Depending on your perspective, most modern SD cards just got either a lot more interesting or a lot more dangerous.
While MicroSD cards are becoming less and less common in mobile devices, there are still a significant number of phones and tablets that rely on some version of the SD storage format. This means that there’s a high probability that these cards will be plugged into a computer at some point, and that’s where this new bit of research will either turn your stomach or leave you scrambling for your stash of cards to start a new fun project. It turns out that SD cards have their own microcontrollers, and they can be manipulated to do as you please… if you know how to talk to them.
The team at Bunnie Studios explained recently on USENET newsgroup posts that SD cards can’t exist in their current or future states without some form of onboard microcontroller. The failure rate for cheap storage is staggeringly high, and these tiny ARM CPUs are assigned error correction tasks to try and combat those failure rates. The end result is all the makings of a computer the size of a quarter that can be reprogrammed to perform other tasks.
In the hands of many USENET newsgroup hobbyist, this opens the door to some really exciting projects that allows you to use a computer that makes an Arduino look huge. In the hands of someone malicious, SD cards just became capable of being quite dangerous to unsuspecting users.
Because your computer has no way to inspect the code running on an SD card before allowing it to shake hands with your PC, it is possible that a Man In The Middle attack could be set up on your PC. There’s also no way to confirm that you have removed any information that the program may have grabbed from your PC once you have discovered what the card was doing when it was connected. For the time being, if you discover you have an SD card that was programmed to misbehave, the best suggestion is to destroy the card and move on.
It’s interesting to see someone stumble across something that is equal parts exciting and mildly concerning. While it is possible for malicious code to be executed, it stands to reason that someone would have to try fairly hard to target an individual with this sort of attack. Unless you work in a secure environment, the random chance you have of being negatively affected by this would be entirely dependent on you using someone else’s removable storage. Much like candy from strangers, the safest course here would probably be to not borrow or accept free SD cards from people you don’t know.
