At Chaos Communication Congress (30C3) – the 30th iteration of an annual hacker conference that took place in Hamburg, Germany from Dec. 27, 2013 to Dec. 30, 2013 – two researchers disclosed vulnerabilities that allow for arbitrary code execution on a variety of SD cards.
Andrew “bunnie” Huang and Sean “xobs” Cross spent an hour on stage demonstrating exactly how they were able to reverse engineer SD cards to perform surreptitious attacks. The duo posted the details of their research in an extensive blog, written by Huang.
“On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else,” Huang wrote in the blog. “Significantly, the SD command processing is done via a set of interrupt-driven call backs processed by the microcontroller. These callbacks are an ideal location to implement an MITM attack.”
What that means, ultimately, is that a hacker can rig the card to perform an attack against any device it is plugged into, all while appearing to be completely harmless. The researchers explained that an attacker can pull this off for about $20, making this a cheap and accessible threat.
“While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C- or SPI-based sensors,” Huang wrote in the blog.
The two researchers explained that this applies to all “managed flash” devices, including SD cards, microSD cards and MultiMediaCards (MMC), as well as eMMC and iNAND devices that store operating systems and private data. They added that similar exploits exist in USB drives and solid-state drives.