Slashdot Mirror


Ask Slashdot: Is Non-USB Flash Direct From China Safe?

Dishwasha (125561) writes I recently purchased a couple 128GB MicroSDXC card from a Chinese supplier via Alibaba at 1/5th the price of what is available in the US. I will be putting one in my phone and another in my laptop. A few days after purchased, it occurred to me there may be a potential risk with non-USB flash devices similar to USB firmware issues. Does anybody know if there are any known firmware issues with SD or other non-USB flash cards that could effectively allow a foreign seller/distributor to place malicious software on my Android phone or laptop simply on insertion of the device with autoplay turned off?

34 of 178 comments

  1. Fake! by Anonymous Coward · · Score: 2, Insightful

    I would almost guarantee for that price it's a fake card. It's a pretty common practice. It's either smaller than it says (try a write test for the full 128GB) or slower than stated, etc. Assuming you have an Android phone that has unauthorized sources turned off by default, I would think you're relatively safe. I would not say an attack isn't possible, though. To my knowledge there is no such thing as autoplay on Android.

  2. "From China"?!? by Anonymous Coward · · Score: 2, Interesting

    "Directly from China" is exactly as safe as "made in China and assembled in the US", which is pretty much your alternative.

    1. Re:"From China"?!? by Anonymous Coward · · Score: 2, Funny

      By the way, would a "Made in Russia" tag be worse or better?

      I dunno. I'd suppose it'd be likely to get drunk, slap its wife, invade Ukraine, and then break.

  3. Make sure you can read and write every bit by kimgkimg · · Score: 5, Informative

    You'll want to check to make sure you are actually getting a 128GB card. I've gotten a couple of fake flash drives and cards over the years which report the proper capacity and will even format, but when you try to write actual data to the device you end up with corrupt files. If the price is too good to be true, it generally is, so I don't buy cards or sticks from vendors that I can't return anymore. Use H2TESTW to test the speed and capacity of your flash card/device: http://forums.sandisk.com/t5/S...

  4. Click the Contact Supplier button by fat_mike · · Score: 3, Insightful

    Or search Google or better yet be lazy and do no research at all and then post a question on Slashdot!

  5. Probably fake cards, actually by Omega+Hacker · · Score: 4, Interesting

    If you think you're getting a card for 1/5th the price, you're probably getting 1/5th the card. I have personal experience with cards that claim to be 8GB but only have 1GB of actual flash in them. I won't touch on the malware issue, but before you actually try to make use of the cards you need to find a way to very exhaustively exercise the entire card. I haven't looked for such a program but I hear they're pretty easy to find. If I were writing one I would put a pseudo-random sequence across the entire advertised size of the card, then read it back and confirm that the same pseudo-random sequence comes back. The sequence should be longer than the card, or at the very least not repeat on something like a 1GB boundary. I suspect a common trick in these cards is to simply drop the upper address bits, so you'll read the same contents off e.g. the 2nd GB as you will from the 1st, and all the others.

    --
    GStreamer - The only way to stream!
    1. Re:Probably fake cards, actually by Megane · · Score: 4, Informative

      I think it's funny that he's worried about being pwned by the flash card firmware (answer: you can't, it's not a generic interface like USB that can be keyboards, mice, network cards, etc. on a whim), and not about being cheated by the old "1GB card that claims to be 4GB" scam.

      Anyhow, here are some relevant links:
      http://www.bunniestudios.com/b...
      http://www.bunniestudios.com/b...

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  6. You think the US ones don't come from China? by gurps_npc · · Score: 3, Interesting

    What makes you think the one you bought direct from China is any different than one you get from Amazon or Best Buy?

    Because I guarantee you that somewhere there is a guy buying them from China in bulk, for 1/5 the price, repackaging them and selling them on Amazon for 3/4 the price.

    --
    excitingthingstodo.blogspot.com
    1. Re:You think the US ones don't come from China? by Maxwell · · Score: 2

      Doubt it. Even if they somehow got reseller status on Amazon, they would promptly get feedback'd down to oblivion. They wouldn't last long on eBay either. Only on Alibaba would someone actually think those cards were real....

      I have seen 640G Sony cards, 512G SD, etc. years before that size was actually available....

  7. Re:Nope. by Anonymous Coward · · Score: 5, Informative

    He was asking about firmware. Formatting the SD card will not do anything to the firmware.

  8. SD cards can't impersonate a keyboard by AC-x · · Score: 2

    SD cards can't impersonate a keyboard, so anything like the USB firmware hack you linked to is impossible. There could be malicious files pre-installed on the drive, but then that's happened to big name suppliers plenty of times too.

    As far as I know Android has no facility to run code directly from an SD card anyway, and if you're using an antivirus package worth its salt on your PC it would block any autorun attempt.

  9. OBInSovietRussia by Anonymous Coward · · Score: 3, Funny

    In Soviet Russia, girlfriend claps tablet.

  10. No badusb-type attack (% SDIO), but malware inject by raymorris · · Score: 5, Interesting

    The SD* interface doesn't have the _same_ problem that USB does, i.e. BadUSB. It has other issues, though, and an SD card could be made malicious. The issue with USB is that a USB device can be / act as storage, a keyboard, a mouse, a camera, etc. You can plug in a USB device which you think is just a memory stick, but unbeknownst to you, it's also acting as a keyboard and "typing" commands to your computer. A pure SD card interface supports _only_ storage devices, so they can't act as keyboards. They therefore can't directly attack the host device in the same way that USB can.

    Android does have some support for SDIO, though, which allows a card to act as a camera, wifi card, or keyboard. I *don't* think Android will by default use an SDIO input device. It's possible that it will, though. I may have to emulate such a card with a microcontroller and see what happens when it is plugged in to various iOS and Android devices. If it works, you just witnessed the birth of badsd, as I haven't heard of anyone doing that before.

    What an SD card could do on a pure SD storage interface is muck with any files you put on the card. Suppose you installed towelroot or supersu on the SD card. The controller on the card could inject malware into the executable, and that malware would then be run with the same privileges you have - full root access if you root your phone, or the same access the apps have. Along with injecting malware into your files, the trojan SD card could send your files to the attacker. Wifi adapters can be made that small, so any data saved to the card could be sent to the attacker via the built-in wifi.

    Your best defense in that case might be "at 1/5th the price of what is available in the US". A trojaned card like that is going to cost some money to make, particularly the version with built-in wifi. It wouldn't make sense to sell a million of them on Alibaba, losing money on all of them. They would more likely be used in a targeted attack - "mistakenly dropped" on the premises of a defense contractor or R&D lab, maybe even advertised on a forum likely targets tend to visit, such as one related to aerospace engineering or large-scale investments.

    One step you could take to protect yourself would be to write and read back some known files of various types and compare their SHA hashes within a VM. The card should return a bit-by-bit identical copy of the file that you copied to it. If you save an .exe or .apk file and it comes back changed, that would be a bad sign. I'd like to hear from anyone who experiences that so we can investigate further.
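    Omega+Hacker's "pseudo-random sequence across the whole advertised size" test (comment 5) and raymorris's write / read back / compare-hashes check above come down to the same procedure. Here it is as an added Python example that is not from either poster or from any real tool: a keyed, index-dependent pattern is written over the advertised capacity and read back, and the shape of the mismatches separates a card that drops its upper address bits from one that silently loses writes or alters what it stores. `FakeCard`, `probe` and the 64-byte block size are constructions of this example; the card is simulated in memory.

```python
"""Exhaustive write/read-back probe for flash media (added example). The card is an
in-memory simulation built for this example; for real media, replace FakeCard with a
class that seeks and read()/write()s a block device opened with O_DIRECT."""
import hashlib
import os

BLOCK = 64  # simulated block size in bytes (constructed; one blake2b digest)

def expected_block(key: bytes, index: int) -> bytes:
    """Pattern for block `index`: keyed hash of the index, so it never repeats
    and an aliased block can never happen to look correct."""
    return hashlib.blake2b(index.to_bytes(8, "big"), key=key, digest_size=BLOCK).digest()

class FakeCard:
    """Counterfeit card: `real` blocks of flash sold as `advertised` blocks.
    'wrap': upper address bits dropped, writes alias onto existing flash.
    'drop': writes past the real end are lost. 'tamper': alters block 7 on read."""

    def __init__(self, real: int, advertised: int, mode: str = "wrap"):
        self.real, self.advertised, self.mode = real, advertised, mode
        self.flash = bytearray(real * BLOCK)

    def write(self, index: int, data: bytes) -> None:
        if index < self.real or self.mode == "wrap":
            i = index % self.real
            self.flash[i * BLOCK:(i + 1) * BLOCK] = data

    def read(self, index: int) -> bytes:
        if index >= self.real and self.mode == "drop":
            return bytes(BLOCK)  # lost write reads back as erased flash
        i = index % self.real
        data = bytes(self.flash[i * BLOCK:(i + 1) * BLOCK])
        if self.mode == "tamper" and index == 7:
            data = bytes([data[0] ^ 0xFF]) + data[1:]  # controller flips a byte
        return data

def probe(card, advertised: int, key: bytes = b"") -> tuple:
    """Write the pattern over the advertised size, read it back and classify.
    Returns (verdict, number of blocks whose contents came back intact)."""
    key = key or os.urandom(32)
    for j in range(advertised):
        card.write(j, expected_block(key, j))
    ok = [card.read(j) == expected_block(key, j) for j in range(advertised)]
    if all(ok):
        return "genuine", advertised
    if not any(ok):
        return "unusable", 0
    first_ok, first_bad = ok.index(True), ok.index(False)
    if first_ok > 0 and all(ok[first_ok:]):
        # Address wrap: only the last `real` writes survive, so good blocks form a suffix.
        return "address-wrap", advertised - first_ok
    if first_ok == 0 and not any(ok[first_bad:]):
        # Writes beyond the real flash were lost: good blocks form a prefix.
        return "dropped-writes", first_bad
    # Scattered mismatches: bad blocks, or a controller changing stored data.
    return "altered", sum(ok)
```

    On real media the probe costs one full write and one full read of the card and destroys its contents, so run it before putting anything on the card.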

  11. Re:Not a security risk, but a fake risk by queazocotal · · Score: 2, Interesting

    Of course it's a security risk.
    The SD card has a 32 bit processor that does the wear leveling.
    There is nothing stopping it doing 'interesting' things to files on it, if it's so programmed.
    The extra fun part is that the user can't read out this programming.

    Obvious things might be infecting files with viruses, appending small secret files to large media files in the hope that they will later be shared, or more targeted attacks.

  12. Re:Ditto by sexconker · · Score: 3, Informative

    SDHC only goes up to 32 GB, so that should have been your first clue. Happened to my dad, too.

  13. ps - you could be a target. Servo guy was by raymorris · · Score: 3, Interesting

    I forgot to say, don't completely dismiss the possibility of a targeted attack. A few years ago there was a guy who didn't have access to any top secret information or anything. He worked on software for factory machine parts and stuff. For example, he might work on a large servo, translating the command "turn 30 degrees" to electrical impulses to the motor's magnets. He sure doesn't seem like a high-value target.

    It turns out that the motors and stuff he worked on were being used by another company who built larger modules from motors, gears, etc. Those modules were, in turn, used to make chemistry lab equipment such as centrifuges. Centrifuges used in Iran. So servo firmware guy WAS target zero for Stuxnet.

    * The above narrative is roughly correct. Maybe the firmware-writing employee was a she, not a he, we don't know exactly which employee was hit first. We do know it came in through that company.

  14. Re: There will be. by Mashiki · · Score: 2

    My advice to OP: treat all USB peripherals (mice, wireless cards, storage, etc) as malicious unless they come from trusted/vetted supply chains. And even then, be suspicious.

    Sorry, you can't even trust things coming from a trusted and vetted supply chain unless there are massive oversight controls. I've seen knockoffs and other crap come through Ingram Micro...that was in the 90s.

    --
    Om, nomnomnom...
  15. don't worry about it by frovingslosh · · Score: 5, Insightful

    Don't worry about it. If you got it through Alibaba it is almost certain to be a counterfeit card with the size and even brand name printed on failing rejected cards, and it will have no better chance of retaining malware than it will have of holding your own data. I know a couple of people who bought through Alibaba that this happened to.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:don't worry about it by Curtman · · Score: 2

      Same here. I bought two 128GB cards on eBay for $23 each. Only one showed up, and when I tested it with:

      # dd if=/dev/zero of=/dev/sdc

      it gives I/O error at about 8.2GB. Definitely not worth the aggravation.

    2. Re:don't worry about it by bscott · · Score: 4, Funny

      Yeah - I worked for a gadget retailer and was asked to test some 8GB flash sticks several years ago.

      You could write 8GB to them, but anything past the first 4GB returned a read error.

      My boss called the supplier in Shenzhen to yell at them - "How could you do this?" Their response: "I don't understand - you SAID you wanted the best price?!"

      --
      Perfectly Normal Industries
    3. Re:don't worry about it by plover · · Score: 3, Funny

      It's an anti-TARDIS card -- it's smaller on the inside.

      --
      John
    4. Re:don't worry about it by Anonymous Coward · · Score: 3, Interesting

      It might not do what you think.

      Here's what to do: Generate a random stream with openssl, md5sum it going into the card, md5sum it coming back out. Use pv for progress display if desired.

      ~ # cat randomtest.sh
      #!/bin/bash
      # Usage: randomtest.sh /dev/sdX   (destroys everything on the device)
      dev="$1"
      size=$(blockdev --getsize64 "$dev")
      # Encrypt /dev/zero under a throwaway random passphrase to get an unbounded
      # pseudo-random stream; pv -S stops it after exactly $size bytes.
      # (OpenSSL 3.x keeps Blowfish in the legacy provider: add -provider legacy.)
      time (openssl bf-ofb -pass pass:"$(tr -dc '[:graph:]' < /dev/urandom | head -c56)" < /dev/zero \
          | pv -pterb -s "$size" -S | tee "$dev" | md5sum | tee writesum)
      echo
      # Read the same byte count back and hash it; both sums must match.
      time (pv -pterb -s "$size" -S "$dev" | md5sum - > readsum)
      echo
      echo "Written:" "$(cat writesum)"
      echo "Read:" "$(cat readsum)"
      rm writesum readsum

    5. Re:don't worry about it by jones_supa · · Score: 2, Interesting

      Same here. I bought two 128GB cards on eBay for $23 each. Only one showed up, and when I tested it with:

      # dd if=/dev/zero of=/dev/sdc

      it gives I/O error at about 8.2GB. Definitely not worth the aggravation.

      No, no, don't do it that way. If you overwrite an SD card starting from the beginning, you will overwrite the Protected Area of the card. Also happens if you use the "format disk" function of an operating system on the card.

      The SD Association has a special formatter which avoids this problem.

      Maybe try reading the card instead of writing, to test for those cards which have missing flash. Or carefully skip the Protected Area with dd when writing.

    6. Re:don't worry about it by resfilter · · Score: 5, Informative

      oh dear god don't write over the protected area! ...

      it's used for some specialized keys for some rarely used version of DRM. so if you have a CPRM "protected" file on the sd card, then.. you know.... "accidentally" give the file to someone else, they'll lack the decryption keys (since they're stored outside of the filesystem by the program that wrote the file to the flash card) and the file will be useless.

      http://en.wikipedia.org/wiki/C...

      it's another one of those things that attempts to relabel yet another "generic binary storage device" as a "specialized media holder to assist content protection", and you should actually go out of your way to destroy this "protected area" instead of carefully avoiding damage to it.

      it's totally safe to write over this "protected area" and use it for your own data, and it's rare to run into programs that actually use CPRM for protection against distribution (although they probably do exist, why would you use such a thing?).

      that's probably why you've never heard of it or noticed writing over it.

  16. Only slightly safer than buying in US by Timmy+D+Programmer · · Score: 2

    It's never secure, however buying directly from a supplier who has a good reputation to protect is safer than buying from a distributor in the US. Simply because if you purchase direct and discover something they would be easily exposed, and that would kill their business. The more hands it gets passed through, the more opportunities for someone to sneak something in.

    --
    (If at first you don't succeed, do it different next time!)
  17. Just avoid by sansprivacy · · Score: 2

    These types of "deals" are always some type of trade-off. How much is your time worth? Go with a tried and true distributor and reputable seller off Amazon. If you can't afford something at the normal asking price to the point you are willing to dabble with nefarious entities from China, then maybe you should wait and save up for when you can ... or don't and convince yourself you got a great deal from "someone" in China.

  18. Re:Chinese production values by neminem · · Score: 2

    Or, literally do exactly what this question is asking, release something that autoruns malicious software on your machine when you try to use it...

  19. malware not the real worry IMO by Stan92057 · · Score: 2

    I would be more worried about getting into trouble for buying counterfeit or stolen property.

    --
    Jack of all trades, master of none
  20. More context on fakes by rsborg · · Score: 2

    I would almost guarantee for that price it's a fake card. It's a pretty common practice. It's either smaller than it says (try a write test for the full 128GB) or slower than stated, etc. Assuming you have an Android phone that has unauthorized sources turned off by default, I would think you're relatively safe. I would not say an attack isn't possible, though. To my knowledge there is no such thing as autoplay on Android.

    http://www.ebay.com/gds/All-Ab...

    --
    Make sure everyone's vote counts: Verified Voting
  21. Re: There will be. by Smerta · · Score: 2

    Absolutely correct.

    Remember that kerfuffle a couple weeks ago about FTDI bricking products that were using counterfeit FTDI USB-serial chips? Some of the product designers were unknowingly using counterfeit chips bought from companies we've all heard of (no, not Alibaba or eBay...)

  22. Alibaba has a long way to go by Anonymous Coward · · Score: 2, Informative

    I got a counterfeit USB stick from Aliexpress and gave the item a one star review. The company actually called me up the next night - or should I say morning (3 AM), telling me that they understood the time difference and that they would continue to call me at that time every day until I changed my review.

    I will never deal with Aliexpress again. Aliexpress never replied to my complaint. I will stick with something that realizes the importance of reputation.

  23. Re:Chinese production values by asimons04 · · Score: 2

    I wish I had mod points left so I could mod all of these up.

  24. non-free formatter is risky by John_Sauter · · Score: 3, Insightful

    The SD Association has a special formatter which avoids this problem.

    Interesting that the special formatter is only available for Microsoft Windows and Apple Macintosh, and apparently only in binary form. Even if I had such a computer I would not be comfortable formatting my disk with non-free software. Who knows, it might be putting an encrypted child porn picture on a hidden part of the disk, exposing me to the risk of prosecution. No thanks.

  25. QA rejects. by SharpFang · · Score: 2

    Most likely QA rejects. Now why they were rejected by QA - this is your opportunity for getting decent media cheap. Sometimes the controller is broken and you'll end up with a fancy guitar pick. But sometimes the number of bad blocks on flash exceeds the standard. Run 'badblocks' on your card, and you'll get a card 95% the size of respective 'brand' at 20% the price. As a bottom line, this may cost some work and don't expect your profit is 4x the value of 'certified', but you may come out profitable.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2