[liberationtech] secure wipe of flash memory

oli oli at cryptosms.org
Sun Jul 15 07:59:02 PDT 2012


hi all,

I came across a problem which seems to remain unresolved but not taken
seriously by many liberation tech coders. Maybe this has been discussed
already some years ago, but I think it might be good to rediscuss it
anyway, since flash memory use is growing rapidly.

Flash memory uses a technique called wear leveling [1], which uses
all physical blocks of the SD card equally to prolong its lifetime. A
side effect of this smart approach is that it becomes nearly impossible
for wiping applications to overwrite all blocks that were used by one
file, since they are distributed almost randomly across the memory card
and the controller between the physical and logical level does not
allow an application to access the physical layer directly.

If it is okay to delete the whole card or whatever incarnation of flash
you have there, the scene is a bit different as the wear leveling logic
will write data on all blocks albeit not in any order you can trace.

There are many applications around that claim to securely wipe flash. I
only pick this one because I like the Guardian Project and take
anything happening there seriously: the app Data Wipe (“Poison Pill”) [2].

On http://lab.safermobile.org/wiki/InTheClear it says:

"Data Wipe

While Emergency SMS is designed to send alert messages to your contacts,
Data Wipe helps protect you and your personal network by removing
sensitive information from your device just as easily. A mobile device
is often the first personal article confiscated by authorities, and it
only takes a browse through your list of contacts to discover your
social network. This puts others in your social networks at immediate
risk as well. While some mobile devices provide easy ways to erase or
hide address books, performing this action manually can take time that
is often not available. Data Wipe lets you pre-configure a specific set
of rules to erase or overwrite your personal data at a moment's notice."

This is not possible: overwriting specific blocks of flash memory. The
controller doesn't allow direct access.

Here you find the Android version's lines of code that "wipe":

https://github.com/guardianproject/InTheClear/blob/master/projects/android/src/org/safermobile/intheclear/data/PIMWiper.java

I see the point of this app and it might be really helpful vis-a-vis
non-trained attacks. But once the phone is in a forensic lab, one can bypass
the flash controller and access the physical layer directly, retrieving
all the data that was "wiped" with this app.

See "Data Remanence in Semiconductor Devices" for a longer discussion
by Peter Gutmann: http://www.cypherpunks.to/~peter/usenix01.pdf

If I am right, then the only real solution is to save sensitive data on
e.g. smartphones in an encrypted container from the start. But how can
you make sure that some dumb app doesn't write it into a tmp directory
while you are working on it? Only by full disk encryption, I guess; then
it doesn't matter.

-oli

[1] https://en.wikipedia.org/wiki/Wear_leveling

[2] https://guardianproject.info/apps/
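The argument of the mail above can be made concrete with a small simulation. The following is an added example, not code from the mail, from the Guardian Project or from InTheClear: a toy flash translation layer in which every logical write lands on a fresh physical page (out-of-place writing, as wear leveling does) and the old page is only marked stale until the controller's own garbage collection erases it. The secret value, page size and pool sizes are constructed for the demonstration, and the one-time-pad XOR stands in for real full-disk encryption.

```python
import os

PAGE = 16                      # bytes per simulated flash page (constructed toy size)
ERASED = b"\xff" * PAGE        # erased NAND reads as all ones
ZEROS = b"\x00" * PAGE
SECRET = b"contact:alice+1x"   # constructed 16-byte sample of "sensitive data"


class FlashSim:
    """Toy flash translation layer.

    The host only sees logical blocks (0..n_logical-1). Every write is
    placed on an erased physical page chosen by the controller; the page
    the block previously mapped to is left untouched as a stale copy.
    Stale pages are erased only when the erased pool runs dry.
    """

    def __init__(self, n_logical, n_physical):
        assert n_physical > n_logical      # over-provisioned, as real devices are
        self.n_logical = n_logical
        self.pages = [ERASED] * n_physical
        self.l2p = {}                      # logical block -> physical page
        self.cursor = 0                    # round-robin allocation = wear leveling

    def _alloc(self):
        """Return an erased page; when none is left, garbage-collect first
        (erase every page no logical block points at any more)."""
        n = len(self.pages)
        for _ in range(n):
            i = self.cursor
            self.cursor = (self.cursor + 1) % n
            if self.pages[i] == ERASED:
                return i
        mapped = set(self.l2p.values())
        for i in range(n):
            if i not in mapped:
                self.pages[i] = ERASED
        return self._alloc()

    def write(self, lba, data):
        """Host-visible write: always out of place; the old copy stays stale."""
        assert len(data) == PAGE and 0 <= lba < self.n_logical
        p = self._alloc()
        self.pages[p] = data
        self.l2p[lba] = p

    def read(self, lba):
        """Host-visible read through the mapping table."""
        return self.pages[self.l2p[lba]] if lba in self.l2p else ERASED

    def physical_hits(self, pattern):
        """Raw-chip view: count physical pages still holding `pattern`,
        mapped or not. This is what bypassing the controller exposes."""
        return sum(1 for pg in self.pages if pattern in pg)


def wipe_app_remnants():
    """The wipe-app approach: overwrite the file's logical block with zeros.
    Returns (logical view looks clean, physical pages still holding SECRET)."""
    fl = FlashSim(n_logical=8, n_physical=12)
    fl.write(3, SECRET)
    fl.write(3, ZEROS)                     # the "wipe"
    return fl.read(3) == ZEROS, fl.physical_hits(SECRET)


def full_device_remnants(passes):
    """Overwrite every logical block `passes` times. The stale copy vanishes
    only once the controller's garbage collection happens to erase its page;
    the host cannot tell which pass that is."""
    fl = FlashSim(n_logical=8, n_physical=12)
    fl.write(3, SECRET)
    for _ in range(passes):
        for lba in range(fl.n_logical):
            fl.write(lba, ZEROS)
    return fl.physical_hits(SECRET)


def encrypted_from_start_remnants():
    """Encrypt before the data ever reaches flash (toy one-time pad as a stand-in
    for full-disk encryption). The stale ciphertext page still exists after
    the 'wipe', but no physical page ever held the plaintext."""
    fl = FlashSim(n_logical=8, n_physical=12)
    key = os.urandom(PAGE)
    ct = bytes(a ^ b for a, b in zip(SECRET, key))
    fl.write(3, ct)
    fl.write(3, ZEROS)
    key = None                             # key destroyed; ct is now useless
    return fl.physical_hits(SECRET), fl.physical_hits(ct)


if __name__ == "__main__":
    print("wipe app: logical clean, physical remnants =", wipe_app_remnants())
    for n in (1, 2):
        print(f"full-device overwrite, {n} pass(es): remnants =", full_device_remnants(n))
    print("encrypted from start: (plaintext, ciphertext) remnants =",
          encrypted_from_start_remnants())
```

With 8 logical blocks on 12 physical pages, a single full-device overwrite pass fills the erased pool without ever touching the stale page that holds the secret; only the second pass forces garbage collection and erases it. Real controllers keep their own over-provisioning and collection policy, so the pass count at which remnants actually disappear is not something the host can observe, which is the mail's point about a wipe you "cannot trace".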



More information about the liberationtech mailing list