Ask Slashdot: Is Non-USB Flash Direct From China Safe?
Dishwasha (125561) writes: I recently purchased a couple of 128GB MicroSDXC cards from a Chinese supplier via Alibaba at 1/5th the price of what is available in the US. I will be putting one in my phone and another in my laptop. A few days after purchasing, it occurred to me there may be a potential risk with non-USB flash devices similar to USB firmware issues. Does anybody know if there are any known firmware issues with SD or other non-USB flash cards that could effectively allow a foreign seller/distributor to place malicious software on my Android phone or laptop simply on insertion of the device with autoplay turned off?
Yeah, enjoy the rootkit.
Period!
Nope!
It is called the NSA, with a CIA variant.
Maybe.
I would almost guarantee for that price it's a fake card. It's a pretty common practice. It's either smaller than it says (try a write test for the full 128GB) or slower than stated, etc. Assuming you have an Android phone that has unauthorized sources turned off by default, I would think you're relatively safe. I would not say an attack is impossible, though. To my knowledge there is no such thing as autoplay on Android.
Well, you've just made the suggestion in a public forum monitored (at a very low-level) by multiple intelligence agencies. Some intern will now write it up and toss it up the chain, and if someone can develop such a thing, they will.
Yes.
Yes, there are big risks. That's why you need to write the manufacturers and insist they make a public statement. Then people can call them on their contract failure.
Also, your phone and laptop are already 0wn3d by the government and the corps.
That scenario is entirely possible, but the more likely scenarios are:
It could be a smaller device hacked to misreport its size, or
It has PC based malware waiting to be activated when you connect it to a computer.
"Directly from China" is exactly as safe as "made in China and assembled in the US", which is pretty much your alternative.
You'll want to check to make sure you are actually getting a 128GB card. I've gotten a couple of fake flash drives and cards over the years which report the proper capacity and will even format, but when you try to write actual data to the device you end up with corrupt files. If the price is too good to be true, it generally is, so I don't buy cards or sticks from vendors that I can't return anymore. Use H2TESTW to test the speed and capacity of your flash card/device: http://forums.sandisk.com/t5/S...
Or search Google or better yet be lazy and do no research at all and then post a question on Slashdot!
Use some Linux tools to examine any partitions that might appear on the card. Also, use these same tools to wipe the card before use; but, doesn't all that manpower negate any savings? Shouldn't we do these things with any SD card?
If you think you're getting a card for 1/5th the price, you're probably getting 1/5th the card. I have personal experience with cards that claim to be 8GB but only have 1GB of actual flash in them. I won't touch on the malware issue, but before you actually try to make use of the cards you need to find a way to very exhaustively exercise the entire card. I haven't looked for such a program but I hear they're pretty easy to find. If I were writing one I would put a pseudo-random sequence across the entire advertised size of the card, then read it back and confirm that the same pseudo-random sequence comes back. The sequence should be longer than the card, or at the very least not repeat on something like a 1GB boundary. I suspect a common trick in these cards is to simply drop the upper address bits, so you'll read the same contents off e.g. the 2nd GB as you will from the 1st, and all the others.
GStreamer - The only way to stream!
You are just getting it from a reseller if you buy outside China.
...about the 128GB size being faked.
Because I guarantee you that somewhere there is a guy buying them from China in bulk, for 1/5 the price, repackaging them and selling them on Amazon for 3/4 the price.
excitingthingstodo.blogspot.com
Do you work in an industry where industrial secrets matter (aerospace, energy or resource supply)? If yes, use your company-supplied gear.
If not, then the contents of your laptop are games, pr0n, music. The Chinese Do Not Care. The contents of your phone are pictures of your family, cats, food, and texts saying "please come pick me up" (unless you're younger, in which case it's "come to the bar"). The Chinese Do Not Care.
For that price, they are undoubtedly counterfeit. They may be 32GB modules tampered with to say they are 128.
First thing you should do is plug them into your PC, mount them and then attempt to fill the entire thing with 0's with 256MB sized files and see if it actually has the stated capacity.
I would tend to agree with other people: There's really no risk that a SD card is a security problem in the same way that USB is, since it's just storage. However, there is a big risk that any SD card you buy through unusual channels, especially at a ridiculously low rate like 1/5 the price, is just a fake which will start overwriting your data after you get past 1G or 8G or whatever. I absolutely refuse to buy SD cards outside a major physical store chain.
About as far as I could throw China!
Nothing from China is safe. Among countless other problems, it's a country that has no standards and takes no pride in their work.
Regarding your question, I'm not aware of any such exploits offhand, but that doesn't mean that they don't exist. That said, I'm not sure why you think getting a flash drive from China would mean it's any more risky. They are all manufactured in China anyway, and US companies are not the least bit trustworthy.
This is my signature. There are many like it, but this one is mine.
Yes, my 64GB MicroSDHC turned out to be 3.5GB of actual memory, followed by rewrites that corrupt the existing data. Apparently this is very common.
That is certainly possible, especially if your phone is rooted and if you accept third party installation sources, but even just moving apps to the SD card may put you at risk. Your bigger worry however should be that you're getting second rate memory, rebranded memory or even fake memory, where most of the capacity is simply made up by the controller. Sandisk cards from China are almost certain to be fake, for example. At the very least, check the card with h2testw before you put any data on it that you care about. (Link goes to the FTP server of Heise Verlag Germany, where this program was written. You can get it elsewhere, but this is the original.)
SD cards can't impersonate a keyboard, so anything like the USB firmware hack you linked to is impossible. There could be malicious files pre-installed on the drive, but then that's happened to big name suppliers plenty of times too.
As far as I know Android has no facility to run code directly from an SD card anyway, and if you're using an antivirus package worth its salt on your PC it would block any autorun attempt.
I have seen some things labeled as 8Gb cards and they are 1GB. Bits vs. bytes.
It's technically correct! Deceptive, but correct.
In Soviet Russia, girlfriend claps tablet.
The SD* interface doesn't have the _same_ problem that USB does, i.e. BadUSB. It has other issues, though, and an SD card could be made malicious. The issue with USB is that a USB device can be / act as storage, a keyboard, a mouse, a camera, etc. You can plug in a USB device which you think is just a memory stick, but unbeknownst to you, it's also acting as a keyboard and "typing" commands to your computer. A pure SD card interface supports _only_ storage devices, so they can't act as keyboards. They therefore can't directly attack the host device in the same way that USB can.
Android does have some support for SDIO, though, which allows a card to act as a camera, wifi card, or keyboard. I *don't* think Android will by default use an SDIO input device. It's possible that it will, though. I may have to emulate such a card with a microcontroller and see what happens when it is plugged in to various iOS and Android devices. If it works, you just witnessed the birth of badsd, as I haven't heard of anyone doing that before.
What an SD card could do on a pure SD storage interface is muck with any files you put on the card. Suppose you installed towelroot or supersu on the SD card. The controller on the card could inject malware into the executable, and that malware would then be run with the same privileges you have - full root access if you root your phone, or the same access the apps have. Along with injecting malware into your files, the trojan SD card could send your files to the attacker. Wifi adapters can be made that small, so any data saved to the card could be sent to the attacker via the built-in wifi.
Your best defense in that case might be "at 1/5th the price of what is available in the US". A trojaned card like that is going to cost some money to make, particularly the version with built-in wifi. It wouldn't make sense to sell a million of them on Alibaba, losing money on all of them. They would more likely be used in a targeted attack - "mistakenly dropped" on the premises of a defense contractor or R&D lab, maybe even advertised on a forum likely targets tend to visit, such as one related to aerospace engineering or large-scale investments.
One step you could take to protect yourself would be to write and read back some known files of various types and compare their SHA hashes within a VM. The card should return a bit-by-bit identical copy of the file that you copied to it. If you save an .exe or .apk file and it comes back changed, that would be a bad sign. I'd like to hear from anyone who experiences that so we can investigate further.
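The exhaustive non-repeating write/read-back test described in this comment and in the earlier one about cards that drop the upper address bits, as an added Python example that is not part of the original thread. FakeCard is a constructed model of an address-wrapping counterfeit; the write(offset, data)/read(offset, length) callbacks are an assumed interface so the same routine can be pointed at a real block device (which erases it).

```python
import hashlib
import os

CHUNK = 64 * 1024  # test chunk size; a run on a real card would use e.g. 1 MiB

def chunk_pattern(seed: bytes, index: int, size: int = CHUNK) -> bytes:
    """Pseudo-random content for chunk `index`. Keying the stream on the index
    means the sequence never repeats anywhere on the card, so data that comes
    back from the wrong address is recognised and traced to its real origin."""
    return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(size)

def verify_card(write, read, advertised: int, chunk: int = CHUNK, seed: bytes = b""):
    """Write a distinct pattern to every chunk of the advertised capacity, then
    read each chunk back and compare SHA-256 digests (bit-for-bit identity).
    Returns (usable_bytes, problems): usable_bytes counts chunks that came back
    intact (on an address-wrapping fake only the last writes survive, so this is
    the real flash size); problems maps each bad chunk index to the index whose
    data it returned, or None if it matched no chunk (corruption/injection)."""
    seed = seed or os.urandom(16)
    n = advertised // chunk
    digests = {}
    for i in range(n):
        data = chunk_pattern(seed, i, chunk)
        digests[hashlib.sha256(data).digest()] = i
        write(i * chunk, data)
    ok, problems = 0, {}
    for i in range(n):
        got = hashlib.sha256(read(i * chunk, chunk)).digest()
        if digests.get(got) == i:
            ok += 1
        else:
            problems[i] = digests.get(got)
    return ok * chunk, problems

class FakeCard:
    """Constructed model of a counterfeit card: advertises `advertised` bytes
    but holds only `real`; the controller drops the upper address bits, so any
    chunk-aligned access past `real` wraps around to the start of the flash."""

    def __init__(self, advertised: int, real: int):
        assert advertised % real == 0 and real % CHUNK == 0
        self.advertised, self.real = advertised, real
        self.flash = bytearray(real)

    def write(self, offset: int, data: bytes) -> None:
        start = offset % self.real
        self.flash[start:start + len(data)] = data

    def read(self, offset: int, length: int) -> bytes:
        start = offset % self.real
        return bytes(self.flash[start:start + length])

def demo():
    """Scaled-down '128GB' fake with 8 units of real flash: 128 chunks advertised, 8 real."""
    card = FakeCard(advertised=128 * CHUNK, real=8 * CHUNK)
    usable, problems = verify_card(card.write, card.read, card.advertised, seed=b"constructed-seed")
    # usable chunks, number of bad chunks, and which chunk's data chunk 0 now holds
    return usable // CHUNK, len(problems), problems.get(0)
```

On a real card, wrap os.pwrite/os.pread on the opened device as the callbacks; a genuine card returns (advertised, {}), an address-wrapping fake returns its real size with every early chunk holding a later chunk's data.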
I forgot to say, don't completely dismiss the possibility of a targeted attack. A few years ago there was a guy who didn't have access to any top secret information or anything. He worked on software for factory machine parts and stuff. For example, he might work on a large servo, translating the command "turn 30 degrees" to electrical impulses to the motor's magnets. He sure doesn't seem like a high-value target.
It turns out that the motors and stuff he worked on were being used by another company who built larger modules from motors, gears, etc. Those modules were, in turn, used to make chemistry lab equipment such as centrifuges. Centrifuges used in Iran. So servo firmware guy WAS target zero for Stuxnet.
* The above narrative is roughly correct. Maybe the firmware-writing employee was a she, not a he, we don't know exactly which employee was hit first. We do know it came in through that company.
Theoretically it also exposes any security vulnerabilities in the filesystem code, as it's free to make its directory structure as malformed as it wants.
"trojaned card like that is going to cost some money to make"... which brings up state-sponsored actors subsidizing these cards to increase distribution.
Don't worry about it. If you got it through Alibaba it is almost certain to be a counterfeit card with the size and even brand name printed on failing rejected cards, and it will have no better chance of retaining malware than it will have of holding your own data. I know a couple of people who bought through Alibaba that this happened to.
I'm an American. I love this country and the freedoms that we used to have.
It's never secure, however buying directly from a supplier who has a good reputation to protect is safer than buying from a distributor in the US. Simply because if you purchase direct and discover something, they would be easily exposed, and that would kill their business. The more hands it gets passed through, the more opportunities for someone to sneak something in.
(If at first you don't succeed, do it different next time!)
So, it sounds like you can purchase a legitimate, clean SD card, only to later have its firmware reprogrammed by an infected computer. And, if you buy an SD card at 1/5 the price, that's the sort of thing you have to worry about.
It's already been demonstrated. There's a reason the NSA has forbidden the use of all flash storage on military computers.
These types of "deals" are always some type of trade-off. How much is your time worth? Go with a tried and true distributor and reputable seller off Amazon. If you can't afford something at the normal asking price to the point you are willing to dabble with nefarious entities from China, then maybe you should wait and save up for when you can ... or don't, and convince yourself you got a great deal from "someone" in China.
Google already put malicious software on your Android phone.
As long as you don't swallow it.
You are welcome on my lawn.
I would be more worried about getting into trouble for buying counterfeit or stolen property.
Jack of all trades,master of none
http://www.ebay.com/gds/All-Ab...
Make sure everyone's vote counts: Verified Voting
Where do you think your phone and laptop came from?
Nothing from China is safe, least of all the heathen Chinee!
I got a counterfeit USB stick from Aliexpress and gave the item a one star review. The company actually called me up the next night - or should I say morning (3 AM), telling me that they understood the time difference and that they would continue to call me at that time every day until I changed my review.
I will never deal with Aliexpress again. Aliexpress never replied to my complaint. I will stick with something that realizes the importance of reputation.
FYI... Sean "xobs" Cross and Andrew "bunnie" Huang disclosed low-level vulnerabilities in SD cards (as far as I can tell: on a par with, and related to, the more recent BadUSB-type hacks) at 30C3, back in December 2013.
For further details, see:
http://www.bunniestudios.com/blog/?p=3554
No idea about Alibaba, but eBay has a dispute system. And when I bought a pack of 18650 batteries at 0.25 Ah each instead of at least 2.5 Ah and marked them OK - it's my own problem.
Next time I asked the seller "How many Ah has your 3.0Ah battery?" Answer was "They usually have at least half of that, you understand...". I preferred to buy a cheap notebook battery and disassemble it.
I don't have any experience with malicious flash drives, but since we're on the topic of fakes, F3 is a handy test program:
http://oss.digirati.com.br/f3/
Doesn't matter. They're all going to fail within a week. Discount flash on Alibaba has a notoriously high failure rate.
Companies in China or any Asian design shop out east will buy lots, and I mean lots, of rejected Flash chips or bare dies from a Fab that have failed some method of testing. These are bought for cheap since it isn't in the Fab's interest to debug it.
This Chinese company will take those chips/devices and run tests to see how much of it actually works. They will spin a circuit board with a controller that will only exercise the portion of memory that actually works (and have 100+ variants exercising the IOs/data lines that are functional). So, they get a 64Gbit device that's bad, figure out only 18Gbit of it works and pair it up with other chips and build a board, program the controller and package it up.
This is very common and you have no idea that it has happened. Crack open some generic flash drive if you happen to have 2 that are non-functional, don't be surprised if you see different part markings silkscreened onto the circuit board or you have different flash chips.
This is how they make their money. They don't care if it works or not. They made the sale.
The price makes the item suspect. One must ask oneself, why is this so much cheaper?
While being malicious is possible, it's probably much more likely it's substandard and either won't work very well straight out of the box, or will fail fairly quickly compared to a 'normal' priced one.
Probably you are buying junk. Everyone who is not part of their organizational networks will most likely be given a handful of crap for their good money. Other than that if you're asking if it's a security issue, fret no more than buying it anywhere else in the world. You do have a choice who is spying on you here, hope you realize that.
Considering any you are buying locally will be made in China or Korea anyway, then if you are scared of those cards you should be scared of just about every piece of electronic kit in the modern world. Your only safe bet is to go live in the woods with an abundant amount of tin foil.
It takes effort to put root-kits on these and even the USB-attacks where a publicly available tool-chain exists need customization for the target and specific exploit code. These are not one-size-fits-all attacks.
But safe? Likely these use sub-standard flash and controllers to make that price. Expect data loss and undetected corruption.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
In China everyone knows that a Flash-based USB memory or memory card WILL be fake if it's too cheap.
The SD Association has a special formatter which avoids this problem.
Interesting that the special formatter is only available for Microsoft Windows and Apple Macintosh, and apparently only in binary form. Even if I had such a computer I would not be comfortable formatting my disk with non-free software. Who knows, it might be putting an encrypted child porn picture on a hidden part of the disk, exposing me to the risk of prosecution. No thanks.
Those "128GB" cards are 1/5 the price of a real one because they're fake. The likely actual capacity is 8GB, which you might only realise after copying >8GB of files to it.
There are a couple of programs specifically written to check for fake flash memory:
h2testw for Windows: http://www.heise.de/download/h2testw.html
F3 for Linux: http://oss.digirati.com.br/f3/
You should run them on any new card (even one you don't suspect is fake) before putting it in your phone/camera/whatever, otherwise you risk losing data in future.
Take some tinfoil, form a large hat, a medium hat, and small hat. Put the large one on your head, the medium one on your laptop, and the small one on your phone. After that, you should be just fine.
Just because it comes from china, that doesn't mean it's automagically laden with evil commie freedom-destroying malware. Slow your roll.
Most likely QA rejects. Now, why they were rejected by QA - this is your opportunity for getting decent media cheap. Sometimes the controller is broken and you'll end up with a fancy guitar pick. But sometimes the number of bad blocks on the flash exceeds the standard. Run 'badblocks' on your card, and you'll get a card 95% the size of the respective 'brand' at 20% the price. As a bottom line, this may cost some work, and don't expect your profit to be 4x the value of 'certified', but you may come out profitable.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
...did they lie about the capacity of the flash memory? Chinese do this ALL of the time. (e.g. Remember those cheap nvidia gpus? pretty much a riff on their flash memory scams...)
Personally I wouldn't buy crap directly from China unless it was a reputable dealer, and even then I'd still be careful, as even the "good" ones have a tendency to go rogue.
I bought some TF cards at a price of about $1 per 8GB. After seeing the comments about "fake cards", I did the test on a 32GB TF card. I wrote a 30GB file to it and read it back. The data was OK. Only the speed: it said "class 10", but it actually wrote at 3MB/s and read at 12MB/s, using a micro-SD to USB adapter on my PC, which seems like only "class 3" or "class 4". Writing 32GB of data took about 3 hours, so in the case of 128GB it may take 12 hours!