Thought exercise: destroying data on an SSD
On other pages of this site, I discussed practical ways to irretrievably delete data on hard disks and memory cards. This page discusses possible ways to completely delete data from a Solid State Disk (SSD), which functions in ways significantly different from traditional hard disks and memory cards.
SSDs are becoming increasingly popular in personal computers. Compared to traditional (electromechanical) hard disks, SSDs offer the following advantages:
The main drawbacks are:
In the context of privacy, all this means that SSDs pose special problems:
Privacy concerns have been addressed by a few makers of SSDs. I do not know whether the actual technical solutions implemented in SSDs offer a true protection against all attacks, nor whether some or all of these solutions include intentional or accidental, exploitable weaknesses. Since these technical solutions are proprietary, there is no way for a user to assess the actual extent to which they protect data against recovery. I am discussing below the most common among these protection mechanisms.
A common way employed by drive manufacturers to protect data stored on an SSD against recovery is encryption of the data immediately before it is written to SSD flash memory, usually by firmware running on the electronics contained in the drive. The data is subsequently decrypted immediately after being read and before being sent to the computer. The encryption/decryption key(s) are stored in a dedicated flash memory location on the drive. This is not necessarily a part of the drive's storage area, and could be a physically separate flash memory area implemented as part of the controller circuits, and accessible only by specialized utilities.
This protection scheme is completely transparent to the user, and completely ineffective in protecting the recorded data (and much of the deleted data) until the user takes action by manually running a utility, provided by the drive manufacturer, that erases or changes the decryption key. This makes the data inaccessible to the user. Therefore, this is done only once the user no longer needs the data or the drive. Until then, the data remains accessible to anyone with physical or remote access to the drive. Therefore, this encryption is no protection against the drive being seized or stolen, or the system access being compromised.
After the decryption key has been destroyed, the encrypted data is still present on the disk, and can still be decrypted by the usual cryptographic attacks exploiting specific intentional/accidental weaknesses or using brute force and dictionary/guessing attacks. Possible weaknesses of this protection scheme that remain unknown to the user may be, for instance:
Such keys may be either complete, allowing an immediate decryption of the drive contents after the user has erased his/her key, or partial, making cryptographic brute-force attacks significantly easier for an attacker with access to considerable computing facilities (e.g., a government). The extra key(s) and/or compromised cryptographic algorithms can be generated by the manufacturer and deposited by the latter with secret services or other authorities (either routinely, or after the authorities require the backdoor key for one specific device.
Backdoor keys can alternatively be generated and stored by secret services and provided by the latter, in batches, to the drive manufacturer for use in new products.
It is only a matter of time until knowledge of these techniques becomes more widespread. Crime syndicates, for instance, are likely to pay a top cryptanalyst a lot more than a state department is willing to, and there is a well-documented tendency for authorities to extend to many other fields of investigation and snooping the cryptographic breakthroughs originally developed to provide legitimate access to information for national security reasons.
It may be noted that changing the SSD encryption key may not protect against the above weaknesses. Since changing this password is done by calling a function in the SSD firmware, it is sufficient for the SSD firmware to add the backdoor keys once again when the new key is entered, thus making the key-change operation useless in terms of additional security against the holder of the backdoor keys.
In practice, physical destruction of an SSD is the most secure way to prevent the recovery of data stored on an SSD. Specifically, this is done by grinding the memory chips. In practice, however, the large number of memory chips in a typical SSD, the lack of large metal parts and the usually small physical size (3.5" or, increasingly commonly, 2.5") mean that it is practical to grind an SSD as a whole. Precautions must be taken to protect one's eyes and avoid inhaling the toxic dust and fumes, as well as protecting against spark showers caused by internal metal fastenings and screws. Some SSD drive casings may contain a "gunky" or oily heat-conductive paste or gel, and therefore it is a good idea to collect the ground material in a non-combustible bucket as it leaves the grinder.
If the SSD drive must be re-used or sold, completely removing all data (as opposed to changing the encryption key) is less likely to succeed. In particular, the only way to remove any data stored in memory regions marked as bad is by first un-marking these regions. This is only possible by using special utilities, which with present SSDs may be manufacturer-specific and not widely available (Intel and OCZ, for instance, make these utilities available for their drives). Generic tools are available, for instance TechSpot, HDAT2, KillDisk and DBAN, but I am not certain whether they are effective with all SSD types. This is equivalent to a low-level format on a traditional hard disk, and is not guaranteed to actually overwrite the "bad" clusters.
Utilities designed to low-level format traditional hard disks may not work on SSDs. What is worse, these utilities may appear to work, but may not have the intended effect.
In principle, all functioning memory locations on an SSD can be overwritten by filling the drive with random data. I recommend first filling the drive with large files, then formatting it, and subsequently filling it once more with a large number of small files (in a manner similar to the procedure for deleting memory cards). The formatting operation is not for added safety. It is only a faster way to start once more with an "empty" disk than deleting the files one by one.
In principle, a secure SDD could be designed by enhancing its firmware. One possibility would be by physically overwriting with pseudorandom data all disk locations that the operating system requests to mark as free, or requests to overwrite, before the new data is written somewhere else on the disk. The most obvious drawbacks are that this would make disk operations slower, and roughly halve the lifetime of the disk.
Since I first wrote this page, I found support for the above ideas from a number of sources. In particular, not all SSDs have built-in, native encryption (which may be a partially useful solution to privacy concerns), and many have potential loopholes in their encryption or wipe routines that may leave the original contents accessible for recovery. See, for instance:
It remains possible to use external, open-source encryption software to protect the data stored on an SSD (or any other type of mass storage device). This approach requires no intervention by the user prior to the drive changing hands, as long as the decryption key is not stored anywhere on the system and is chosen to be impossible to guess. This does protect the data stored on an SSD, and largely removes concerns about the degree of protection afforded by internal encryption. It does not address other types of privacy attacks (e.g., weaknesses in the choice of keys, unknown weaknesses in cryptographic algorithms or their implementation, data interception and forwarding to an external party by software or hardware installed in the system without the knowledge of the user).
SSDs pose special privacy concerns. At this time, I don't regard the option of completely wiping a generic SSD drive before selling it as a secure option, and recommend physical destruction by grinding as the only secure solution. Disk encryption by external, open-source software remains a usable solution to protect data while the drive is still in use, but only as good as the total security of the system against intrusions.