Some SD cards contain embedded software vulnerabilities that enable arbitrary code execution on the card, according to researchers Andrew Huang and Sean Cross. Flash memory is becoming cheaper but less reliable, which means that flash disks ship with a relatively high-powered microcontroller designed to run a corrective disk abstraction algorithm. That also means that managed flash devices are susceptible to manipulation at the firmware level – and the potential for errors is increasing as more layers of software are required to abstract increasingly unstable hardware.
"The inevitable firmware bugs are now a reality of the flash memory business, and as a result it's not feasible, particularly for third-party controllers, to indelibly burn a static body of code into on-chip ROM," Huang wrote. "The crux is that a firmware loading and update mechanism is virtually mandatory, especially for third-party controllers."
Huang detailed examples of retailers in China taking advantage of this firmware update ability to burn their own embedded software onto cards to artificially "expand" the capacity, an activity that suggested the code was not secure. By reverse engineering the code of one brand of microcontroller, the researchers were able to create their own firmware designed to carry out specific functions and load it onto the card, enabling uses such as a man-in-the-middle attack. While they only tested the approach on Appotech microcontrollers, they noted that many other models were likely vulnerable, pointing to research from earlier this year that found a similar flaw in Samsung phones.
The upshot of the discovery is that this type of code alteration could give developers access to a cheap and powerful source of microcontrollers for certain projects. However, the lack of attention to software security in SD card microcontrollers could also represent a risk, and vendors of such tools could benefit from taking precautions during the development process to strengthen code and limit alterations.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.