As Solid State Drives (SSDs) gradually replace hard disks over the coming years, particularly in laptops, security experts are warning about the additional security risks of using SSDs. It turns out that SSDs are vulnerable to physical hacking against both the flash memory and the chips that secure the SSDs. In addition, traditional data shredding software is ineffective due to the wear-levelling process SSDs use to prolong the life of the flash cells.
Most SSDs use NAND chips much like those found in flash memory cards for digital cameras. A hacker can easily desolder these chips and read them with a flash chip programmer, getting around a locked SSD, e.g. where the drive is password protected but not encrypted. Afterwards, it is just a matter of using a disk recovery utility to reassemble the files from the data read out from the chips.
For controllers that use lock bits or encryption locks, another hack involves using a UV laser to wipe out the lock bits from fuses on the chip that secures the SSD. According to a chip hacker, nicknamed Bunnie, it is just a matter of using a conventional ROM reader to interface with the hacked chip once unlocked. However, SSDs that use an additional layer of hardware level encryption are resistant to the attack, unless the hacker manages to unlock the encryption keys.
SSDs use wear-levelling to spread writes evenly across all the flash cells so that no cells are written to more often than others. Where hardware level encryption is not in use, this opens up another security risk for those who rely on traditional software based data shredding tools to destroy files. A data shredder traditionally works by overwriting all bytes of a file with random data to prevent a data recovery tool from "undeleting" it.
However, due to the wear-levelling process on an SSD, overwriting a file with random data will likely result in different physical flash cells being written to, leaving the original flash cells that were used by the file untouched. As a result, these flash cells could potentially be read back at a later stage. So unless the data shredding software is designed to work with the wear-levelling process on SSDs, it can be difficult to completely wipe sensitive data from an SSD, at least without carrying out a full low level format of the flash drive.
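The shredding problem described above can be seen in a small simulation, added here as an illustration and not taken from the article or from any real SSD firmware. ToyFTL, shred and the sample secret are constructed for the example, and the model assumes every write goes to a fresh page and that a full erase stands in for the low level format.

```python
import os

class ToyFTL:
    """Constructed model of a wear-levelling controller (not real firmware).
    Every write lands on a fresh physical page; the old page is only
    unmapped, not erased."""

    def __init__(self, n_pages=16, page_size=16):
        self.page_size = page_size
        self.physical = [None] * n_pages   # raw flash contents, None = erased
        self.l2p = {}                      # logical page -> physical page
        self.next_free = 0

    def write(self, lpn, data):
        if self.next_free >= len(self.physical):
            raise RuntimeError("no erased pages left (garbage collection not modelled)")
        page = data[:self.page_size].ljust(self.page_size, b"\0")
        self.physical[self.next_free] = page
        self.l2p[lpn] = self.next_free     # remap; the stale page keeps its data
        self.next_free += 1

    def read(self, lpn):
        # What the operating system and a shredding tool can see
        return self.physical[self.l2p[lpn]]

    def raw_dump(self):
        # What reading the chips directly would return: mapped and stale pages
        return b"".join(p for p in self.physical if p is not None)

    def full_erase(self):
        # Stand-in for a full low level format: every physical page is reset
        self.physical = [None] * len(self.physical)
        self.l2p.clear()
        self.next_free = 0

def shred(ftl, lpn, passes=3):
    # Traditional shredder: overwrite the same logical location with random data
    for _ in range(passes):
        ftl.write(lpn, os.urandom(ftl.page_size))

def demo():
    secret = b"PIN=4921;constr"            # constructed sample data
    ftl = ToyFTL()
    ftl.write(0, secret)
    shred(ftl, 0)
    gone_logically = secret not in ftl.read(0)
    still_on_chip = secret in ftl.raw_dump()
    ftl.full_erase()
    left_after_erase = secret in ftl.raw_dump()
    return gone_logically, still_on_chip, left_after_erase

if __name__ == "__main__":
    print(demo())
```

The shredder sees only random data when it reads the file back, yet the original page is still present in the raw dump until the whole device is erased.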
5 Comments
But I do see the bad thing in using a password on a private PC. :P I assume that there would be at least some residual data on those as well.
Understand of course that a low-level would wipe those too, but that's no different than their suggestion for SSD, no?
- JCS
