Andrew “bunnie” Huang and Sean “xobs” Cross have discovered a way to hack even the small microSD cards that go inside current smartphones and tablets to increase their storage, as well as other flash-based memory solutions, and presented their findings at the Chaos Computer Congress (30C3). In a detailed blog post on bunnie:studios, Huang explained how the hack works and why many flash cards are susceptible to being hacked and used for malicious purposes by people who are aware of this potentially serious security vulnerability.
The problem with flash memory is that it’s not flaw-free, and the companies that make flash-based devices are likely to “fix” the hardware issues with the help of sophisticated software that runs on a microcontroller and is able to deal with errors and bad sectors. The firmware that makes the “fixes” possible resides in an ARM-based microcontroller that operates at speeds of up to 100MHz and costs only around $0.15 to $0.30 to include in each flash storage device.
However, the preloaded software is not bug-free, and therefore flash storage makers need to be able to update it. In some cases, the microcontroller and its firmware are not secured either, and that’s where hackers who know how to take advantage of this series of “flaws” come in. They would be able to replace the default firmware on the microcontroller with malware that is able to deliver “man in the middle attacks” – the flash storage unit would behave in one way, but it would do something else instead. Compromised cards can’t be detected with custom security protocols, as there aren’t standard protocols in place to deal with such hacks. The only way to deal with a compromised card would be to physically destroy it.
In addition to microSD cards, other types of flash memory can be affected by such hacks, including SD and MMC cards, “as the eMMC and iNAND devices typically soldered onto the mainboards of smartphones and used to store the OS and other private user data,” Huang writes. Even USB flash drives and SSDs could have similar vulnerabilities.
In a recent Der Spiegel report that detailed some of the NSA’s spying operations, it was revealed that the agency can take advantage of the firmware of hard drives manufactured by various companies to install spy malware.
A video of the microSD teardown presentation at 30C3 (“30C3: Exploration and Exploitation of an SD Memory Card”) follows below.