Hacker Team Discovers Security Risks in Common SD and microSD Memory Cards


An SD card is just a piece of plastic with some flash memory in it, right? And flash memory is a pretty safe way to store data, right? And formatting an SD card is enough to erase all sensitive data on it … right? No, absolutely not. As a matter of fact, common flash memory devices such as SD and microSD cards are much more than just the memory that holds your data, and they’re much less safe than we’d all wish them to be. At least that’s what a hacker team recently reported at the Chaos Computer Congress.

What “Team Kosagi” found out when they took a closer look at the internal architecture of SD cards is more than just concerning–it’s downright frightening. Just like most other integrated circuits, the flash memory chips are getting smaller and smaller with each new generation, while at the same time offering more and more space. This trend of downsizing the circuits while providing better performance comes with a huge drawback, though, and that is reliability. As Team Kosagi put it in their blog post,

“with every fabrication process shrink, memory becomes cheaper but more unreliable. Likewise, with every generation, the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale.”

However, said compensation does not happen in the device reading the memory card; it happens in the memory card itself. In fact, every SD card comes with its own controller running firmware that does the actual writing to and reading from the flash memory, and that contains the algorithms necessary to work around the specific problems of each SD card–some of which come with flash chips that contain up to 80% (sic!) bad sectors.

How does that happen? Not every SD card contains silicon that comes fresh out of the factory, you see. Actually, many SD cards on the market use chips that have been refurbished. And the older electronics get, the more likely they are to fail. Unfortunately, it’s impossible to detect whether a newly purchased SD card runs on good or bad (i.e. deteriorated) flash memory.

But it gets worse. Due to the fact that each card comes with its own microprocessor that does the computing necessary to keep your data together, it could eventually be hacked to run malicious code once provided with power. It’s not entirely clear from the report in what way that could be used, but it’s frightening enough that it is even possible.

Oh, and if you thought you could just delete sensitive data by formatting your SD card–it’s even possible for the card’s firmware to hide parts of the memory from your computer or camera, and secretly copy all your data to that hidden area. So in order to make sure that your data is really gone, there’s only one way: smash the card to pieces. Really really tiny pieces.

Also, make sure you only buy from a reputable dealer. Or you could accidentally end up with a fake card that comes with bad flash memory, less actual capacity than advertised, and in the worst case a hacked firmware that runs malicious code once you put it into your computer or camera.
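One way to check a new card for the "less actual capacity than advertised" problem, shown as an added example (not from the original article or from Team Kosagi): write a unique, position-dependent pattern to every block, then read everything back. `WrappingCard` is a constructed simulation that assumes the fake silently wraps addresses; the check covers capacity only and says nothing about hidden areas or malicious firmware.

```python
import hashlib

BLOCK = 4096  # bytes per test block (assumed size, not from the article)

def pattern(seed: bytes, index: int) -> bytes:
    """Deterministic, position-dependent block so aliased writes are detectable."""
    return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(BLOCK)

def verify_capacity(dev, advertised_blocks: int, seed: bytes = b"constructed-seed"):
    """Fill the device, then read it all back.
    Returns (good_blocks, first_bad_index or None)."""
    for i in range(advertised_blocks):        # pass 1: write every block
        dev.seek(i * BLOCK)
        dev.write(pattern(seed, i))
    dev.flush()
    good, first_bad = 0, None
    for i in range(advertised_blocks):        # pass 2: read back and compare
        dev.seek(i * BLOCK)
        if dev.read(BLOCK) == pattern(seed, i):
            good += 1
        elif first_bad is None:
            first_bad = i
    return good, first_bad

class WrappingCard:
    """Constructed model of a fake card: accepts `advertised` blocks but
    stores only `real` blocks, silently wrapping higher addresses."""
    def __init__(self, advertised: int, real: int):
        self.advertised, self.real = advertised, real
        self.store = bytearray(real * BLOCK)
        self.pos = 0
    def seek(self, offset: int) -> int:
        self.pos = offset
        return offset
    def write(self, data: bytes) -> int:
        start = self.pos % len(self.store)    # the wrap the host never sees
        self.store[start:start + len(data)] = data
        self.pos += len(data)
        return len(data)
    def read(self, n: int) -> bytes:
        start = self.pos % len(self.store)
        self.pos += n
        return bytes(self.store[start:start + n])
    def flush(self) -> None:
        pass

if __name__ == "__main__":
    fake = WrappingCard(advertised=16, real=4)
    print("fake card:  ", verify_capacity(fake, fake.advertised))
    honest = WrappingCard(advertised=8, real=8)
    print("honest card:", verify_capacity(honest, honest.advertised))
```

Against a real card, `dev` would be the card's block device opened in binary read/write mode, which overwrites everything on it. The card has to be re-inserted (or host caches dropped) between the two passes so the reads come from the card and not from host memory.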

Via TechCrunch
