The problem, Huang wrote, is that the firmware loading and update mechanism of those microcontrollers is not secured. He said in observing electronics markets in China, he had seen shop keepers, "burning firmware on cards that 'expand' the capacity of the card -- in other words, they load a firmware that reports the capacity of a card is much larger than the actual available storage."
That vulnerability also made it possible for the two to hack into the firmware update process and write their own applications for the controller without needing access to the manufacturer's documentation. This, they said, would allow an attacker to eavesdrop on a user with a MitM attack.
Huang also wrote on his blog that the malicious code could be written to a sector of the card that is not erasable. He said that those in high-risk situations should not assume that even a "secure" erase of a card is enough. He recommended disposal of such cards, "through total physical destruction (e.g., grind it up with a mortar and pestle)."
All true, say other experts, who agree with Cross and Huang that flash memory is notoriously unreliable and degrades over time.
"You can only write a single memory cell a number of times, after which it wears out and gets corrupt," said Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender. "So even if you have a flawless chip, which is not the case in real life, some of its cells will definitely fail during its utilization."
The risk of compromise, they say, is also real, and has existed with other devices for years. "Such vulnerabilities have been seen in USB, Firewire, even parallel and serial ports of the past," said Bucholtz. "Any device that contains a controller executing code is always potentially at risk of such vulnerabilities."
And there are multiple possibilities of damage. "Attackers could hide data on the card," said Chris Wysopal, cofounder and CTO of Veracode. "They could make copies of files that were written and erased later. They could modify the data on the card, which could be very dangerous if programs are executed from the card."
"The attacker could intercept writes to the drive of passwords, credit cards, classified documents, or other sensitive data," Bucholtz said. "Such data could be stored in a hidden area that the device knows nothing about. The SD card could then be retrieved to obtain the data. The card could also inject code into the device for execution, taking over the device, and allowing just about anything to be done with it."
Still, there is general agreement that this is unlikely to be something focused on the mass market, because there are so many different brands of chips with different architecture and because, as McAleavey said, it would be easier to manufacture malicious chips than to break into existing ones.
Sign up for Computerworld eNewsletters.