SSD security: the worst of all worlds

Data security on SSDs is a mess. Good luck removing data! Preserve it for digital forensics? Uh-oh. Secure erase might work, but is that good enough?
Written by Robin Harris, Contributor


SSD data recovery
SSD security is important because data recovery is so much easier than for hard drives. For less than $1k you can buy the equipment that will read flash chips.

Flash SSD architecture leaves sensitive data at risk. Unlike hard drives, when flash SSDs rewrite a block, they don't overwrite a fixed block: they grab some empty block and write over that, leaving the original data untouched.

Architectural insecurity
Flash is written to the first free 128k or 256k blocks. Rewriting means making a copy of the block and writing the old data plus the new data to another block.

Flash drive controllers virtualize the flash capacity through the flash translation layer (FTL). The blocks your OS sees are not the blocks that are being written. In addition, flash SSDs maintain a large pool of capacity that is not seen by the operating system.

Which leaves your old data on the old block. New writes are written to the first free location, not, as on a disk, to a specified physical location.

Garbage collection eventually overwrites the old block to add it to the free block pool. Cheaper MLC drives avoid aggressive garbage collection because it wears out the drive sooner.

In addition, the flash failure mode is that the block cannot be written. As blocks reach their end of life, they may not get rewritten at all - leaving sensitive data there for years.

In the meantime you can have tens of gigabytes of data sitting on capacity that your OS can't see. And as with hard disks, "deleting" a file does nothing of the sort.

File deletion
As a result, OS-based file erasure doesn't work well. None of the tested methods - including US DoD 5220.22-M using multiple overwrites - succeeded in always erasing all of a file.

File system deletes left anywhere from 4 to 91% of a file on an SSD. Even free space overwriting left a majority of the data intact on all the drives.

(In)secure erase
The ATA command set has a secure erase function - disabled by most BIOSes - that will wipe a hard drive. But the researchers found that SATA SSD implementations of secure erase ranged from dire to successful.

3 of 7 tested drives did not properly execute the secure erase command. One drive reported a successful erase but didn't erase anything.
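To make the three points above concrete - out-of-place writes through the FTL, host overwrites that leave the original pages on the chip, and a secure erase that must be verified rather than trusted - here is a toy FTL model. It is an added example, not code from the article or from the UC San Diego paper. The page size, spare-pool size and the lazy garbage-collection policy are assumptions chosen to make the behaviour visible; real drives erase whole blocks rather than single pages. `raw_dump()` stands in for what a chip-level reader would see, and `verify_secure_erase()` shows the check a practitioner wants after the firmware reports success.

```python
"""Toy flash translation layer (FTL) model.

Added example, not from the article or the UCSD paper. Page size, pool
size and the garbage-collection policy are assumptions chosen to make
the out-of-place write behaviour visible; real drives erase whole
blocks, not single pages.
"""
import hashlib

PAGE_SIZE = 16  # bytes per page in the toy model; real pages are KiB-sized


class ToySSD:
    """Logical pages map to physical pages; every write lands on a free page."""

    def __init__(self, physical_pages):
        self.flash = [None] * physical_pages   # raw chip contents, None = erased
        self.stale = [False] * physical_pages  # unmapped but still holding old data
        self.ftl = {}                          # logical page -> physical page

    def _garbage_collect(self):
        # Lazy GC, run only when the free pool is exhausted: erase stale pages.
        for ppa, is_stale in enumerate(self.stale):
            if is_stale:
                self.flash[ppa] = None
                self.stale[ppa] = False

    def _allocate(self):
        # First free page wins; the host never chooses the physical location.
        for attempt in range(2):
            for ppa, page in enumerate(self.flash):
                if page is None:
                    return ppa
            if attempt == 0:
                self._garbage_collect()
        raise RuntimeError("no free flash pages even after garbage collection")

    def write(self, lpa, data):
        assert len(data) == PAGE_SIZE
        ppa = self._allocate()
        self.flash[ppa] = data
        if lpa in self.ftl:
            self.stale[self.ftl[lpa]] = True   # old copy is orphaned, not erased
        self.ftl[lpa] = ppa

    def read(self, lpa):
        """What the host sees through the FTL: only the current mapping."""
        return self.flash[self.ftl[lpa]] if lpa in self.ftl else None

    def raw_dump(self):
        """What a chip-level reader sees: every programmed physical page."""
        return [page for page in self.flash if page is not None]

    def secure_erase(self, faithful=True):
        """ATA SECURITY ERASE UNIT analogue; broken firmware reports success without erasing."""
        if faithful:
            self.flash = [None] * len(self.flash)
            self.stale = [False] * len(self.stale)
            self.ftl = {}
        return True


def secret_pages(count=4):
    """Constructed sample 'file' occupying `count` logical pages."""
    return [f"secret-page-{i}".encode().ljust(PAGE_SIZE, b"\0") for i in range(count)]


def remnant_count(dev, pages):
    """Physical pages still holding an exact copy of `pages`, found by hashing the raw dump."""
    wanted = {hashlib.sha256(p).digest() for p in pages}
    return sum(1 for p in dev.raw_dump() if hashlib.sha256(p).digest() in wanted)


def host_overwrite(dev, lpas, passes):
    """Multi-pass overwrite issued through the file system, as DoD 5220.22-M style tools do."""
    for n in range(passes):
        fill = bytes([0xAA if n % 2 == 0 else 0x55]) * PAGE_SIZE
        for lpa in lpas:
            dev.write(lpa, fill)


def demo_overwrite(physical_pages):
    """Write a 4-page secret, overwrite it 3 times from the host, count chip-level remnants."""
    dev = ToySSD(physical_pages)
    secret = secret_pages()
    for lpa, page in enumerate(secret):
        dev.write(lpa, page)
    host_overwrite(dev, range(len(secret)), passes=3)
    assert all(dev.read(lpa) != secret[lpa] for lpa in range(len(secret)))  # host sees it gone
    return remnant_count(dev, secret)


def verify_secure_erase(faithful):
    """Trust but verify: after the drive reports success, scan the raw chip for remnants."""
    dev = ToySSD(physical_pages=64)
    secret = secret_pages()
    for lpa, page in enumerate(secret):
        dev.write(lpa, page)
    reported_ok = dev.secure_erase(faithful=faithful)
    return reported_ok and remnant_count(dev, secret) == 0


if __name__ == "__main__":
    print("remnants with ample spare pool:", demo_overwrite(64))   # 4
    print("remnants once GC was forced:   ", demo_overwrite(8))    # 0
    print("faithful secure erase verified:", verify_secure_erase(True))
    print("broken secure erase verified:  ", verify_secure_erase(False))
```

With a large spare pool, three full overwrite passes leave every original page intact on the chip even though the host reads back only the fill pattern; shrinking the pool to 8 pages forces garbage collection and the remnants disappear, which is the "eventually" in the article. The erase check is the same hash-scan of the raw dump, and it is the only thing that distinguishes a drive that erased from one that merely said it did.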

In a paper (pdf) presented at FAST - File And Storage Technology - '11, Michael Wei, Laura M. Grupp, Frederick E. Spada and Steven Swanson of UC San Diego discuss their research into SSD security. They found that techniques that work on disks - other than physical destruction - don't work on SSDs.

That includes multiple overwrites - the single most popular method on hard drives - which on SSDs don't overwrite the original data at all. If data security is vital, physical destruction is the only sure method today.

The flip side
Another paper by academic researchers, Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? (pdf), finds that

. . . solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.

The Storage Bits take
In SSDs we have the worst of both security worlds: we can't reliably remove or preserve data. It won't take long for horror stories to start popping up.

Comments welcome, of course.
