Slashdot Mirror
Ask Slashdot: Is Non-USB Flash Direct From China Safe?
Dishwasha (125561) writes I recently purchased a couple 128GB MicroSDXC card from a Chinese supplier via Alibaba at 1/5th the price of what is available in the US. I will be putting one in my phone and another in my laptop. A few days after purchased, it occurred to me there may be a potential risk with non-USB flash devices similar to USB firmware issues. Does anybody know if there are any known firmware issues with SD or other non-USB flash cards that could effectively allow a foreign seller/distributor to place malicious software on my Android phone or laptop simply on insertion of the device with autoplay turned off?
You'll want to check to make sure you are actually getting a 128GB card. I've gotten a couple of fake flash drives and cards over the years which report the proper capacity and will even format, but when you try to write actual data to the device you end up with corrupt files. If the price is too good to be true, it generally is, so I don't buy cards or sticks from vendors that I can't return anymore. Use H2TESTW to test the speed and capacity of your flash card/device: http://forums.sandisk.com/t5/S...
If you think you're getting a card for 1/5th the price, you're probably getting 1/5th the card. I have personal experience with cards that claim to be 8GB but only have 1GB of actual flash in them. I won't touch on the malware issue, but before you actually try to make use of the cards you need to find a way to very exhaustively exercise the entire card. I haven't looked for such a program but I hear they're pretty easy to find. If I were writing one I would put a pseudo-random sequence across the entire advertised size of the card, then read it back and confirm that the same pseudo-random sequence comes back. The sequence should be longer than the card, or at the very least not repeat on something like a 1GB boundary. I suspect a common trick in these cards is to simply drop the upper address bits, so you'll read the same contents off e.g. the 2nd GB as you will from the 1st, and all the others.
GStreamer - The only way to stream!
He was asking about firmware. Formatting the SD card will not do anything to the firmware.
The SD* interface doesn't have the _same_ problem that USB does, ie badusb. It has other issues, though, and an SD card could made malicious. The issue with USB is that a USB device can be / act as storage, a keyboard, a mouse, a camera, etc. You can plug in a USB device which you think is just a memory stick, but unbeknownst to you you, it's also acting as a keyboard and "typing" commands to your computer. A pure SD card interface supports _only_ storage devices, so they can't act as keyboards. They therefore can't directly attack the host device in the same way that USB can.
Android does have some support for SDIO, though, which allows a card to act as a camera, wifi card, or keyboard. I *don't* think Android will by default use an SDIO input device. It's possible that it will, though. I may have to emulate such a card with a microcontroller and see what happens when it is plugged in to various iOS and Android devices. If it works, you just witnessed the birth of badsd, as I haven't heard of anyone doing that before.
What an SD card could do on a pure SD storage interface is muck with any files you put on the card. Suppose you installed towelroot or supersu on the SD card. The controller on the card could inject malware into the executable, and that malware would then be run with the same privileges you have - full root access if you root your phone, or the same access the apps have. Along with injecting malware into your files, the trojan SD card could send your files to the attacker. Wifi adapters can be made that small, so any data saved to the card could be sent to the attacker via the built-in wifi.
Your best defense in that case might be "at 1/5th the price of what is available in the US". A trojaned card like that is going to cost some money to make, particularly the version with built-in wifi. It wouldn't make sense to sell a million of them on Alibaba, losing money on all of them. They would more likely be used in a targeted attack - "mistakenly dropped" on the premises of a defense contractor or R&D lab, maybe even advertised on on a forum likely targets tend to visit, such as one related to aerospace engineering or large-scale investments.
One step you could take to protect yourself would be to write and read back some known files of various types and compare their SHA hashes within a VM. The card should return a bit-by-bit identical copy of the file that you copied to it. If you save an .exe or .apk file and it comes back changed, that would be a bad sign. I'd like to hear from anyone who experiences tat so we can investigate further.
Don't worry about it. If you got it through Alibaba it is almost certain to be a counterfeit card with the size and even brand name printed on failing rejected cards, and it will have no better chance of retaining malware than it will have of holding your own data. I know a couple of people who bought through Alibaba that this happened to.
I'm an American. I love this country and the freedoms that we used to have.