Thought exercise: destroying data on an SSD  

On other pages of this site, I discussed practical ways to irretrievably delete data on hard disks and memory cards. This page discusses possible ways to completely delete data from a Solid State Disk (SSD), which functions in ways significantly different from traditional hard disks and memory cards.

Figure 1. Example of a small SSD after removing its casing.

SSDs function in a similar way to hard disks, memory cards and USB sticks in the sense that space on one of these storage devices is allocated in clusters. A cluster is the minimum amount of bytes that can be allocated to a file. For example, if the size of a file is not an exact multiple of the cluster size, the last cluster of the file may contain fewer data bytes than the cluster size, with the remaining bytes after the EOF (End Of File) marker often left unchanged (and therefore potentially containing some data that was originally part of an earlier, now overwritten file).

SSDs are increasingly popular in personal computers. Many laptops, for example, are delivered from factory with an SSD instead of a traditional (electromechanical) hard disk. Compared to traditional hard disks, SSDs offer the following advantages:

  • No moving parts, totally silent, essentially unaffected by impacts and vibrations.
  • Much faster access to stored information. For instance, a hard reboot of a PC takes seconds instead of minutes.
  • No rotational delay, and essentially no latency time. It does not matter where on the disk data is stored, and whether a file is fragmented. Defragmenting an SSD and moving often-used files to a particular region of the storage is not necessary, does not improve file access, and does in fact slightly shorten the life of the SSD.

The main drawbacks are:

  • SSD capacity is smaller than traditional hard disks of the same price range.
  • A given memory location can be overwritten a limited number of times (much fewer than on a traditional hard disk) before becoming unreliable. To alleviate this problem, when a cluster is overwritten, as a rule it is stored at a different, previously unused address range than the original file. In time, this uses all memory locations and increases the lifetime expectancy of the drive. Eventually, failed memory regions are marked as bad and never used again, which means that the capacity of the drive slowly decreases with time.

The prices of SSDs are decreasing, but this is not just due to higher sales volumes and improved manufacturing technology. One of the reasons is that they use flash memory, in which each memory cell is intrinsically capable of storing a voltage, rather than a 0 or 1 bit. This allows manufacturers to store 2, 4 or more bits of data in just one cell.

For example, in a cell that can store a charge from 0 to 1 Volts, it is possible to store 0.00V (representing a logical value of 0), 0.33V (logical 1), 0.66V (logical 2), or 1.00V (logical 3), so this cell stores two bits, and the device can store twice the amount of data in the same amount of flash memory. A small deviation from the nominal voltage, for example 0.39V, does not cause a data corruption. The problem is that, once this voltage has been stored for a long time (years or decades) or the cell degrades by being overwritten a number of times, the voltage changes a little bit. If it changes enough, for example to 0.16V, it may be read either as logical 0 or logical 1, so the data is corrupted. Checksums can be used to transparently correct errors in a small number of bits and to detect corruption in a larger number of bits, but they require additional memory cells.

SSDs that store only one bit per flash memory cell are obviously more reliable, but also more expensive than those made with multi-level flash memory. Although flash memory is slowly becoming better, multi-level flash is always less reliable than single-bit flash. Consider this factor before choosing to buy a cheaper SSD drive.

In the context of privacy, all this means that SSDs pose special problems:

  • Especially in SSDs with a lot of empty space, many subsequent versions of the same file often exist on the device, and therefore overwriting a file any number of times is no guarantee that its earlier versions have been deleted. In fact, overwriting a file only creates more copies of its contents on the SSD.
  • A special concern applies to disk encryption software and SSDs: some of this software seems to first store a large incoming file as plaintext on the disk, to avoid holding up disk access during the time-consuming encryption process. Only subsequently, the plaintext file is overwritten to in encrypted format while the drive is not being read or written. For the reasons discussed above, this may leave the "temporary" plaintext data non-overwritten and still available to forensic tools on the SSD after the encryption process is completed.
  • It is difficult or impossible to overwrite the contents of disk clusters marked as bad, which may still contain sensitive information. These areas may be simply tagged as non-accessible without wiping their contents, and may be untagged and read by forensic inspection tools even if the read process results in a checksum error. Typically, only a few bytes in a "bad" cluster may be corrupted and truly unreadable.

Privacy concerns have been addressed by a few makers of SSDs. I do not know whether the actual technical solutions implemented in SSDs offer a true protection against all attacks, nor whether some or all of these solutions include intentional or accidental, exploitable weaknesses. Since these technical solutions are proprietary, there is no way for a user to assess the actual extent to which they protect data against recovery. I am discussing below the most common among these protection mechanisms.

A common way employed by drive manufacturers to protect data stored on an SSD against recovery is encryption of the data immediately before it is written to SSD flash memory, usually by firmware running on the electronics contained in the drive. The data is subsequently decrypted immediately after being read and before being sent to the computer. The encryption/decryption key(s) are stored in a dedicated flash memory location on the drive. This is not necessarily a part of the drive's storage area, and could be a physically separate flash memory area implemented as part of the controller circuits, and accessible only by specialized utilities.

This protection scheme is completely transparent to the user, and completely ineffective in protecting the recorded data (and much of the deleted data) until the user takes action by manually running a utility, provided by the drive manufacturer, that erases or changes the decryption key. This makes all the data on the SSD inaccessible to the user. Therefore, this is done only once the user no longer needs the data or the drive. Until then, the data remains accessible to anyone with physical or remote access to the drive. Therefore, this encryption is no protection against the drive being seized or stolen, or the system access being compromised.

After the decryption key has been destroyed, the encrypted data is still present on the disk, and can still be decrypted by the usual cryptographic attacks exploiting specific intentional/accidental weaknesses or using brute force and dictionary/guessing attacks. Possible weaknesses of this protection scheme that remain unknown to the user may be, for instance:

  • The manufacturer has designed the decryption algorithm to accept one or more backdoor keys known to the manufacturer but not to the user.

Such keys may be either complete, allowing an immediate decryption of the drive contents after the user has erased his/her key, or partial, making cryptographic brute-force attacks significantly easier for an attacker with access to considerable computing facilities (e.g., a government). The extra key(s) and/or compromised cryptographic algorithms can be generated by the manufacturer and deposited by the latter with secret services or other authorities (either routinely, or after the authorities require the backdoor key for one specific device).

Backdoor keys can alternatively be generated and stored by the government and provided by the latter, in batches, to the drive manufacturer for use in new products. The same backdoor key may even be used by the manufacturer on a whole production batch of SSDs, to make it easier for the government.

  • The cryptographic algorithms have intentionally been weakened, so that they are still strong enough to protect against a casual intruder, but not against a concerted attack with substantial computer resources. This seems to be the case with some versions of cryptographic algorithms used in commercial products.
  • As suggested by incomplete information recently made public, it is possible that some of the most used decryption algorithms, although not intentionally crippled, have been broken by secret services and are no longer secure from their attacks.

It is only a matter of time until knowledge of these techniques becomes more widespread. Crime syndicates, for instance, are likely to pay a top cryptanalyst a lot more than a state department is willing to, and there is a well-documented tendency for authorities to extend to many other fields of investigation and snooping the cryptographic breakthroughs originally developed to provide legitimate access to information for national security reasons.

It may be noted that changing the SSD encryption key may not protect against the above weaknesses. Since changing this password is done by calling a function in the SSD firmware, it is sufficient for the SSD firmware to add the backdoor keys once again when the new key is entered, thus making the key-change operation useless in terms of additional security against the holder of the backdoor keys.

In practice, physical destruction of an SSD is the most secure way to prevent the recovery of data stored on an SSD. Specifically, this is done by grinding the memory chips. In practice, however, the large number of memory chips in a typical SSD, the lack of large metal parts and the usually small physical size (3.5" or, increasingly commonly, 2.5") mean that it is practical to grind an SSD as a whole. Precautions must be taken to protect one's eyes and avoid inhaling the toxic dust and fumes, as well as protecting against spark showers caused by internal metal fastenings and screws. Some SSD drive casings may contain a "gunky" or oily heat-conductive paste or gel, and therefore it is a good idea to collect the ground material in a non-combustible bucket as it leaves the grinder.

If the SSD drive must be re-used or sold, completely removing all data (as opposed to changing the encryption key) is less likely to succeed. In particular, the only way to remove any data stored in memory regions marked as bad is by first un-marking these regions. This is only possible by using special utilities, which with present SSDs may be manufacturer-specific and not widely available (Intel and OCZ, for instance, make these utilities available for their drives). Generic tools are available, for instance TechSpot, HDAT2, KillDisk and DBAN, but I am not certain whether they are effective with all SSD types. This is equivalent to a low-level format on a traditional hard disk, and is not guaranteed to actually overwrite the "bad" clusters.

Utilities designed to low-level format traditional hard disks may not work on SSDs. What is worse, these utilities may appear to work, but may not have the intended effect.

In principle, all functioning memory locations on an SSD can be overwritten by filling the drive with random data. I recommend first filling the drive with large files, then formatting it, and subsequently filling it once more with a large number of small files (in a manner similar to the procedure for deleting memory cards). The formatting operation is not for added safety. It is only a faster way to start once more with an "empty" disk than deleting the files one by one.

In principle, a secure SDD could be designed by enhancing its firmware. One possibility would be by physically overwriting with pseudo-random data all disk locations that the operating system requests to mark as free, or requests to overwrite, before the new data is written somewhere else on the disk. The most obvious drawbacks are that this would make disk operations slower, and roughly halve the lifetime of the disk.

Since I first wrote this page, I found support for the above ideas from a number of sources. In particular, not all SSDs have built-in, native encryption (which may be a partially useful solution to privacy concerns), and many have potential loopholes in their encryption or wipe routines that may leave the original contents accessible for recovery. See, for instance:
Cnet
Apple
NVSL
ComputerWorld

It remains possible to use external, open-source encryption software to protect the data stored on an SSD (or any other type of mass storage device). This approach requires no intervention by the user prior to the drive changing hands, as long as the decryption key is not stored anywhere on the system and is chosen to be impossible to guess. This does protect the data stored on an SSD, and largely removes concerns about the degree of protection afforded by internal encryption. It does not address other types of privacy attacks (e.g., weaknesses in the choice of keys, unknown weaknesses in cryptographic algorithms or their implementation, data interception and forwarding to an external party by software or hardware installed in the system without the knowledge of the user).

Conclusions

SSDs pose special privacy concerns. At this time, I don't regard the option of completely wiping a generic SSD drive before selling it as a secure option, and recommend physical destruction by grinding as the only secure solution.Disk encryption by external, open-source software remains a usable solution to protect data while the drive is still in use, but only as good as the total security of the system against intrusions.