From the perspective of USB device-borne malware/exploits, especially affecting firmware (e.g., can an infected computer reprogram an inserted USB memory stick to act like a keyboard and autotype malicious scripts on another machine? Or flash the BIOS or hard drive firmware on that machine?).

Assuming I have multiple devices that all have USB ports but also all have SD card readers, is it safer (and how much safer?) to move files between the devices using an SD card instead of a USB memory stick?

Some devices are computers running Windows, laptops running various flavours of Linux in various locations. Ignoring electrical attacks, as I would buy the USB memory stick / SD card new from Amazon.

Does using an SD card in this way limit the potential threats to autorun executables? Does doing this prevent the computer from seeing the SD card as anything other than a storage device?

Thank you for wading through this poorly written question.

user109295

1 Answer

While SD cards cannot be programmed to behave as a different kind of USB device like a keyboard (i.e. BadUSB), they have their own vulnerabilities, since they also contain firmware which can be hacked. From On Hacking MicroSD Cards (12/2013):

... code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else...

One attack vector I could think of is to return a different file (i.e. malware) instead of the real file when reading from the card, but maybe only after the 3rd attempt to read the file so that it cannot be easily detected.

So yes, they are probably safer to use than USB sticks but misuse is still possible.

Steffen Ullrich
  • An example of an attack would be to have the card fingerprint the computer and deliver different malicious files based on the host OS, or to obfuscate the malicious code on the fly with each read, making antivirus useless at detecting the malware, as every time the card is read the signature of the malicious file will change. (Note that all of this applies to USB sticks and hard drives as well, as long as the attacker owns their firmware.) – André Borie May 01 '16 at 12:01
  • Could you/someone extend on the 'autorun' in the Q? – qrtLs Jan 29 '20 at 13:41
  • @qrtLs: there is no difference here. USB and SD-Card are both covered by the autoplay feature in Windows. – Steffen Ullrich Jan 29 '20 at 15:07
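
The answer's scenario of a card that returns a different file only on the 3rd read, seen from the host side (an added example, not part of the original answer or comments): checking the card and then reading it again leaves the bytes that are actually used unverified, while reading once and verifying that local copy does not. `SimulatedCard`, the function names and the sample bytes are constructed for illustration, and the expected digest is assumed to travel separately from the card.

```python
import hashlib
import hmac


class SimulatedCard:
    """Constructed stand-in for a storage device whose firmware returns
    different bytes from the `swap_on`-th read onward (not real firmware)."""

    def __init__(self, stored: bytes, substitute: bytes, swap_on: int = 3):
        self.stored, self.substitute, self.swap_on = stored, substitute, swap_on
        self.reads = 0

    def read(self) -> bytes:
        self.reads += 1
        return self.substitute if self.reads >= self.swap_on else self.stored


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_then_reread(card, expected: str, checks: int = 2) -> bytes:
    """Weak pattern: hash the card `checks` times, then read it again to use it.
    The bytes that are finally used were never hashed."""
    for _ in range(checks):
        if not hmac.compare_digest(digest(card.read()), expected):
            raise ValueError("digest mismatch during check")
    return card.read()


def read_once_and_verify(card, expected: str) -> bytes:
    """Safer pattern: one read into host-controlled memory, verify exactly
    those bytes, and hand only that verified copy to the consumer."""
    local_copy = card.read()
    if not hmac.compare_digest(digest(local_copy), expected):
        raise ValueError("digest mismatch: refusing to use this copy")
    return local_copy


# Constructed sample data. EXPECTED is assumed to be computed on the sending
# machine and carried to the receiver by a channel other than the card.
ORIGINAL = b"quarterly-report v1\n"
SUBSTITUTE = b"something else entirely\n"
EXPECTED = digest(ORIGINAL)

if __name__ == "__main__":
    for fn in (check_then_reread, read_once_and_verify):
        used = fn(SimulatedCard(ORIGINAL, SUBSTITUTE), EXPECTED)
        print(fn.__name__, "used the original bytes:", used == ORIGINAL)
```

On a real host, repeated reads are often served from the OS page cache rather than the device, so counting reads is not a dependable way to detect such a card; the durable control is to verify the exact copy that will be opened.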