Two researchers have demonstrated an attack that could allow malware to alter and steal data direct from MicroSD cards, using tiny microcontrollers on the cards themselves. The attack could be used to copy or steal data – and even modify sensitive data such as encryption keys.
Even cards that have, in theory, been ‘erased’ could carry such malware, independent researchers Andrew “bunnie” Huang and Sean “xobs” Cross warned in a talk and blog post this week, and say that in high-sensitivity environments, the best way to dispose of such cards is with a “mortar and pestle”.
In a video demonstration, they describe the vulnerability, which could allow attackers access to “keys” used to access sensitive data, as perfect for “man in the middle” attacks. “Man in the middle” attacks intercept or alter data as it is transmitted, for instance by working within internet browser software, and are used in malware such as the advanced banking Trojan Hesperbot, analyzed by ESET researcher Robert Lipovsky here.
The researchers, who unveiled their technique at the Chaos Computer Congress in Berlin,say that the attack may well be possible against the solid-state drives increasingly used as a replacement for hard drives in PCs, or against the embedded memory in mobile devices such as smartphones, according to CNET’s report.
“Some SD cards contain vulnerabilities that allow arbitrary code execution — on the memory card itself,” the researchers write. “On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else.”
The researchers claim that current memory cards are so riddled with errors that each ships with a microcontroller – and on some models, it is possible to force this controller to execute code. The controllers are put in place to manage the fact that flash memory is “riddled with defects” – the downside of such cheap, portable storage.
“Flash memory is really cheap. So cheap, in fact, that it’s too good to be true. In reality, all flash memory is riddled with defects — without exception. The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions,” the researchers say.
This means that every “managed flash” device – including, the researchers claim, “microSD, SD, MMC as well as the eMMC and iNAND devices typically soldered onto the mainboards of smartphones and used to store the OS and other private user data,” has a microcontroller that can be subverted, and that “similar classes of vulnerabilities exist in related devices, such as USB flash drives and SSDs.”
“Even the diminutive microSD card contains not one, but at least two chips — a controller, and at least one flash chip (high density cards will stack multiple flash die).”
The vulnerability comes due to the fact that manufacturers need to update code on these controllers, according to Boy Genius Report.
“In some cases, the microcontroller and its firmware are not secured,” the site reported, “Hackers who knew how to take advantage of this series of flaws… would be able to replace the default firmware on the microcontroller with malware.”
The researchers demonstrated an attack against two models of Apppotech SD card which would allow a simple sequence of commands to ‘force’ the card to run the next 512 bytes of information it received as code – enough, the researchers say, to take over the card and run programmes of their own.
“From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card’s microcontroller,” the researchers say.
“Those in high-risk, high-sensitivity situations should assume that a “secure-erase” of a card is insufficient to guarantee the complete erasure of sensitive data. Therefore, it’s recommended to dispose of memory cards through total physical destruction (e.g., grind it up with a mortar and pestle).”
Author Rob Waugh, We Live Security