An SD card (Secure Digital card) is a type of non-volatile memory card commonly used in most mobile devices today, from smartphones and cameras to laptops. In use since 1999, it is a cheap way to store massive amounts of data. The name contains the word “secure”, but how secure is this memory type really?
At the Chaos Computer Club Congress, hardware hacker Bunnie Huang spoke about SD cards. The good news is that these cards come with tiny microcontrollers, which makes them useful for hackers. The bad news is that they are not secure.
Huang says that
“Flash memory is really cheap. So cheap, in fact, that it’s too good to be true. In reality, all flash memory is riddled with defects — without exception. The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions. This is the result of a constant arms race between the engineers and mother nature; with every fabrication process shrink, memory becomes cheaper but more unreliable. Likewise, with every generation, the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale.”
Manufacturers have come up with ways to ensure that these cards retain data at acceptable levels. The cards also come with firmware that can be updated; however, this update feature is mostly left unsecured.
The firmware is usually updated by manufacturers at the factory. There are instances, however, such as in China, where SD card firmware is updated at shops to “expand” its capacity. This way an original 4GB card appears to be a 16GB card, which can then be sold at a higher price. This situation proves that firmware access to the SD card is not secure.
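A host can check for the relabelled-capacity case described above by filling the advertised range with index-unique data and reading it back. The sketch below is an added example, not code from Huang's talk or from this article; `ModelCard` and its `wrap` and `drop` behaviours are constructed assumptions about how a card that advertises more blocks than it has might respond.

```python
import hashlib

BLOCK = 512  # bytes per logical block in this model

def pattern(index, size=BLOCK):
    """Block contents unique to the block index, so aliased blocks are detectable."""
    seed = hashlib.sha256(index.to_bytes(8, "big")).digest()
    return seed * (size // len(seed))

class ModelCard:
    """Constructed stand-in for a card: advertises `advertised` blocks but only
    `real` are backed. mode='wrap' aliases high addresses onto low ones,
    mode='drop' silently discards writes past the real size."""
    def __init__(self, advertised, real, mode="wrap"):
        self.advertised, self.real, self.mode = advertised, real, mode
        self._cells = [bytes(BLOCK)] * real

    def write(self, index, data):
        if index < self.real:
            self._cells[index] = data
        elif self.mode == "wrap":
            self._cells[index % self.real] = data

    def read(self, index):
        if index < self.real:
            return self._cells[index]
        return self._cells[index % self.real] if self.mode == "wrap" else bytes(BLOCK)

def verified_blocks(card):
    """Write every advertised block, highest address first, then read back in
    ascending order. Returns how many leading blocks hold what was written.
    Writing downward means the low blocks are written last, so aliasing cannot
    clobber them and the first mismatch marks the real size."""
    for i in reversed(range(card.advertised)):
        card.write(i, pattern(i))
    for i in range(card.advertised):
        if card.read(i) != pattern(i):
            return i
    return card.advertised

if __name__ == "__main__":
    for card in (ModelCard(64, 64), ModelCard(64, 16, "wrap"), ModelCard(64, 16, "drop")):
        print(card.mode, card.advertised, "advertised ->", verified_blocks(card), "verified")
```

Run against a real device, a test of this kind overwrites everything on the card. It only detects misreported capacity; it says nothing about what else modified firmware might do.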
A person with malicious plans could change the firmware so that it copies the contents of the card into a hidden space. Modified firmware could also be used to run malicious software on an Android smartphone when the hardware is left idle.
The good news is that DIY enthusiasts and hackers now have access to a cheap and powerful microcontroller for their projects. “An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price. While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C or SPI-based sensors.”