Skip Links

SD cards are hackable, but probably not on a mass scale

By Taylor Armerding, CSO
January 14, 2014 01:07 PM ET

CSO - All threats are not equally threatening.

Those microSD cards that provide flash memory storage to your smartphone or tablet, along with the new SD cards you just bought from your local electronics store could be a malware attack vector, setting up your device for a Man-in-the-Middle (MitM) attack as soon as you put one in the slot.

[SIM flaw boosts mobile data container argument]

Could be -- as in, it is demonstrably possible -- but also unlikely, unless you are a high-value target like a major corporation or a nation state. So, even though two researchers demonstrated recently the unnerving reality that it is possible to break into and take control of the micro controller in SD cards, other experts say there is little reason for average consumers to worry.

The hack, explained in late December at the Chaos Communications Congress in Hamburg by Sean "xobs" Cross and Dr. Andrew "bunnie" Huang, is, "much more useful for targeted attacks against an individual or a company than a broad attack against consumers," according to Samuel Bucholtz, cofounder of Casaba, a security analysis consulting firm.

"In most cases the data can only be harvested if the SD card is physically retrieved afterwards or it is connected to a previously compromised system," he said.

Kevin McAleavey, cofounder of the KNOS Project and a hacking expert, agreed. "It can be done, but as long as there are more practical methods less likely to be detected than the case of the product being ripped apart and re-glued, the much more likely scenario would be manufacturing a device from scratch with that kind of functionality built in by a wayward manufacturer," he said.

"NSA (National Security Agency) and DoD (Department of Defense) have worried for years about foreign chipmakers doing precisely this in parts for military products, and the practice goes back decades," he said.

That does not mean the risk is not real. Cross and Huang told their audience that the vulnerability exists in large measure because flash memory is unreliable -- "incredibly unreliable" in Huang's words -- and a microcontroller is the best means to correct it.

"You don't want to look under the hood and see the sausage inside," he said.

Because the devices are unreliable, degrade over time, are unpredictably fragmented and contain bad memory blocks, the manufacturers install a relatively powerful microcontroller that delivers the illusion of correct data to the user.

[Symantec: Google Glass still vulnerable to Wi-Fi attack]

Huang did not respond to a request for comment, but in a recent post on his blog, bunnie:studios, he wrote that, "the illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions," done by microcontrollers, adding that this applies to the entire "family" of managed flash devices, including microSD, SD, MMC, eMMC, and iNAND.

The problem, Huang wrote, is that the firmware loading and update mechanism of those microcontrollers is not secured. He said in observing electronics markets in China, he had seen shop keepers, "burning firmware on cards that 'expand' the capacity of the card -- in other words, they load a firmware that reports the capacity of a card is much larger than the actual available storage."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News