A study by researchers at the University of California San Diego (UCSD) has found that USB flash drives and solid state disks pose a security risk because there's no way to fully wipe them with current data erasing techniques.
To test various erasing techniques the researchers took the disks apart and tested the individual pins of the flash memory to see how much data they could recover. Over a dozen of data wiping methods were tried, but even the most succesful method in the test left about 10 percent of the data intact.
Until a way is found to remove all data on a SSD without physically damaging the device, users are advised to use encryption to protect sensitive data.
Researchers Laura Grupp and Michael Wei comment, "Our results show that naïvely applying techniques designed for sanitizing hard drives on SSDs, such as overwriting and using built-in secure erase commands is unreliable and sometimes results in all the data remaining intact. Furthermore, our results also show that sanitizing single files on an SSD is much more difficult than on a traditional hard drive."
Of course, if you encrypt all the data on the SSD to start, you make it harder to access. The researchers note this and suggest that to completely prevent data loss, users then destroy their keys and use new technology to directly overwrite all of the drive's pages.
Chester Wisniewski, a senior security advisor for Sophos Canada, blogged on the study praising its accuracy. He writes, "To properly secure data and take advantage of the performance benefits that SSDs offer, you should always encrypt the entire disk and do so as soon as the operating system is installed... [S]ecurely erasing SSDs after they have been used unencrypted is very difficult, and may be impossible in some cases."