I do not know whether the actual technical solutions implemented in SSDs offer a true protection against all attacks, nor whether some or all of these solutions include intentional or accidental, exploitable weaknesses. Since these technical solutions are proprietary, there is no way for a user to assess the actual extent to which they protect data against recovery. I am discussing below the most common among these protection mechanisms.

A common way employed by drive manufacturers to protect data stored on an SSD against recovery is encryption of the data immediately before it is written to SSD flash memory, usually by firmware running on the electronics contained in the drive. The data is subsequently decrypted immediately after being read and before being sent to the computer. The encryption/decryption key(s) are stored in a dedicated flash memory location on the drive. This is not necessarily a part of the drive's storage area, and could be a physically separate flash memory area implemented as part of the controller circuits, and accessible only by specialized utilities.

This protection scheme is completely transparent to the user, and completely ineffective in protecting the recorded data (and much of the deleted data) until the user takes action by manually running a utility, provided by the drive manufacturer, that erases or changes the decryption key. This makes the data inaccessible to the user. Therefore, this is done only once the user no longer needs the data or the drive. Until then, the data remains accessible to anyone with physical or remote access to the drive. Therefore, this encryption is no protection against the drive being seized or stolen, or the system access being compromised.

After the decryption key has been destroyed, the encrypted data is still present on the disk, and can still be decrypted by the usual cryptographic attacks exploiting specific intentional/accidental weaknesses or using brute force and dictionary/guessing attacks. Possible weaknesses of this protection scheme that remain unknown to the user may be, for instance:

  • The manufacturer has designed the decryption algorithm to accept one or more backdoor keys known to the manufacturer but not to the user.

Such keys may be either complete, allowing an immediate decryption of the drive contents after the user has erased his/her key, or partial, making cryptographic brute-force attacks significantly easier for an attacker with access to considerable computing facilities (e.g., a government). The extra key(s) and/or compromised cryptographic algorithms can be generated by the manufacturer and deposited by the latter with secret services or other authorities (either routinely, or after the authorities require the backdoor key for one specific device.

Backdoor keys can alternatively be generated and stored by secret services and provided by the latter, in batches, to the drive manufacturer for use in new products.

  • The cryptographic algorithms have intentionally been weakened, so that they are still strong enough to protect agains a casual intruder, but not against a concerted attack with substantial computer resources. This seems to be the case with some versions of cryptographic algorithms used in commercial products.
  • As suggested by incomplete information recently made public, it is possible that some of the most used decryption algorithms, although not intentionally crippled, have been broken by secret services and are no longer secure from their attacks.

It is only a matter of time until knowledge of these techniques becomes more widespread. Crime syndicates, for instance, are likely to pay a top cryptanalyst a lot more than a state department is willing to, and there is a well-documented tendency for authorities to extend to many other fields of investigation and snooping the cryptographic breakthroughs originally developed to provide legitimate access to information for national security reasons.

It may be noted that changing the SSD encryption key may not protect against the above weaknesses. Since changing this password is done by calling a function in the SSD firmware, it is sufficient for the SSD firmware to add the backdoor keys once again when the new key is entered, thus making the key-change operation useless in terms of additional security against the holder of the backdoor keys.

In practice, physical destruction of an SSD is the most secure way to prevent the recovery of data stored on an SSD. Specifically, this is done by grinding the memory chips. In practice, however, the large number of memory chips in a typical SSD, the lack of large metal parts and the usually small physical size (3.5" or, increasingly commonly, 2.5") mean that it is practical to grind an SSD as a whole. Precautions must be taken to protect one's eyes and avoid inhaling the toxic dust and fumes, as well as protecting against spark showers caused by internal metal fastenings and screws. Some SSD drive casings may contain a "gunky" or oily heat-conductive paste or gel, and therefore it is a good idea to collect the ground material in a non-combustible bucket as it leaves the grinder.

If the SSD drive must be re-used or sold, completely removing all data (as opposed to changing the encryption key) is less likely to succeed. In particular, the only way to remove any data stored in memory regions marked as bad is by first un-marking these regions. This is only possible by using special utilities, which with present SSDs may be manufacturer-specific and not widely available (Intel and OCZ, for instance, make these utilities available for their drives). Generic tools are available, for instance TechSpot, HDAT2, KillDisk and DBAN, but I am not certain whether they are effective with all SSD types. This is equivalent to a low-level format on a traditional hard disk, and is not guaranteed to actually overwrite the "bad" clusters.

Utilities designed to low-level format traditional hard disks may not work on SSDs. What is worse, these utilities may appear to work, but may not have the intended effect.

In principle, all functioning memory locations on an SSD can be overwritten by filling the drive with random data. I recommend first filling the drive with large files, then formatting it, and subsequently filling it once more with a large number of small files (in a manner similar to the procedure for deleting memory cards). The formatting operation is not for added safety. It is only a faster way to start once more with an "empty" disk than deleting the files one by one.

In principle, a secure SDD could be designed by enhancing its firmware. One possibility would be by physically overwriting with pseudorandom data all disk locations that the operating system requests to mark as free, or requests to overwrite, before the new data is written somewhere else on the disk. The most obvious drawbacks are that this would make disk operations slower, and roughly halve the lifetime of the disk.

Since I first wrote this page, I found support for the above ideas from a number of sources. In particular, not all SSDs have built-in, native encryption (which may be a partially useful solution to privacy concerns), and many have potential loopholes in their encryption or wipe routines that may leave the original contents accessible for recovery. See, for instance:
Cnet
Apple
NVSL
ComputerWorld

It remains possible to use external, open-source encryption software to protect the data stored on an SSD (or any other type of mass storage device). This approach requires no intervention by the user prior to the drive changing hands, as long as the decryption key is not stored anywhere on the system and is chosen to be impossible to guess. This does protect the data stored on an SSD, and largely removes concerns about the degree of protection afforded by internal encryption. It does not address other types of privacy attacks (e.g., weaknesses in the choice of keys, unknown weaknesses in cryptographic algorithms or their implementation, data interception and forwarding to an external party by software or hardware installed in the system without the knowledge of the user).

Conclusions

SSDs pose special privacy concerns. At this time, I don't regard the option of completely wiping a generic SSD drive before selling it as a secure option, and recommend physical destruction by grinding as the only secure solution. Disk encryption by external, open-source software remains a usable solution to protect data while the drive is still in use, but only as good as the total security of the system against intrusions.


web counter