The firmware of a USB flash drive can be maliciously rewritten in order to make it appear as a rogue device (like a keyboard, a network card, etc.). Since several different kinds of devices may be simultaneously connected to the same USB port, it is very hard (if not impossible) for the computer OS to distinguish genuine from rogue devices. This is called a BadUSB attack.

SD-Cards rely on the very same technology as USB flash drives: the same NAND memory, the same controller, the same kind of firmware, all running together. So, theoretically, the firmware itself should be vulnerable to the same kind of attack.

However, at least when the computer provides an internal non-USB SD-Card reader (as can be found on laptops where the SD-Card reader is connected directly to the PCI bus), the OS would never expect to see a keyboard or whatever plugged into the SD-Card reader slot; the protocol does not even allow such a weird thing, so a BadUSB type attack against SD-Cards would be moot.

However, I wonder whether this remains true when one uses an external USB SD-Card reader. Can the SD-Card be infected in a way that, when used together with a sane USB reader, it will be able to trigger a BadUSB type attack against the computer? Or can an SD-Card reader be considered a secure "proxy" between the computer and a potentially malicious SD-Card?

WhiteWinterWolf

I can't say that it's always the case, but all of the internal SD card readers I've looked at were actually USB devices - this puts them in scope for BadUSB.

Internally, an SD card is indeed very similar to a thumbdrive - and there have been attacks against them released. So they can be reprogrammed to change how they behave, just as you can a thumbdrive. So, there is certainly something to this.

Brandon Wilson and I released the first public BadUSB code - when we did this we also looked at SD cards, trying to see how they could be leveraged to perform similar attacks. The answer we came up with was that there wasn't a reliable way to do it.

The attack vector here would be a malicious SD card that behaves in a non-standard way to exploit a vulnerability in the firmware of the reader - as it's the thing connected to USB, and potentially able to do more interesting things - in order to take control of the USB interface directly or modify the reader's firmware to facilitate further attacks.

The problem with this? You have to target specific readers (by controller & firmware version), which means that it has some value as a targeted attack, but can't be made reliable or generic enough to have a large scale impact. So we didn't pursue it in our research. Of course, it's worth noting that there aren't a huge number of companies that develop the controllers that the readers use, so there's some potential for targeting a relatively small number of common controller / firmware combinations and covering a decent percentage of the market.

So, to answer your question - it isn't a secure proxy, but it is a complicated proxy. If an attacker is able to learn about your specific configuration, and is willing to spend the money on research and development - it is possible. But, that said, if you are facing that type of attacker, there are almost certainly better options for them.

In general, pretty much everything that connects to USB, from mice to the internal root hub, is a potential target of BadUSB attacks. Some are harder to leverage than others - thumbdrives are ubiquitous and easy to modify, so they became the face of the attack, but they are far from alone. If it's connected to the bus, there's always a risk that it could be modified with malicious firmware.

It's been pointed out many times, but keep in mind that BadUSB isn't really a vulnerability, it's a feature. Everything that you see in a BadUSB attack is compliant with the specification - that's why there isn't an effective defense. The host has no way to know if the behavior is desired or not.

It's also important to remember that BadUSB isn't just devices showing up as another device type - it can change how the device behaves, while appearing to act normally. One of the demos that we released was a hidden partition that was only accessible if you know the right trick - we had also toyed with self-destructing drives, and drives that made a backup copy of anything deleted, so that even if the drive is formatted, it still can contain sensitive information (we didn't release these).

Adam Caudill
I've found [your presentation on this subject](https://www.youtube.com/watch?v=xcsxeJz3blI) very interesting, and thank you for your answer. Personally, I would not class the latest techniques you mention as BadUSB since they clearly have a different scope. They do not actually target USB devices (USB mice and keyboards, while part of BadUSB's main targets, are out of scope here) but target firmware-based storage devices instead (for instance the NSA is known to use the hidden partition trick you mention with common internal hard disks, no link at all with USB but the very same technique used). – WhiteWinterWolf Jan 04 '16 at 10:33
And BTW I've checked a Thinkpad and a Macbook laptop; in both cases the SD-Card reader showed up only in the `lspci` command, never in the `lsusb` command. Therefore, unless these commands' output may be misleading, I think both connect the SD-Card reader directly to the PCI bus and not to the USB one. – WhiteWinterWolf Jan 04 '16 at 10:38
Which could be even worse if you can alter the card reader's firmware, because PCIe has direct memory access... you could even simulate a USB extension card with a keyboard connected. – K. Biermann Dec 14 '16 at 14:00
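The answer and the `lsusb` discussion above point at one host-side check a defender can still make: inventory the interface classes each USB device enumerates and flag a single device that presents both a mass-storage interface and a HID (keyboard) interface, the shape a thumbdrive or reader takes in the "shows up as a keyboard" BadUSB demo. This is an added example, not code from the question, the answer, or the BadUSB research it refers to; it reads the same `bInterfaceClass` values `lsusb` prints from Linux sysfs, but the inventory it checks here is a constructed sample so it runs offline, and as the answer notes it is only a heuristic: a device that enumerates purely as a keyboard is spec-compliant and will not be flagged.

```python
"""Flag USB devices that expose a mass-storage interface together with a
HID interface on the same physical device (a common BadUSB presentation).
Live inventory comes from /sys/bus/usb/devices; the sample below is
constructed so the check can run without hardware."""
from collections import defaultdict
from pathlib import Path

USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # thumbdrives, USB card readers


def read_sysfs_inventory(root="/sys/bus/usb/devices"):
    """Return {device: {interface class codes}} from a live Linux host.
    Interface directories are named like '1-4:1.0' (device '1-4',
    config 1, interface 0) and each holds a hex bInterfaceClass file."""
    inventory = defaultdict(set)
    for iface in Path(root).glob("*:*"):
        cls_file = iface / "bInterfaceClass"
        if cls_file.is_file():
            device = iface.name.split(":")[0]
            inventory[device].add(int(cls_file.read_text().strip(), 16))
    return dict(inventory)


def suspicious_devices(inventory):
    """Devices that enumerate both mass storage and HID interfaces."""
    return sorted(
        device for device, classes in inventory.items()
        if USB_CLASS_HID in classes and USB_CLASS_MASS_STORAGE in classes
    )


# Constructed sample inventory (not captured from a real host):
#   1-1  plain thumbdrive or card reader: mass storage only
#   1-2  ordinary keyboard: HID only
#   1-3  storage device that also enumerates a keyboard interface
SAMPLE_INVENTORY = {
    "1-1": {USB_CLASS_MASS_STORAGE},
    "1-2": {USB_CLASS_HID},
    "1-3": {USB_CLASS_MASS_STORAGE, USB_CLASS_HID},
}

if __name__ == "__main__":
    for device in suspicious_devices(SAMPLE_INVENTORY):
        print(f"{device}: storage and HID on one device; review before use")
```

Replace `SAMPLE_INVENTORY` with `read_sysfs_inventory()` to run it against the host; composite devices such as keyboards with a built-in card reader will legitimately show up and need allow-listing by vendor/product ID.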