SSD, Flash Memory, USB Stick, Phone Memory, Tablet Memory Destruction Guidance
Even the most modest household or small business in the United States has more than a few non-functional small electronic devices, phones, smart phones or even computers that still hold personal or business data. Big business and government create mountains of eWaste, and much of it is never properly sanitized of actionable data. As in other fields, our leaps in technology create unanticipated problems, including how memory media can be destroyed or sanitized.
Flash memory in all its forms is the next big security threat. Non-volatile memory or Flash memory is the memory media of choice for most small electronics and what powers the speed of cloud computing. In just ten years, we have become uncoupled from Local Area Networks (LAN) and most of our computing and safekeeping of data is not only on our devices but also stored in the cloud. The Internet of Things (IoT) also has created a huge demand for inexpensive and fast memory chips to support everything from smart phones to smart thermostats, doorbells, video surveillance, and a host of other items that require compact data storage. The good news is that these things make life easier for us and more convenient; the bad news is that they record our personal information and the information that we create through business and government, as well.
Why is this such a problem now? Simply, it is a numbers game. The year 2010 was a landmark year for data storage. According to Seagate, more data was created in 2010 than all the data created before 2010 going back to the beginning of time.[1] In the same article from Seagate, data creation has doubled every two years since 2010.[1] In an IDC study from 2007, the average hard disk drive (HDD) size was 120 GB.[2] Today, the average HDD or Solid State Drive (SSD) is over ten times the capacity of units sold in 2007, at 1,600 GB or 1.6 TB. To put the capacity into perspective, a 1 TB drive, whether SSD or HDD, could contain up to 71 million printed pages of data.
Clearly, the key to keeping up with this mountain of information is constant evaluation of processes and methods to align with shifts in technology. In sports terminology, you can’t stop it; you just hope you can contain it. Each piece of memory media holds so much information that companies and governments are finally realizing it should be treated with the same security level assigned to gold bars, if not higher. The amount of data being created doubles every year, and according to HGST, one of the leading HDD manufacturers, 86% of Data Center Decision Makers surveyed recently believe that ALL data has value.
Technology often exceeds the planning capacity of even the most forward-thinking organizations. For example, flash memory has been in use for over thirty years since Toshiba introduced it in 1984. Flash became commonplace in corporate, government, and enterprise computing after 2008, but it was not until 2013 that the U.S. National Security Agency (NSA) released guidelines and evaluated equipment to sanitize end-of-life-cycle and failed flash and SSD media.[3] The U.S. National Institute of Standards and Technology (NIST) guidelines have been at least ten years apart between updates, with the most recent issued in 2016 and none prior to that since 2006. Today’s question is how to be both secure and compliant when one component – namely, security – is a constantly moving target, while compliance requirements often are static. Merely following the major compliance guidelines is clearly not enough.
The starting place is understanding the technology itself: in this case, flash memory. Understanding the design of flash memory provides insight into its safe sanitization or destruction. In personal computers as well as enterprise systems and networks, flash memory has taken more than a foothold of the memory market in the last ten years. Performance is the main reason, as SSDs are at least 100 times faster at reading and writing data than a conventional HDD. SSDs operate as transistors rather than as a map of magnetic particles, which is where that speed comes from. The main type of chip used in an SSD is a NAND chip, which is named after the type of floating gate it uses to permanently retain electrons even when powered off. A NAND chip consists of the chip (die) itself, with its millions of transistors holding data, and the “package”, a silicone or ceramic encasement slightly larger than the chip that protects it and its connections.
Current recovery of data from NAND or any other flash chip technology requires removing the chip from the failed memory device and transplanting it into a functioning memory device of the same make and model. Unlike recovery methods for HDDs, which require a sizable investment nearing $1 million in clean room and other specialized equipment, SSDs can be forensically examined with less than $1,000.00 worth of equipment, according to Dr. Steven Swanson of the Non-Volatile Systems Laboratory at the University of California San Diego.[5] Even when the outside protective cover of the chip, the package, is damaged, the chip itself can be “deprocessed” from the package and given new bonding wires to provide complete access to the data. This makes SSDs a prime target for data theft even when they are destroyed using methods that work for HDDs.
In a perfect world, there would be an external source of negative current with some type of magic wand that could erase all the contents of a NAND chip without destroying it. That technology has not yet been established, so the chips must be destroyed or smelted to eliminate the possibility of data recovery. The environmental costs of smelting make that method a serious challenge here in the United States, so the conversation about eliminating data from NAND chips necessarily comes back to physical destruction. The requisite level of destruction has generated significant disagreement. Herein lies the difficulty for a company’s regulatory compliance manager and its risk manager, since there is very little guidance on how to prevent data recovery through destructive means or any other means. The most stringent high-security guidance is provided by the U.S. NSA. NSA provides guidance for destruction of Top Secret media, and its processes and evaluated equipment have become the “gold standard” for data elimination. However, Top Secret information, whether generated by government or private enterprise, accounts for a tiny percentage of all the information generated each year. NSA’s guidance is directed at its own operations, which for example could include media holding nuclear missile code information.
NSA’s guidelines and directives are appropriately stringent for the data classes covered in its own materials but incredible overkill for most other classes of information and security levels. The amount of confidential information that must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) standards or even NIST is staggering in comparison to NSA Top Secret data (1,000 to 1), and those compliance requirements are as vague as the NSA’s are detailed.
This is the point where knowledge counts, and that knowledge can give a risk manager an edge in finding the point where both security and important budget resources are maximized to get the best security value for the dollar spent.
To understand the risks of data being pulled out of an SSD, one must know what can be recovered and the process to recover it. Earlier we touched on the process of recovering information from an intact NAND chip or even a slightly damaged chip package. If a chip is broken inside the package, there is very little that can be done to recover information without unlimited funds, unlimited time, and excellent skill. The flash chip layer is an array, and each array is composed of pages containing bytes of memory. Each page could contain between 2048 and 16384 bytes.[5] Because the modern NAND chip has such an extremely small cell size (measured on the nano scale), a recovery lab must examine the layer using an atomic force microscope (AFM). Because the lab is analyzing a broken chip whose internal wiring is in disarray, the only theoretical method of recovery is to grind the chip particle layer by layer and then examine each layer page by page and cell by cell under the AFM to determine the value of each cell (Image 2).[6] If the chip is broken and has any damage that makes the surface uneven, even the most skilled technician would have a difficult time separating each layer. To add to the difficulty, if the scanning tip of the AFM touches the surface of the chip, the scan head of the AFM is destroyed and must be replaced at a cost of $8,000.00 every time. Each broken chip particle must be ground perfectly to make a smooth surface to analyze.
In addition, the technician must overcome the difficulties of how the data was written and whether it was encrypted. The newer 3D NAND design (now commonplace) also adds a level of difficulty in getting the AFM to read voltages internal to the stacked structure. To summarize, it is theoretically possible to pull data from a broken NAND chip as long as it is broken nearly perfectly, so that it can be precisely ground and examined. To defeat even this far-fetched recovery protocol, a chip would have to be broken into particles smaller than a page. On legacy/current NAND chips, according to Dr. Swanson, that particle would have to be less than 2mm, and on future chips as small as 0.2mm, to bisect a page in a chip array.
We now know the theoretical and functional limits of recovery. We can now determine a chip particle size that makes recovery extremely unlikely and the size that makes it impossible. The smallest current package available in flash memory applications, according to data from the Open NAND Flash Interface standard version 4.0, is the BGA-63 (Image 3)[8] with package dimensions of 7.2mm x 8.8mm. Remember that the chip is slightly smaller than the package, so the particle size should ensure that the chip itself is broken. Dr. Swanson recommends 75% of the package size as a conservative particle size.[5] In this case, the broken chip particle would need to be less than 6mm. Because of the difficulty, time and resources expended to get information from a 5-6mm chip particle, the only plausible entities with that level of resources and expertise would be a large state-funded organization, if it could be done at all. The particle size at which recovery becomes theoretically impossible (which is far more difficult than just impossible) is granular, in the 0.2mm to 0.5mm range discussed above (NSA guidance, surprisingly, is 2mm x 2mm). A 2mm chip particle in 3D NAND would have a minimum of 64,000 cells (32 cells per micrometer) full of information to potentially recover (Image 4).[9] This is another example of how compliance standards lag technology, even at the NSA. Processing NAND chips down to the 0.2mm granular level is an incredibly expensive proposition and only for the incredibly cautious or state-level entities. This level will likely be the next guidance from NSA, but to date there is no such document.
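The particle-size reasoning above can be turned into a small, reusable check. The following is an added worked example, not code from the article or from any of the organizations it cites. It uses only the figures quoted in the text (the BGA-63 package dimensions, Dr. Swanson's 75% rule, 32 cells per micrometer, the 2mm NSA figure and the 0.2-0.5mm granular range); the page-length model in `page_row_length_mm`, which treats one page as a single physical row of cells, is an assumption of this example and gives only a rough bracket on how large a page is physically.

```python
"""
Added example (not from the article): map a destruction particle size onto the
tiers the article describes, for any package whose dimensions are known.
"""
from dataclasses import dataclass

# Figures quoted in the article.
CELLS_PER_MICROMETER = 32       # linear 3D NAND cell density cited in the text
CONSERVATIVE_FRACTION = 0.75    # Dr. Swanson's rule: particle <= 75% of package size
NSA_PARTICLE_MM = 2.0           # NSA guidance quoted as 2mm x 2mm
GRANULAR_MM = 0.5               # upper end of the 0.2-0.5mm "theoretically impossible" range


@dataclass(frozen=True)
class Package:
    name: str
    width_mm: float
    height_mm: float


# BGA-63 dimensions as the article quotes them from ONFI 4.0.
BGA63 = Package("BGA-63", 7.2, 8.8)


def recommended_particle_mm(pkg: Package, fraction: float = CONSERVATIVE_FRACTION) -> float:
    """Largest particle that still guarantees the die inside is broken:
    a fraction of the smallest package dimension (the die is smaller than the package)."""
    return round(fraction * min(pkg.width_mm, pkg.height_mm), 3)


def cells_along_edge(particle_mm: float, cells_per_um: float = CELLS_PER_MICROMETER) -> int:
    """Cells along one edge of a particle; reproduces the article's 64,000-cell figure for 2mm."""
    return int(particle_mm * 1000 * cells_per_um)


def page_row_length_mm(page_bytes: int, bits_per_cell: int = 1,
                       cells_per_um: float = CELLS_PER_MICROMETER) -> float:
    """ASSUMPTION of this example (not stated in the article): a page occupies one
    physical row of cells, so its length is cell count / linear density.
    1 bit per cell (SLC) gives the longest, most conservative row."""
    cells = page_bytes * 8 // bits_per_cell
    return cells / cells_per_um / 1000


def bisects_page(particle_mm: float, page_bytes: int, bits_per_cell: int = 1) -> bool:
    """True if the particle is shorter than the page row and so cannot hold a whole page."""
    return particle_mm < page_row_length_mm(page_bytes, bits_per_cell)


def classify(particle_mm: float, pkg: Package = BGA63) -> str:
    """Place a particle size into the tiers the article describes, from safest down."""
    if particle_mm <= GRANULAR_MM:
        return "granular: recovery theoretically impossible"
    if particle_mm <= NSA_PARTICLE_MM:
        return "meets NSA 2mm guidance; still tens of thousands of cells per edge"
    if particle_mm < recommended_particle_mm(pkg):
        return "die broken; recovery plausible only for state-level resources"
    return "insufficient: die may survive intact inside the package"


if __name__ == "__main__":
    for size in (6.0, 5.0, 2.0, 0.3):
        print(f"{size:4.1f} mm -> {classify(size)}; "
              f"{cells_along_edge(size):,} cells per edge; "
              f"bisects 16 KB SLC page: {bisects_page(size, 16384)}")
    print(f"Recommended particle for {BGA63.name}: < {recommended_particle_mm(BGA63)} mm")
```

Plugging in another package's dimensions gives the corresponding conservative particle size; the cell count per edge is the number to weigh against the cost and skill figures the article gives for AFM recovery.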
The table below summarizes the current recovery capability versus the level of destruction. In sum, chip destruction to particles less than 6.0 mm offers the best protection for the least investment in equipment until the next change in technology.
One thing is for sure when it comes to technology: it will change often. It is incumbent upon decision makers to make every effort to understand past, current, and future technology in order to adequately address security concerns. We have shown that relying on compliance directives as a security policy leaves wide-open vulnerabilities. To be “Secure and Compliant” is to use knowledge and common sense to keep current with technology and its corresponding security liabilities. Having a good end-of-life-cycle/failed-media plan ensures that risk can be reduced greatly or nullified completely. Part of that plan should be a regular analysis of procedures to eliminate data from every type of media. For flash media, as we have discussed here, size matters.
Posted: December 2017