SD Cards Aren’t As Secure As We Think

SD Cards Aren’t As Secure As We Think: The hardware hacker Bunnie Huang gave a talk at the Chaos Compute Club Congress where he offered some good news and some bad news. The good news? SD cards contain powerful, handy micro controllers that are useful to hackers and hobbyists. The bad news? SD cards are woefully insecure.

In a detailed and readable post, Huang describes the exact problems with Flash memory. In order to reduce the price and increase the storage space, engineers have to fight a never-ending form of internal entropy that slowly but surely scrambles the data on every Flash drive.

Huang writes:

Flash memory is really cheap. So cheap, in fact, that it’s too good to be true. In reality, all flash memory is riddled with defects — without exception. The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions. This is the result of a constant arms race between the engineers and mother nature; with every fabrication process shrink, memory becomes cheaper but more unreliable. Likewise, with every generation, the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale.
To take up arms against these errors, SD cards are essentially over-engineered to ensure an acceptable level of data retention. They also contain firmware that can, for example, change the visible available space on the card without changing the actual available space. This means you could sell a 2GB card as a 4GB card – your computer wouldn’t notice a difference until it started filling up that fake space. You can, incidentally, check your cards with this tool.

Here’s the worse news: because these cards contain firmware, this firmware can be updated. Huang reports that most manufacturers leave this update feature unsecured. In other words, don’t ever assume a Flash device is empty after you wipe its contents. For example, the card could make a copy of the contents in a hidden memory area or it could run malicious software while idle.

And the good news: Huang also notes that these cards could be reprogrammed to become Arduino-esque open source microcontroller and memory systems. “An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price,” he writes.

So, in short, destroy your SD cards if you have any dirty info on them and keep your eyes peeled for ultra-small, ultra-fast Arduino hacks.