Bucholtz said it wouldn't even require a corrupt manufacturer colluding with attackers. "The contract manufacturer has no reason to investigate what microcode they are given for the device, so there is no need for corruption or complicity unless the attacker is trying to slip their attack tool into another brand's devices," he said. "It might be easier to simply compromise the code of a major manufacturer prior to a production run."
But even at the nation-state level, Botezatu said he thinks it would be unlikely to succeed, since "security restrictions forbid the use of removable storage on mission-critical systems.
"The only way I see it viable would be if the attack was carried on flash storage that is permanently attached to the device, but in the case of government smartphones, this would mean that the entire phone has been at the bad guys' disposal, so chances are that they would rather tamper with the operating system instead."
Wysopal and Bucholtz said manufacturers of SD cards could, and should, take steps to secure the vulnerable firmware update process that Cross and Huang exposed. "They need to make it impossible for attackers to load their own code onto the microcontrollers," Wysopal said.
"Code signing can mitigate some of the risk of code injection, and storage/file encryption of all writes to removable SD cards can mitigate the risk of MitM sniffing or tampering of data," Bucholtz added, "unless the attacker gets the keys."
But McAleavey said that unless there is a widespread, high-profile security disaster involving microcontrollers of flash memory that threatens manufacturers financially, it is unlikely that anything will change.
"Not a whole lot of people are cutting up their cards (as Cross and Huang did)," he said. "They could probably design some methods to detect the tampering, but unless it actually becomes a genuine in-the-wild issue that harms their sales, I'd expect them to roll their eyes and ignore it."