AMITIAE - Monday 20 January 2014
Cassandra: The Illusions of Perfect Data and Perfect Security - Risks with SD Cards
By Graham K. Rogers
Illusions Deconstructed
In an outline of problems with flash memory, xobs & bunnie (Andrew Huang and Sean Cross) pointed out, at a presentation that took place at the recent Computer Chaos Club Conference in Hamburg, that the controller incorporated into most SD memory cards, which costs around 25c, is a compromise, but one that can cause security and data safety problems for users. A video of the presentation is available online at SecurityTube along with an extended summary of the concepts.
SD memory is rather unsafe, he said, partly because of the economics of producing such cards. There are frequently bad blocks, sometimes up to 80%, so 16 GB chips are sold as 2 GB. To some applause, bunnie mentioned that what is stored is a "probabilistic approximation of your data". Some of the latest cards are only good for less than 1,000 erase cycles.
The inclusion of the microcontroller on the chip sets up the technology for the possibility of the "man in the middle" attack. Having discovered the potential for such weaknesses, the pair set out to develop the tools for an attack that would enable the SD card to be controlled.
Having bought an assortment of SD cards in a market in China, some of which were fake, they pulled the cards apart to reveal the circuitry. He outlined some of the components and the ways that some of the fake cards are made.
Having deconstructed the chips, they used some of the equipment they developed to test the cards. A later development used flexible PCB boards. bunnie also described some of the other equipment that was used in the analysis.
They assumed that firmware on the controller had to get there somehow, and xobs explained how a flashing tool was acquired: using Baidu they were easily able to download the (Windows) software to program the card. It was the top hit when I tried, with the 4th entry a reference to the conference presentation, including some of their screenshots.
While using the software, they made some discoveries as to how the card could be programmed, including the point that three of the 64 SD codes were reserved for the manufacturer. By sending random commands, they were able to discover where there were weaknesses that could be exploited. They were subsequently able to reverse engineer the card.
They initially worked with earlier cards that used the AX211, then updated their research to examine the AX215, which does have slightly stronger processes. They did bring a couple of bags of SD cards so that those interested at the conference would be able to try out the processes themselves.
Time for Tinfoil Hats
Having outlined the weaknesses and the ways that cards might be accessed, it was time for the possible scenarios. As SD cards are so massive (bunnie said), there is lots of space to hold files for malicious purposes:
We have always trusted that these controllers have been running properly, but "there is no method to attest to the code that is running inside. . . ."
There are similar cards inside some Samsung phones and when the manufacturer pushed out a firmware update, some were able to find that these were also capable of being compromised. Other cards (like TLC) also have weaknesses that have the potential for being exploited.
These problems may apply to SD cards, micro-SD cards, eMMC, SSD USB controllers. The controller program is modifiable and is therefore open to a number of attack scenarios. On the plus side, the open nature of these controllers allows their use in projects, for example as inexpensive data loggers.
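Because the host cannot attest to the firmware running on the controller, one mitigation is to treat the card as untrusted storage and authenticate every block on the host. The sketch below is an added example, not material from the presentation or this article; `UntrustedCard`, the 512-byte block size and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK = 512   # payload bytes per logical block (assumed size)
TAG = 32      # length of an HMAC-SHA256 tag

class UntrustedCard:
    """Constructed stand-in for a card: its controller may return anything."""
    def __init__(self):
        self.blocks = {}

    def write(self, index, raw):
        self.blocks[index] = raw

    def read(self, index):
        return self.blocks.get(index, b"\x00" * (BLOCK + TAG))

def _tag(key, index, data):
    # Binding the index stops a valid block being served from another address.
    return hmac.new(key, index.to_bytes(8, "big") + data, hashlib.sha256).digest()

def sealed_write(card, key, index, data):
    """Store the data followed by a tag computed on the host, never on the card."""
    if len(data) != BLOCK:
        raise ValueError("data must be exactly one block")
    card.write(index, data + _tag(key, index, data))

def verified_read(card, key, index):
    """Return the block's data, or raise if the card returned something else."""
    raw = card.read(index)
    data, tag = raw[:BLOCK], raw[BLOCK:]
    if len(raw) != BLOCK + TAG or not hmac.compare_digest(tag, _tag(key, index, data)):
        raise ValueError(f"block {index}: integrity check failed")
    return data

def audit(card, key, indices):
    """Return the indices whose contents fail verification."""
    bad = []
    for i in indices:
        try:
            verified_read(card, key, i)
        except ValueError:
            bad.append(i)
    return bad
```

The tag catches altered, relocated and never-written blocks, but not a rollback to an older copy of the same block; detecting that needs a version counter kept off the card.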
The presentation had enough time to allow a well-received demo (start 41:57) and they showed how the exploit could work using hardware they had built themselves.
Later in the day, Andrew Huang and Sean Cross (xobs and bunnie) were to outline some of the new developments on the Novena project they are involved in. Someone should snap up this talented pair right away.
Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand where he is also Assistant Dean. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs.