
Experts warn about SSD security risks

Posted 26 August 2008 11:11 CET by Seán Byrne

As Solid State Drives (SSDs) gradually replace hard disks over the coming years, particularly in laptops, security experts are warning about the additional security risks of using SSDs. It turns out that SSDs are vulnerable to physical hacking against both the flash memory and the chips that secure the SSDs, and that traditional data shredding software is ineffective due to the wear-levelling process SSDs use to prolong the life of the flash cells.

Most SSDs use NAND chips much like those found in flash memory cards for digital cameras. A hacker can easily desolder these chips and read them with a flash chip programmer to get around locked SSDs, e.g. where the drive is password protected but not encrypted. Afterwards, it is just a matter of using a disk recovery utility to reassemble the files from the data read out from the chips.

For controllers that use lock bits or encryption locks, another hack involves using a UV laser to wipe out the lock bits from fuses on the chip that secures the SSD. According to a chip hacker, nicknamed Bunnie, it is just a matter of using a conventional ROM reader to interface with the hacked chip once unlocked. However, SSDs that use an additional layer of hardware-level encryption are resistant to the attack, unless the hacker manages to unlock the encryption keys.

SSDs use wear-levelling to spread writes evenly across all the flash cells, so that no cells are written to more times than others. This opens up another security risk for those who rely on traditional software-based data shredding tools to destroy files where hardware-level encryption is not in use. A data shredder traditionally works by overwriting all bytes of a file with random data to prevent a data recovery tool from "undeleting" it.

However, due to the wear-levelling process on an SSD, overwriting a file with random data will likely result in different physical flash cells being written to, leaving the original flash cells that were used by the file untouched. As a result, these flash cells could potentially be read back at a later stage. So unless the data shredding software is designed to work with the wear-levelling process on SSDs, it is difficult to completely wipe sensitive data from an SSD, at least without carrying out a full low-level format of the flash drive.
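
The effect described above can be seen in a toy model of a wear-levelling controller. This is an added example, not code from the article or from any SSD vendor; the ToyFTL class, its page counts and the sample secret are all constructed for illustration.

```python
import os


# Constructed model of a flash translation layer; not real controller firmware.
class ToyFTL:
    def __init__(self, logical_pages, physical_pages):
        if physical_pages <= logical_pages:
            raise ValueError("model needs spare physical pages")
        self.flash = [None] * physical_pages      # raw NAND pages; None = erased
        self.l2p = {}                             # logical page -> physical page
        self.free = list(range(physical_pages))   # erased pages, oldest first
        self.stale = set()                        # superseded pages, not yet erased
        self.logical_pages = logical_pages

    def write(self, lpn, data):
        if not 0 <= lpn < self.logical_pages:
            raise ValueError("logical page out of range")
        if not self.free:
            self._garbage_collect()
        ppn = self.free.pop(0)                    # always a fresh cell, never in place
        self.flash[ppn] = data
        if lpn in self.l2p:
            self.stale.add(self.l2p[lpn])         # old copy is unmapped, not erased
        self.l2p[lpn] = ppn

    def read(self, lpn):                          # what the OS and a shredder see
        return self.flash[self.l2p[lpn]]

    def _garbage_collect(self):                   # stale data only dies here
        for ppn in sorted(self.stale):
            self.flash[ppn] = None
            self.free.append(ppn)
        self.stale.clear()

    def raw_dump(self):                           # what a chip-level read sees
        return [page for page in self.flash if page is not None]

    def erase_all(self):                          # stands in for a full-device erase
        self.__init__(self.logical_pages, len(self.flash))


def shred_demo():
    ssd = ToyFTL(logical_pages=4, physical_pages=8)
    secret = b"CONSTRUCTED-SECRET"
    ssd.write(0, secret)
    ssd.write(0, os.urandom(len(secret)))         # one shredder pass over logical page 0
    before = (ssd.read(0) == secret, secret in ssd.raw_dump())
    ssd.erase_all()
    return before + (secret in ssd.raw_dump(),)
```

shred_demo() returns whether the host still reads the secret, whether a raw chip read still finds it after the overwrite, and whether it survives the full erase.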

guest
No longer with us
Posted on: 26 Aug 08 17:45
I don't see the bad thing about one's data being SAFE and can be recovered, but I do see the bad thing in using password on a private pc. :P
0 Agree

guest
No longer with us
Posted on: 26 Aug 08 18:45
The first risk is the same as regular hard drives so I don't see how it needs warning; actually I think it's a lot easier than you think. If you're using an SSD like goes in your SATA slot then you're oh so much more vulnerable than you think. If the chip is soldered as part of an mp3 player then you're still pretty safe 'cause most people in the world don't have the intelligence or technology to circumvent such obstacles. The second one is kinda worrisome but most people don't swipe their content anyway and if they did this important information should be encrypted since it seems you're so important that someone is actually looking for said information.
0 Agree

RTV71
MyCE Member
Posted on: 27 Aug 08 01:36
Most security experts agree that both SSDs and other recordable media can be effectively erased with thermite (http://en.wikipedia.org/wiki/Thermite).
0 Agree

AlexSGV
CD Freaks Rookie
Posted on: 27 Aug 08 07:28
OK, that last one definitely deserved a LOL.
0 Agree

guest
No longer with us
Posted on: 29 Aug 08 22:55
How exactly would this be different than reallocated sectors on existing platter hard drives?

I assume that there would be at least some residual data on those as well.

Understand of course that a low-level would wipe those too, but that's no different than their suggestion for SSD, no?

- JCS
0 Agree
