A pair of security researchers uncovered a way to hack some SD cards and potentially go undetected.
The researchers, Andrew ‘bunnie’ Huang and Sean ‘xobs’ Cross, unveiled details of their research at the Chaos Communication Congress (3OC3). According to the duo, a hacker could implement an attack that allows them to execute arbitrary code on certain memory cards. The research focused on Appotech and its AX211 and AX215 models.
“We discover a simple “knock” sequence transmitted over manufacturer-reserved commands (namely, CMD63 followed by ‘A’,’P’,’P’,’O’) that drop the controller into a firmware loading mode,” blogged Huang. “At this point, the card will accept the next 512 bytes and run it as code.”
“From this beachhead, we were able to reverse engineer (via a combination of code analysis and fuzzing) most of the [8051 microcontroller’s] function specific registers, enabling us to develop novel applications for the controller, without any access to the manufacturer’s proprietary documentation,” he explained. “Most of this work was done using our open source hardware platform, Novena, and a set of custom flex circuit adapter cards (which, tangentially, lead toward the development of flexible circuit stickers aka chibitronics).”
“Significantly, the SD command processing is done via a set of interrupt-driven call backs processed by the microcontroller,” he added. “These callbacks are an ideal location to implement an MITM [man-in-the-middle] attack.”
It is not clear, he blogged, how many other manufacturers have unsecure firmware updating sequences.
“From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card’s microcontroller,” Huang explained. “Those in high-risk, high-sensitivity situations should assume that a “secure-erase” of a card is insufficient to guarantee the complete erasure of sensitive data. Therefore, it’s recommended to dispose of memory cards through total physical destruction (e.g., grind it up with a mortar and pestle).”
“From the DIY [do-it-yourself] and hacker perspective, our findings indicate a potentially interesting source of cheap and powerful microcontrollers for use in simple projects. An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price. While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C or SPI-based sensors.”
A video presentation on the attack is embedded below.