SD flash memory cards, in their various formats, are commonly used in portable devices such as digital cameras, recorders, tablets and mobile phones, but also in some PCs, video game consoles and embedded systems.
Unfortunately, as the two researchers showed to the crowd at the 30th edition of the Chaos Computer Congress held last week in Hamburg, some of these cards contain vulnerabilities that can be exploited to remotely execute malicious code on the cards themselves, allowing attackers to mount a Man-in-the-Middle type of attack.
To be able to explain how the attack works, they first had to explain how an SD flash card is structured:
Flash memory is really cheap. So cheap, in fact, that it’s too good to be true. In reality, all flash memory is riddled with defects — without exception. The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions. This is the result of a constant arms race between the engineers and mother nature; with every fabrication process shrink, memory becomes cheaper but more unreliable. Likewise, with every generation, the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale.
These algorithms are too complicated and too device-specific to be run at the application or OS level, and so it turns out that every flash memory disk ships with a reasonably powerful microcontroller to run a custom set of disk abstraction algorithms. Even the diminutive microSD card contains not one, but at least two chips — a controller, and at least one flash chip (high density cards will stack multiple flash die).
Unfortunately, the combinations and the quality of these chips vary widely, and the complexity of the implementation process guarantees that firmware bugs will keep popping up.
"The crux is that a firmware loading and update mechanism is virtually mandatory, especially for third-party controllers. End users are rarely exposed to this process, since it all happens in the factory, but this doesn’t make the mechanism any less real," Huang explained.
"In my explorations of the electronics markets in China, I’ve seen shop keepers burning firmware on cards that 'expand' the capacity of the card — in other words, they load a firmware that reports the capacity of a card is much larger than the actual available storage. The fact that this is possible at the point of sale means that most likely, the update mechanism is not secured."
The two researchers proved that the unsecured firmware updating sequences can be exploited to add new applications to the controller, and make it do something that it was initially not intended to do.
They tested this approach on several cards equipped with a microcontroller by Appotech, "a relatively minor player in the SD controller world," but say that there are many more controllers out there, and that their offerings should be researched as well.
"From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card’s microcontroller," Huang pointed out.
"Those in high-risk, high-sensitivity situations should assume that a 'secure-erase' of a card is insufficient to guarantee the complete erasure of sensitive data. Therefore, it’s recommended to dispose of memory cards through total physical destruction."
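The reason an overwrite through the SD interface cannot be trusted follows from the disk abstraction the controller runs: the host never addresses physical flash directly. The toy model below is an added illustration, not code from the talk or from any real controller; it assumes a simplified copy-on-write mapping with no garbage collection and a constructed sample secret.

```python
# Added illustrative model, not code from the talk: a toy flash translation
# layer (FTL) showing why overwriting a sector through the host interface does
# not remove the old data from the physical flash underneath the controller.
PAGE_BYTES = 16
ERASED = b"\xff" * PAGE_BYTES  # NAND pages read as all-ones after a block erase


class ToyFlashCard:
    """Host sees logical sectors; the controller maps each write to a fresh
    physical page (flash cannot be rewritten in place, only block-erased),
    so the previous copy stays in NAND until garbage collection erases it."""

    def __init__(self, physical_pages=8):
        self.pages = [ERASED] * physical_pages  # raw NAND contents
        self.l2p = {}                           # logical sector -> physical page
        self.next_free = 0

    def write(self, logical, data):
        if self.next_free >= len(self.pages):
            raise RuntimeError("out of free pages (garbage collection not modelled)")
        self.pages[self.next_free] = data.ljust(PAGE_BYTES, b"\x00")[:PAGE_BYTES]
        self.l2p[logical] = self.next_free      # remap; the old page is now stale
        self.next_free += 1

    def read(self, logical):
        """What the host sees through the SD interface."""
        return self.pages[self.l2p[logical]] if logical in self.l2p else ERASED

    def host_secure_erase(self, logical):
        """A host-side 'secure erase': overwrite the sector with zeros."""
        self.write(logical, b"\x00" * PAGE_BYTES)

    def raw_copies_of(self, marker):
        """Physical view: pages still holding the marker. Only code running on
        the controller (or a chip-off read) sees this, which is why the host
        cannot verify that an overwrite really removed the data."""
        return sum(1 for page in self.pages if page.startswith(marker))


def secure_erase_demo():
    """Returns (host view of sector 0 after erase, stale raw copies of the secret)."""
    card = ToyFlashCard()
    secret = b"SECRET"                          # constructed sample data
    card.write(0, secret)
    card.write(0, secret)                       # a second save, as apps often do
    card.host_secure_erase(0)
    return card.read(0), card.raw_copies_of(secret)


if __name__ == "__main__":
    host_view, stale = secure_erase_demo()
    print(f"host reads sector 0 as {host_view!r}; stale raw copies: {stale}")
```

The host sees an all-zero sector, while two physical pages still hold the secret; a real controller's wear levelling and bad-block remapping make the stale set larger and less predictable, and since the firmware doing the mapping cannot be attested, only physical destruction removes the uncertainty.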
For those interested in more details, the video of the researchers' presentation can be found here.