At the Chaos Communication Congress (30C3), researchers “bunnie” and “xobs” have revealed the existence of vulnerabilities in Secure Digital (SD) memory cards that can be exploited for arbitrary code execution.
The security holes in memory cards can be leveraged for man-in-the-middle (MITM) attacks. In addition, the flaws can be used by hardware enthusiasts to gain access to the microcontrollers integrated into such devices
The researchers have performed their tests on products from AppoTech, particularly the AX211 and AX 215 models. However, other brands might contain similar vulnerabilities.
“We discover a simple ‘knock’ sequence transmitted over manufacturer-reserved commands (namely, CMD63 followed by ‘A’,’P’,’P’,’O’) that drop the controller into a firmware loading mode. At this point, the card will accept the next 512 bytes and run it as code,” bunnie noted in a blog post published after their presentation.
By reverse engineering the function specific registers in the 8051 microcontroller, they’ve managed to create new applications even without access to documentation from the vendor.
It’s worth noting that the experts have used the open source hardware platform Novena and some custom flexible circuit adapter cards.
“From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card’s microcontroller,” bunnie added.
So what can users learn from all this? The most important lesson is that there’s no guarantee that by secure-erasing a card, the sensitive information that’s stored on it is completely deleted. This should be taken into consideration particularly in “high-risk, high-sensitivity situations.”
Experts recommend the physical destruction of memory cards to ensure that sensitive information is erased before disposing of them.