Flash disks lack secure deletion, researchers find

Existing approaches for secure data deletion from SSDs are not entirely reliable even when implemented by the drive manufacturers themselves, according to researchers
Written by Jack Clark, Contributor

Contemporary methods used by enterprises to irreversibly erase data from flash memory may not be 100-percent reliable, academics have found.

Researchers in the University of California at San Diego's non-volatile systems laboratory have found that the methods used to totally remove data from hard disk drives (HDDs) beyond even forensic recovery — a process known as sanitisation — are not guaranteed to work on solid-state drives (SSDs).

Furthermore, manufacturer-designed data sanitisation packages may not be implemented correctly, according to the paper "Reliably Erasing Data from Flash-Based Solid State Drives" (PDF), delivered on Wednesday at the USENIX file and storage technologies (Fast) conference in San Jose.

"The complexity of SSDs relative to hard drives requires that they provide built-in sanitisation commands," the researchers wrote. "Our tests show that since manufacturers do not always implement these commands correctly, the commands should be verifiable as well.

"Current and proposed ATA and SCSI standards provide no mechanism for verification and the current trend toward encrypting SSDs makes verification even harder," they added.

Existing techniques used on HDDs to delete individual files — such as financial or legal documents — while preserving the rest of the drive's data were ineffective on SSDs, the research found.

The researchers said that overwriting the entire address space of an SSD is not guaranteed to sanitise the drive, and that manufacturer-designed built-in commands for file erasure are sometimes implemented incorrectly. The problem occurs because SSDs perform many hidden data copies between physical areas of their chips, in order to even out drive wear and optimise data transfer speeds, and old data can be left behind in areas invisible to high-level drive commands.
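The effect described above can be shown with a toy model. This Python sketch is an added example, not code from the paper or the article; the class `ToySSD`, the helper `raw_remnants`, the page counts and the marker data are all constructed for illustration. It shows a full logical overwrite reading back clean through the host interface while superseded copies remain in raw flash.

```python
# Toy flash translation layer (FTL). Constructed model for illustration only;
# it is not any real drive's firmware, and all names here are hypothetical.

class ToySSD:
    def __init__(self, logical_pages, spare_pages):
        self.logical_pages = logical_pages
        self.flash = [None] * (logical_pages + spare_pages)  # raw physical pages
        self.l2p = {}                          # logical page -> live physical page
        self.free = list(range(len(self.flash)))
        self.stale = []                        # superseded copies awaiting erase

    def write(self, lpn, data):
        """Out-of-place write: new data goes to a fresh physical page."""
        if not self.free:                      # reclaim lazily, one page at a time
            victim = self.stale.pop(0)
            self.flash[victim] = None
            self.free.append(victim)
        ppn = self.free.pop(0)
        self.flash[ppn] = data
        if lpn in self.l2p:
            self.stale.append(self.l2p[lpn])   # old copy is unmapped, not erased
        self.l2p[lpn] = ppn

    def read(self, lpn):
        """What the host sees through the normal block interface."""
        return self.flash[self.l2p[lpn]]

    def erase_all(self):
        """Model of a correctly implemented built-in erase: every physical page."""
        self.flash = [None] * len(self.flash)
        self.l2p, self.stale = {}, []
        self.free = list(range(len(self.flash)))

def raw_remnants(ssd, marker):
    """Scan raw flash, bypassing the FTL, for pages still holding the marker."""
    return [p for p, d in enumerate(ssd.flash) if d and marker in d]

def demo():
    ssd = ToySSD(logical_pages=8, spare_pages=4)
    for lpn in range(8):                       # constructed marker data
        ssd.write(lpn, b"FINGERPRINT-%d" % lpn)
    for lpn in range(8):                       # overwrite whole logical space
        ssd.write(lpn, b"\x00" * 16)
    host_clean = all(ssd.read(l) == b"\x00" * 16 for l in range(8))
    after_overwrite = raw_remnants(ssd, b"FINGERPRINT")
    ssd.erase_all()
    return host_clean, after_overwrite, raw_remnants(ssd, b"FINGERPRINT")

if __name__ == "__main__":
    print(demo())
```

In this model the host reads zeros from every logical page, yet four physical pages still hold marker data until every physical page is erased.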

Sanitisation test

In a test of built-in ATA sanitise commands on 12 drives, eight drives claimed the ability to erase all user-accessible areas on the drive. Four were successful, three failed to reliably erase data and one was unknown because it encrypted the data.

Additionally, five of the 12 drives supported the secure erasure of all drive data, including non-accessible areas. Of these, four were successful and one was unknown, again because it encrypted the data.

The researchers concluded that the erase procedures provided by manufacturers should be verifiable as well, so that users could easily check post-sanitisation that their data had been removed.

Data from the drives was extracted and tested by a custom-built field-programmable gate array named Ming the Merciless.

Established techniques for deleting all data on HDDs failed when used on SSDs, the researchers found. One method, known as degaussing, involves exposing the drive to strong alternating magnetic fields to scramble the data held on the drive. However, when researchers degaussed the SSDs using an NSA-evaluated HDD degausser they found that "in all cases, the [SSD] data remained intact".

Although solid state drives do not store data in a format that can be erased magnetically, the researchers had thought that high induced eddy currents in the chips' internal conductors could have physically put the data beyond reach; this did not happen.

No single method exists for the reliable erasure of a single specific file, the researchers found. Within the paper, the researchers proposed three methods that would make single file erasure fast and effective.

"Overall, we conclude that the increased complexity of SSDs relative to hard drives requires that SSDs provide verifiable sanitisation operations," the researchers said.
