I saw this question about reading a USB stick safely, and it made me wonder about SD and microSD cards. I've been told that SD/microSD cards are safer, and that I needn't worry as much about just plugging one in as I would a USB stick. Is this true? What sorts of vulnerabilities do SD/microSD cards have that USB sticks don't, and vice versa? Also, given a particular SD/microSD card, will formatting it make it safe to use again?
3 Answers
Define "safely".
The core SD data protocol can only expose itself as a mass storage device, which prevents a lot of the fun badUSB style attacks. If your host supports SDIO, the attack surface grows massively.
The card also contains a full MCU, typically ARM/8051, which can (at minimum) lie to you about the contents of flash a la IRATEMONK. See https://www.bunniestudios.com/blog/?p=3554. Formatting the card is thus NOT sufficient to "clean" it. Given the price of SD cards, if you're at all concerned about its provenance it's better to just chuck it and buy a new one from a trusted source.
TL;DR probability of RCE is lower than with USB, but there are definitely still nasty things possible.
A typical SD card contains a filesystem with files on it. Your operating system has code to read the filesystem. If there are any bugs in that code, it may be possible for the SD card to run arbitrary things on your system when it is read. So just by inserting the SD card (or mounting a filesystem on it) your system could be compromised.
Here is an example with NTFS.
To protect against this, you can read the raw data on the SD card instead of mounting the filesystem. However, this makes it pretty hard to do anything useful with the data.
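One way to read the raw data without mounting, as the answer above suggests; this is an added example, not code from the answer. It assumes sector 0 of the card has already been captured into an image file, and the function names and the sample sector are constructed for illustration.

```python
import struct

SECTOR = 512
TYPES = {0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
         0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector0, total_sectors):
    """Parse the MBR partition table of a raw image without mounting anything.

    Every field is treated as untrusted and range-checked against the real
    image size. Returns (partitions, warnings).
    """
    if len(sector0) < SECTOR:
        raise ValueError("short read: need one full 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts, warnings = [], []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, start, count = struct.unpack("<B3xB3xII", sector0[off:off + 16])
        if ptype == 0:                      # unused slot
            continue
        end = start + count                 # Python ints cannot wrap here
        if status not in (0x00, 0x80):
            warnings.append(f"entry {i}: invalid status byte {status:#04x}")
        if start == 0 or count == 0 or end > total_sectors:
            warnings.append(f"entry {i}: LBA range {start}..{end} outside image")
        for p in parts:
            if start < p["end"] and p["start"] < end:
                warnings.append(f"entry {i}: overlaps entry {p['index']}")
        parts.append({"index": i, "type": TYPES.get(ptype, f"unknown {ptype:#04x}"),
                      "start": start, "end": end})
    return parts, warnings

def build_sample():
    """Constructed 512-byte sector: one sane entry and one malformed entry."""
    s = bytearray(SECTOR)
    s[446:462] = struct.pack("<B3xB3xII", 0x80, 0x0B, 2048, 4096)    # FAT32, fits
    s[462:478] = struct.pack("<B3xB3xII", 0x41, 0x07, 4096, 100000)  # bad status, too big
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    # For a real card: read sector 0 from an image file opened in "rb" mode.
    parts, warnings = parse_mbr(build_sample(), total_sectors=8192)
    for p in parts:
        print(p)
    for w in warnings:
        print("WARNING:", w)
```

Parsing in a user-space process like this keeps malformed on-disk structures away from the kernel filesystem driver, but it only sees what the card's controller chooses to return.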
You can browse the contents using a Raspberry Pi or something similar. If something gets broken, at least the loss will be minimal.
- How will you attach it to the RPi? You will need an adapter, since you can't boot from it, you might as well attach it to a PC.. – Sir Muffington Aug 19 '22 at 15:39
- A Pi supports USB. You can install Linux on your own SD card and use a card reader to attach the suspicious SD card to the card reader and then SSH or something similar – M.Hamza Ali Aug 20 '22 at 16:30
- Then why not use your laptop/desktop PC since you need a card reader anyways?... – Sir Muffington Aug 20 '22 at 19:49
- The question is about how to examine the content SAFELY, not how to browse the contents of an SD card. Plugging it directly into the PC is risky because once you mount it there could be exploits on it. The same is true for the RPi, but the risk there is much lower – M.Hamza Ali Aug 20 '22 at 23:00
- Why is the risk much lower on a RPi vs e.g. a Linux laptop? – Sir Muffington Aug 21 '22 at 15:46
- Your suggestion only transfers the threat. It does not lower the threat. Your suggestion doesn't allow you to inspect the contents "safely". – schroeder Aug 21 '22 at 20:10
- YES it TRANSFERs the threat and that's the point. An RPi can be disposable. A PC/laptop not so much. If browsing the contents is the point then this is ONE way to browse the contents without compromising your PC/laptop @sirmuffinton the risk of compromising your laptop is lower* – M.Hamza Ali Aug 22 '22 at 07:11