An SD card isn’t just a dumb chunk of memory; it’s a dumb chunk of memory with a built-in brain, a microcontroller. And at this year’s Chaos Computer Congress, enterprising hackers showed off exactly what those brains can be used for cheap hardware for makers or malware machines for malcontents.
The reason SD cards have microcontrollers in the first place is because it’s cheaper than producing reliable memory. Instead of testing each card to make sure it’s a flawless bit of hardware (it never is), SD card manufacturers just slap on a cheap microcontroller that can come up with workarounds for dead sectors and other hardware issues on the fly. This all gets set up at the factory, and average users never have to know a thing about it.
But that’s where the modification comes in. As hackers bunnie and xobs discovered, some of cards’ chip firmware isn’t locked down particularly well, leaving it completely open to modification. On the good side, that means relatively cheap microcontrollers for anyone who bothers to hack them. On the dark side, that means SD cards that can perform their own man-in-the-middle attacks and steal data on the sly with built-in malware. Or counterfeit SD cards that look like they’re waaaay bigger than they are, like the mythical never-ending hard drive.
The details of exactly how you mess with this stuff are available over on bunnie’s blog, but the next time you plug in an SD card, just remember that it’s actually a tiny computer of its own. And though it’s probably not doing anything especially cool, or out to screw you over, it certainly has the potential to do either. [bunnie’s blog]
Image via Asim18/Creative Commons