After the story came out about factory resets not adequately clearing flash memory in phones and tablets, one of my college buddies asked me if a similar problem exists in SSDs.
Depending on the SSD, it definitely can.
Many SSDs have a secure erase function. But overwriting the SSD enough times to guarantee all the data was erased would shorten the life of the chips, so what they do instead is encrypt the data with AES. Then, when you issue a secure-erase command (usually using a utility provided by the manufacturer), the drive throws out the old AES key and generates a new one. The old data is still there, but it’s reduced to gibberish.
Theoretically, AES can be cracked, but realistically, it will be a couple of decades before it’s practical, especially for anyone other than the spy agencies of a select few powerful nations. Some people believe AES has been broken and some believe it has not. I think the fact that the NSA is still actively stealing keys suggests it has not.
The problem occurs when a drive lacks an encryption feature; very inexpensive drives like the Crucial BX100 leave it out. Drives like a BX100 are very difficult to erase securely.
I wouldn’t have any problem with reselling a drive that has secure erase functionality and built-in encryption. I doubt I’ll be reselling my BX100 though.
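To make the difference concrete, here is a small model added as an illustration (it is not code from any drive vendor or from this post) of why throwing away the key is enough on an encrypting drive while the same kind of reset leaves data behind on a non-encrypting one. Assumptions: `ToyDrive` and its methods are hypothetical, a SHA-256 counter keystream stands in for the drive's AES engine, and the non-encrypting drive's reset is modelled as dropping the mapping without touching the cells, as in the factory-reset story.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the drive's AES engine: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

class ToyDrive:
    """Constructed model of an SSD: raw flash cells plus an optional media key."""
    def __init__(self, encrypting: bool):
        self.flash = b""      # what reading the chips directly would return
        self.length = 0       # how much data the host can still address
        self.key = secrets.token_bytes(32) if encrypting else None

    def write(self, data: bytes) -> None:
        # An encrypting drive only ever stores ciphertext in its cells.
        self.flash = keystream_xor(self.key, data) if self.key else data
        self.length = len(data)

    def read(self) -> bytes:
        raw = self.flash[:self.length]
        return keystream_xor(self.key, raw) if self.key else raw

    def secure_erase(self) -> None:
        if self.key:
            # Crypto erase: replace the key, leave the cells untouched.
            self.key = secrets.token_bytes(32)
        else:
            # Assumption: reset drops the mapping only; cells keep their contents.
            self.length = 0

def leftover_after_erase(encrypting: bool, secret: bytes) -> bool:
    """Return True if the secret is still present in raw flash after the erase."""
    drive = ToyDrive(encrypting)
    drive.write(secret)
    drive.secure_erase()
    return secret in drive.flash

if __name__ == "__main__":
    sample = b"constructed sample: tax return contents"
    print("encrypting drive leaks:", leftover_after_erase(True, sample))
    print("plain drive leaks:     ", leftover_after_erase(False, sample))
```

In both cases the cells are never overwritten; the only thing that changes the outcome is whether what sits in them was ever stored in the clear.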
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.