How--and Why--to Destroy Old Flash Drives
By Emmett Dulaney
The value of the ubiquitous flash drives that many of us carry in our pockets or on our key chains is much more than the $10 we pay for them at the big box store. Rather, they're worth as much as all the data they have ever held. A couple of instances involving Bowling Green State University and the Oregon food stamp program illustrate the danger.
In the first case, an accounting professor could not locate a flash drive containing several years of student records. Students were identified by social security numbers instead of student IDs in only one of those years, but he was forced to pay for LifeLock protection for those students and undergo a public relations nightmare. The cost of the protection was nearly $10,000.
In the second case, a flash drive was taken from a vehicle belonging to an employee of Portland Community College. That flash drive contained information on 2,900 recipients of the Oregon Food Stamp Employment and Transition program, run by PCC. Since the information contained names and social security numbers, Debix credit protection had to be offered to each of the affected individuals.
In both of these instances, the drives were stolen or misplaced. Similar troubles could arise, however, if drives fell into the wrong hands after being thrown away.
The Popularity of the Drive
As the capacity of flash drives (also known as thumb drives, memory sticks, jump drives, and USB drives) has grown, so has their popularity. Many professors now store almost all their files on a flash drive that they carry everywhere rather than saving files to hard drives on one or more computers. The technology is stable enough that this works well, and there are few problems until they outgrow the capacity of an older drive or otherwise need to dispose of it.
Imagine that a flash drive has student records or demographic information on it. Deleting the files isn’t a good solution since what actually gets deleted is the reference to the file--the data still remains until it is overwritten. Someone armed with the right tools (there are even shareware programs available) and knowledge could recover the file without too much trouble.
A number of programs can be found online that purport to permanently delete the files by wiping the free space. Trust them if you want, but according to research by the University of California, San Diego's Michael Wei, after erasing files with Mac OS X's secure erase feature, up to 67 percent of the data was still recoverable. Other overwrite operations showed similar results.
Given that, the only reliable way to know the data is safely eradicated is to destroy the flash drive in such a way that no part of it can be recovered. The steps that follow walk through an approach to this process that delivers definite results.
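The following is an added example, not part of the original article, that models in simplified form why deleting or overwriting a file can leave its data on the memory chip. It assumes a controller that writes every update to a fresh page rather than in place, as flash drives commonly do for wear leveling; the class, file name, and records are constructed for illustration.

```python
# Toy model, constructed for illustration: a file table points at logical
# blocks, and the controller maps each logical block to a physical page.
# Every write lands on a fresh page; the old page keeps its contents.

class ToyFlashDrive:
    def __init__(self, pages=16):
        self.physical = [None] * pages  # raw contents of the memory chip
        self.l2p = {}                   # logical block -> physical page
        self.files = {}                 # file name -> logical blocks
        self.next_page = 0

    def _program(self, block, data):
        # Out-of-place write: use a fresh page and remap the block to it.
        self.physical[self.next_page] = data
        self.l2p[block] = self.next_page
        self.next_page += 1

    def write_file(self, name, chunks):
        start = len(self.l2p)
        self.files[name] = list(range(start, start + len(chunks)))
        for block, chunk in zip(self.files[name], chunks):
            self._program(block, chunk)

    def delete_file(self, name):
        # Ordinary delete: only the reference to the data goes away.
        del self.files[name]

    def overwrite_file(self, name, filler=b"\x00" * 16):
        # Software "secure erase": overwrite the file's blocks, then delete.
        for block in self.files[name]:
            self._program(block, filler)
        del self.files[name]

    def host_can_read(self, needle):
        # What the computer sees through the drive's normal interface.
        return any(needle in self.physical[p] for p in self.l2p.values())

    def chip_contains(self, needle):
        # What remains on the memory chip itself.
        return any(p is not None and needle in p for p in self.physical)


def run_scenario(erase_method):
    # Returns (host_can_read, chip_contains) for the first record.
    drive = ToyFlashDrive()
    drive.write_file("grades.csv", [b"STUDENT-RECORD-1", b"STUDENT-RECORD-2"])
    getattr(drive, erase_method)("grades.csv")
    needle = b"STUDENT-RECORD-1"
    return drive.host_can_read(needle), drive.chip_contains(needle)
```

In this model `run_scenario("delete_file")` returns `(True, True)` and `run_scenario("overwrite_file")` returns `(False, True)`: after an overwrite the computer no longer sees the record, yet the chip still holds it.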
Step One: Crack Open the Drive
The first order of business is to remove the case. Since flash drives come in a variety of shapes and sizes--from simple rectangles to those shaped like animals, candy, or almost anything else--you may have to vary the tools that you use, but usually a screwdriver or scissors will do the trick.
Crack open the case and toss the parts of it away--you don’t care if anyone sees those items in the trash. The focus needs to be on the circuit board and the chips connected to it. In addition to an LED and any circuitry associated with it that are mounted on the board, you should see a large chip about half the size of a postage stamp--this is the flash memory chip.
There should be other chips visible as well (the storage controller chip, for example), but the flash memory chip is identifiable as the largest of the group and the one to concentrate on.
There is no harm in destroying the entire drive, but above all else, it is that memory chip which must be rendered worthless.
Step Two: Turn the Chip to Powder
The objective is to turn the chip into powder that cannot be recognized as a former flash drive. A number of tools can be used to accomplish this, but one of the most effective is a hand drill and a series of bits ranging from 1/32 inch to ¼ inch.
If you have a drill press, you can use it in place of the hand drill, but a ¼ inch hand drill works just as well. Be sure to hold the drive securely with pliers and adhere to all safety precautions you would with any other project involving power tools and fine dust, such as wearing eye protection and a dust mask.
Put a large piece of paper down to catch the dust and remnants, and then use the smallest drill bit to put a hole directly through the center of the memory chip. Replace the drill bit with a larger one and put it through the same hole. Continue to do this until you have used the ¼ inch bit to turn the remains into powder. If the memory chip breaks prior to finishing, pick up the remains with the pliers and continue the operation. Remember that having a few recognizable pieces of the circuit board or controller chip left over is not terrible as long as there are no recognizable pieces of the memory chip remaining.
When you finish, the remnants should resemble finely ground pepper or gunpowder.
Step Three: Finish It Off
The final step is to gather the paper holding the remnants and wad it into a loose ball. This can now be tossed into a fire as a final strike, and you can sleep well, comforted by the knowledge that the contents of that flash drive are now nothing more than a memory.
Securing the Drive You Still Use
It is strongly recommended that you protect the data on flash drives you still use in case they mistakenly fall into the wrong hands.
On the cheaper end, you can add passwords and encryption to the flash drives. While you can add many types of encryption yourself, you can also buy drives that already have these features, for considerably more than the cost of a regular drive, from companies such as Kanguru or Kingston. While this is far from a flawless solution, it does add reasonable protection for the data should the drive fall into the wrong hands.
On the more expensive end, IronKey markets a line of flash drives secure enough for sensitive government use and more than sufficient for what most people are trying to protect. A password must be given to access the data and if you give the wrong password 10 consecutive times, the unit self-destructs. The case is waterproof and tamper-resistant: if you break it open, it self-destructs. Data is secured with Advanced Encryption Standard (AES) encryption that cannot be turned off.