Connect with us

Hi, what are you looking for?



Researchers Demonstrate MicroSD Card Hack

A pair of security researchers uncovered a way to hack some SD cards and potentially go undetected.

A pair of security researchers uncovered a way to hack some SD cards and potentially go undetected.

The researchers, Andrew ‘bunnie’ Huang and Sean ‘xobs’ Cross, unveiled details of their research at the Chaos Communication Congress (3OC3). According to the duo, a hacker could implement an attack that allows them to execute arbitrary code on certain memory cards. The research focused on Appotech and its AX211 and AX215 models.

“We discover a simple “knock” sequence transmitted over manufacturer-reserved commands (namely, CMD63 followed by ‘A’,’P’,’P’,’O’) that drop the controller into a firmware loading mode,” blogged Huang. “At this point, the card will accept the next 512 bytes and run it as code.”

“From this beachhead, we were able to reverse engineer (via a combination of code analysis and fuzzing) most of the [8051 microcontroller’s] function specific registers, enabling us to develop novel applications for the controller, without any access to the manufacturer’s proprietary documentation,” he explained. “Most of this work was done using our open source hardware platform, Novena, and a set of custom flex circuit adapter cards (which, tangentially, lead toward the development of flexible circuit stickers aka chibitronics).”

Advertisement. Scroll to continue reading.

“Significantly, the SD command processing is done via a set of interrupt-driven call backs processed by the microcontroller,” he added. “These callbacks are an ideal location to implement an MITM [man-in-the-middle] attack.”

It is not clear, he blogged, how many other manufacturers have unsecure firmware updating sequences.  

“From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card’s microcontroller,” Huang explained. “Those in high-risk, high-sensitivity situations should assume that a “secure-erase” of a card is insufficient to guarantee the complete erasure of sensitive data. Therefore, it’s recommended to dispose of memory cards through total physical destruction (e.g., grind it up with a mortar and pestle).”

“From the DIY [do-it-yourself] and hacker perspective, our findings indicate a potentially interesting source of cheap and powerful microcontrollers for use in simple projects. An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price. While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C or SPI-based sensors.”

A video presentation on the attack is embedded below.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.