SSD drives difficult to wipe securely, researchers find

Current methods for securely wiping data from magnetic hard disks simply aren't reliable enough to use on solid state drives (SSDs), a detailed study by engineers at the University of California has found.

The techies at the university’s Department of Computer Science and Engineering uncovered a range of problems in secure SSD ‘sanitisation’ of both whole drives and individual files, starting with problems in the way some drive firmware implemented the ATA/SCSI commands to conduct the erase function.

The researchers tested twelve unnamed SSD drives, and found that only four of them successfully erased the test whole-drive fingerprint image. Of the remaining eight, four did not support data erasure (three of these were removable USB drives), one was encrypted and so erasure could not be verified.

Three drives failed, two because of bugs in the firmware, and one reported success despite the fact that all data on it remained intact and accessible.

The results for wiping a single file from an SSD using a range of common sanitisation protocols were even worse, with between 4 percent and 75 percent of the data recoverable. USB drives fared poorly as well, with between 0.57 percent and 84.9 percent of data still accessible.

The team even tried a recommended NSA degaussing machine against the drives just to confirm that this technique does not work against flash memory cells. As expected, the degausser had no effect on any of the drives.

The core of the problem is that unlike magnetic media, SSD drives save data to physical pages but erase from logical block addresses (LBAs), a process which is managed through a flash translation layer (FTL).  This creates a mismatch between where the ATA or SCSI drivers think the data is and where it physically resides which the drives compensate for by copying data around. It is this copying that leaves insecure traces littered around the drive.

“These differences between hard drives and SSDs potentially lead to a dangerous disconnect between user expectations and the drive’s actual behaviour,” comment the researchers. “An SSD’s owner might apply a hard drive-centric sanitisation technique under the misguided belief that it will render the data essentially irrecoverable. In truth, data may remain on the drive and require only moderate sophistication to extract.”

In other words, the assumption that established wiping techniques will simply work on SSDs and flash media in general turn out to be flawed. Sometimes they work, sometimes they fail due to poor implementation and in the case if single files, some new thinking will be required.

The degree of difficulty in securely wiping single files from SSDs will alarm IT admins most because this is an everyday requirement, for example when trying to destroy encryption keys, spreadsheets and other important files without nuking the whole drive.

The researchers conclude by suggesting several techniques through which the SSD FTL could be modified to take account of the need for security.