A recent development in Russia has seen a NAND flash drive fitted with a self-destruct button no dissimilar to those seen in Hollywood films. Why is non-volatile memory challenging, what did Rostec develop, and what other methods exist to protect data?

Why is non-volatile memory particularly troublesome?

Computers have undergone many changes since the first machines were developed; hard disks went from being the size of a coffee table to a few inches across, CPUs that would take up whole rooms fit on a small 1mm x 1mm die. Data transfer rates have gone from bits per second to gigabits per second. In this time, the nature of computing has also undergone significant changes; the first computers were primarily for scientific research, a few generations afterwards saw them being used by businesses, and then just about everyone had a computer in their home.

This changing nature of computer use has also seen digital information become increasingly personal. Computers of the 90s found in the home would sometimes be used to calculate the household budget and hold various contact numbers and names, but fast forward to 2020, and computers hold banking information, passwords, and even personal interests.

Protecting this information is critical in modern computing, and many security solutions have been developed to prevent this. For example, data in transit (i.e., over the internet) is protected using encryption methods, while data in storage (i.e. stored on a computer) is protected from outside intrusion using firewalls and passwords.

However, data stored on non-volatile memory (such as flash and hard disks) is highly vulnerable when discarded in the trash. Even if files are “deleted” by a user, this deletion is generally just an operating system reference removal whereby the file entry in the file table is removed. However, the physical information that makes up the file is still on the disk.

This can lead to criminals being able to recover deleted files found on old flash drives and hard disks found in landfills, recycling centres, and even when dropped accidentally.

Russian company Rostec creates self-destructing flash drive

Recently, a Russian tech company called Rostec has released a new NAND flash drive that integrates a self-destruct system to ensure that data cannot be recovered. The new device integrates multiple components, including a NAND memory chip, processor, bridge controller, battery, and electric detonator, allowing the system to continue operating even when away from a USB port.

A small button on the side of the flash drive triggers the onboard detonator, which burns the internal PCB using a strong electric arc. However, the device itself is left unaffected, meaning that a destructed device shows no sign of destruction. This allows the device to be held safely during the self-destruction process (albeit a boring process).

The complete destruction of the NAND flash ensures that it is impossible to recover data from the silicon die. While the device is still in the prototyping phase (as it requires long-term testing), it could be the ultimate solution for those concerned about data theft from unknowing parties.

Less dramatic alternatives to data protection

While there is no doubt that the device developed by Rostec will keep information safe, it is also somewhat dramatic (one good application for it would be the protection of government files in transit). Far less destructive methods currently exist that can be just as good as detonating a device.

One method encrypts all data with an AES 256-bit key whose key location is also in memory. The memory can easily be encrypted and decrypted using the onboard key during regular operation. If the information needs to be made unrecoverable, only the key must be securely deleted. This is because 256-bit keys are so large that trying brute force to guess the key using classical computers (i.e. non-quantum), is practically impossible. This is also advantageous because only a few bytes of information need to be removed securely for the entire memory chip to be unusable.

Data protection can also be realised using secure deletion methods in operating systems. Instead of removing a file entry, the file contents are wiped to ensure that recovery is impossible. This is not possible in off-the-shelf operating systems by default but can be implemented in smaller operating systems and firmware used in devices potentially holding personal information.

Engineers must consider the life cycle of their devices from production to destruction so that personal data is never recoverable. Implementing a few basic security measures such as secure boot and memory encryption can go a long way to protecting customers from increasingly more sophisticated cyberattacks.