30C3: SD card tricks can deliver MITM attacks

Jan 01, 2014 by Nancy Owano
Credit: bunniestudios

(Phys.org) —This year's 30th Chaos Communication Congress (30C3) in Hamburg, held December 27 to December 30, carried numerous informative presentations, including a reverse-engineering story about SD cards, which two investigators explored for malware potential. The presenters, identified as "bunnie" and "xobs," took center stage to discuss their work in a talk titled "The Exploration and Exploitation of an SD Memory Card." (SD cards are the small flash-memory cards used to store data on phones, digital cameras and other portable devices.) As Gizmodo put it, "the next time you plug in an SD card, just remember that it's actually a tiny computer of its own." The two found that some SD cards contain vulnerabilities that allow arbitrary code execution on the memory card itself: they reverse-engineered the embedded microcontroller and loaded their own code into it.

The talk's abstract framed the attack surface this way: "All 'managed FLASH' devices, such as SD, microSD, and SSD, contain an embedded controller to assist with the complex tasks necessary to create an abstraction of reliable, contiguous storage out of FLASH silicon that is fundamentally unreliable and unpredictably fragmented. This controller is an attack surface of interest."

In his blog, bunnie wrote more on the topic: "From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card's microcontroller." ("MITM" refers to a man-in-the-middle attack; here, they said, the card may seem to be behaving one way but in fact does something else.) "Those in high-risk, high-sensitivity situations should assume that a 'secure-erase' of a card is insufficient to guarantee the complete erasure of sensitive data. Therefore, it's recommended to dispose of memory cards through total physical destruction (e.g., grind it up with a mortar and pestle)."
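As an added illustration, not code from the talk or from bunnie's blog, the following Python model shows why the controller abstraction in the abstract leads to the two conclusions quoted above: a host-side overwrite reaches only the logical view, not the stale physical copies the controller leaves behind (which is also why the same knowledge aids data recovery), and firmware sitting on the read path can hand the host something other than what is stored, while a raw dump of the die still looks clean. The page size, the number of physical versus advertised pages, the "BOOT:" tag and the tamper rule are all constructed assumptions for the example.

```python
"""Toy model of a managed-flash controller, the 'tiny computer' inside an SD card.

Constructed example, not code from the 30C3 talk or from bunniestudios. Real
controllers are far more complex; the model keeps only the properties the article
relies on: writes go out-of-place, old copies linger until the controller decides
to reclaim them, the host sees only the logical view, and the firmware sits
between the host and the flash on every read.
"""

PAGE_SIZE = 16
ERASED = b"\xff" * PAGE_SIZE   # NAND reads back as all-ones after an erase


class RawFlash:
    """The physical pages, as the host never sees them (only a raw dump would)."""

    def __init__(self, n_pages):
        self.pages = [ERASED] * n_pages

    def program(self, idx, data):
        # NAND can only be programmed after an erase; model that rule.
        if self.pages[idx] != ERASED:
            raise RuntimeError("program without erase")
        self.pages[idx] = data

    def erase(self, idx):
        self.pages[idx] = ERASED


class Controller:
    """Flash translation layer: logical block -> physical page, written out-of-place."""

    def __init__(self, flash, logical_blocks, hook=None):
        self.flash = flash
        self.n_logical = logical_blocks            # capacity advertised to the host
        self.map = {}                              # logical block -> physical page
        self.free = list(range(len(flash.pages)))  # spare pages the host never sees
        self.hook = hook                           # hypothetical firmware mod on the read path

    def write(self, lba, data):
        if not (0 <= lba < self.n_logical) or len(data) != PAGE_SIZE:
            raise ValueError("bad write")
        new = self.free.pop(0)           # fresh page; the old copy is NOT erased here
        self.flash.program(new, data)
        self.map[lba] = new              # old page becomes stale, reclaimed only by GC

    def read(self, lba):
        page = self.map.get(lba)
        data = ERASED if page is None else self.flash.pages[page]
        return self.hook(lba, data) if self.hook else data

    def host_secure_erase(self):
        """What a host-side 'overwrite every block with zeros' achieves here."""
        for lba in range(self.n_logical):
            self.write(lba, b"\x00" * PAGE_SIZE)


def recover_from_raw(flash, needle):
    """Forensic raw dump: physical pages still holding the 'erased' data."""
    return [i for i, p in enumerate(flash.pages) if p == needle]


class TamperOnSecondRead:
    """Hypothetical malicious firmware: the first read of a tagged block (say, the
    host's integrity check) returns the real bytes; later reads (say, the actual
    boot) return a substituted image. The stored bytes are never changed."""

    def __init__(self):
        self.seen = set()

    def __call__(self, lba, data):
        if not data.startswith(b"BOOT:"):
            return data
        if lba not in self.seen:
            self.seen.add(lba)
            return data
        return b"BOOT:evil-image!"


def erase_demo():
    """Host sees zeros after 'secure erase'; the die still holds the secret."""
    flash = RawFlash(16)                           # 16 physical pages ...
    ctl = Controller(flash, logical_blocks=4)      # ... but only 4 advertised
    secret = b"SECRET-KEY-0001!"
    ctl.write(0, secret)
    ctl.host_secure_erase()
    host_view = [ctl.read(i) for i in range(4)]
    return host_view, recover_from_raw(flash, secret)


def mitm_demo():
    """Same stored bytes, two different answers to the host."""
    flash = RawFlash(16)
    ctl = Controller(flash, logical_blocks=4, hook=TamperOnSecondRead())
    ctl.write(1, b"BOOT:good-image!")
    first, second = ctl.read(1), ctl.read(1)
    return first, second, flash.pages[ctl.map[1]]


if __name__ == "__main__":
    view, leftovers = erase_demo()
    print("host view after erase:", view)
    print("raw pages still holding the secret:", leftovers)
    print("reads of the same block:", mitm_demo()[:2])
```

The point of the second demo is the one bunnie makes about detectability: a host that hashes the block once and then trusts it learns nothing, because the only vantage point from which the substitution is visible is inside the controller, and there is no attestation interface to get there.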

At the same time, they said, understanding the inner workings of the controller enables opportunities for data recovery in cards that are thought to have been erased, or that have been partially damaged. "Bunnie" is Andrew "bunnie" Huang. He has a Ph.D. in electrical engineering from MIT and authored the book Hacking the Xbox: An Introduction to Reverse Engineering. Xobs is Sean Cross.


The Chaos Communication Congress is described as an annual meeting of the "international hacker scene," organized by the Chaos Computer Club, where computer experts gather for lectures and workshops.


More information: www.bunniestudios.com/blog/?p=3554


User comments (9)

Returners
1 / 5 (8) Jan 01, 2014
Now that you've told all the criminals how to do this...
antialias_physorg
5 / 5 (7) Jan 01, 2014
Now that you've told all the criminals how to do this...

As opposed to letting everyone stay in a false sense of security and manufacturers not caring, you mean?

What you advocate is 'security by obscurity' - which is the worst possible way of going about securing anything.
Returners
1 / 5 (6) Jan 01, 2014
Now that you've told all the criminals how to do this...

As opposed to letting everyone stay in a false sense of security and manufacturers not caring, you mean?

What you advocate is 'security by obscurity' - which is the worst possible way of going about securing anything.


No, the prudent course of action would have been to tell the manufacturers discreetly, so it could be corrected, and the criminals need never know it happened.

Too much transparency is indeed a very bad thing. I hope you can see why.
antialias_physorg
5 / 5 (4) Jan 01, 2014
If you just tell the manufacturer in secret they can opt not to change anything...accepting the risk, since it is not their problem if your data gets compromised. They'll only make their own product more costly (read: less competitive) compared to competitors that may decide to continue selling the old kind.

This way they are forced to act because they cannot afford continued bad press. And the first one to bring out a more secure SD card will make a killing on the market. Now that the issue is in the open it is a viable advertising strategy to market "secure SDs".

Keeping weaknesses secret is never a good idea. If the guys at the CCC can figure it out, so can black hat hackers (because in addition to the hacking fun they are motivated by money and don't need to sweat a day job like the white hat hackers do).
Mayday
not rated yet Jan 01, 2014
The video was extremely eye-opening, even mind-blowing. This kind of a look behind the curtain into these little devices that are quickly finding their way into every corner of our lives is very much appreciated. We all are coming to live in an intricately connected electronic ecosystem built on nothing more than blind trust. Happy New Year.
antialias_physorg
5 / 5 (3) Jan 01, 2014
The video was extremely eye-opening, even mind-blowing.

True. I just sat through it and the possibilities for malicious hacking/spying seem to be pretty broad.
One thing they mentioned only in another context is that one could intentionally label good blocks as bad blocks and use those to dump spied data or executables.
Since the computer would never look at these bad blocks (as the microcontroller won't let it) there's no way that one could detect that they are there. With the added problem that you don't know how big the RAM on the inside actually is as compared to what the microcontroller tells you this is pretty hackable.
Virus protection software can scan drives for malicious files - but a file hidden there (and auto run on connect) would never be found.

Scary stuff.
davidivad
5 / 5 (1) Jan 01, 2014
I've been able to do this on pretty much anything with memory for years now. This is common data forensics.
Captain Stumpy
5 / 5 (1) Jan 02, 2014
I've been able to do this on pretty much anything with memory for years now. This is common data forensics.


@davidivad
you work in forensics?
Mike_Massen
not rated yet Jan 12, 2014
Fascinating. Specs on the specific die version of the microcontroller would be of interest. The suggestion by "Bunny" in the dissertation re low-cost data loggers raised my interest; well thought out, there could be a good number of commercial opportunities to consider, and especially so for the microSD form factor where space is a real premium...
Also plugin SD for things like EFI etc in my case is a great advance...