Bunnie describes the issue in a separate blog posting. "Flash memory is really cheap. So cheap, in fact, that it’s too good to be true. In reality, all flash memory is riddled with defects — without exception." This is the inevitable result of economic pressure: "a constant arms race between the engineers and mother nature."
Engineers need to produce memory cheaper and faster – but in doing so, that memory becomes increasingly unreliable. So, "the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale."
In short, flash memory requires sophisticated error correction algorithms to make it appear to be contiguous and reliable. "These algorithms are too complicated and too device-specific to be run at the application or OS level," writes bunnie, "and so it turns out that every flash memory disk ships with a reasonably powerful microcontroller to run a custom set of disk abstraction algorithms."
The problem is that you can still gain access to those microcontrollers from the outside. "In my explorations of the electronics markets in China," he relates, "I’ve seen shop keepers burning firmware on cards that 'expand' the capacity of the card — in other words, they load a firmware that reports the capacity of a card is much larger than the actual available storage. The fact that this is possible at the point of sale means that most likely, the update mechanism is not secured." And it means that other code could be uploaded to perform other functions.
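One defender-side check that the capacity-spoofing firmware described above invites is a write-then-verify capacity test of the kind removable-media test tools perform: every advertised block gets a unique, per-run pattern, and the test watches for writes that are dropped or that land on earlier storage. The following is an added example, not code from the article or from bunnie's work; the `SimCard` class is a constructed model in which addresses beyond the real storage wrap around onto existing blocks, an assumption made for illustration.

```python
import hashlib
import os

BLOCK = 512  # bytes per logical block in this model


class SimCard:
    """Constructed model of a card whose firmware advertises
    `reported_blocks` but only has `physical_blocks` of real storage.
    Assumption (not from the article): addresses past the real size
    wrap around, so later writes overwrite earlier blocks. An honest
    card is the case reported_blocks == physical_blocks."""

    def __init__(self, reported_blocks, physical_blocks):
        self.reported_blocks = reported_blocks
        self.physical_blocks = physical_blocks
        self.store = bytearray(physical_blocks * BLOCK)

    def _offset(self, lba):
        if not 0 <= lba < self.reported_blocks:
            raise IOError("LBA outside advertised range")
        return (lba % self.physical_blocks) * BLOCK

    def write(self, lba, data):
        o = self._offset(lba)
        self.store[o:o + BLOCK] = data

    def read(self, lba):
        o = self._offset(lba)
        return bytes(self.store[o:o + BLOCK])


def pattern(lba, nonce):
    """Block content unique per address and unpredictable per run, so a
    stale or wrapped block cannot be mistaken for the one just written."""
    h = hashlib.sha256(nonce + lba.to_bytes(8, "big")).digest()
    return h * (BLOCK // len(h))


def verify_capacity(card, nonce=None):
    """Write a unique pattern to every advertised block. After each write,
    re-read that block (catches silently dropped writes) and block 0,
    used as a canary (catches writes that wrap onto earlier storage).
    Returns (advertised_blocks, usable_blocks); equal values mean the
    card passed, otherwise usable_blocks is the LBA where data was lost."""
    nonce = nonce or os.urandom(16)
    n = card.reported_blocks
    card.write(0, pattern(0, nonce))
    for lba in range(1, n):
        card.write(lba, pattern(lba, nonce))
        if card.read(lba) != pattern(lba, nonce) or card.read(0) != pattern(0, nonce):
            return n, lba
    return n, n
```

The block-0 canary is the cheap check; a full read-back pass over every block after all writes is the thorough one and catches fakes whose remapping does not hit block 0 first.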
The bottom line is that some – if not the majority – of SD cards contain an inexpensive microcontroller (typically a modified 8051 or ARM CPU) that can be accessed externally. "From this beachhead, we were able to reverse engineer (via a combination of code analysis and fuzzing) most of the 8051's function specific registers, enabling us to develop novel applications for the controller, without any access to the manufacturer's proprietary documentation."
As a result, the apparently inert memory card can be hacked to be not so inert: "they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect."
It is not clear what sort of detection and defense could be mounted against such an attack. Exploiting the weakness would be difficult, but not impossible. "I can see there are a number of possibilities to exploit this to use it as a tool for sophisticated (state-sponsored) targeted attacks," PandaLabs technical director Luis Corrons told Infosecurity. "Antivirus would have a really hard time detecting modified SD cards' code, even if it is possible at all."
David Harley, ESET senior research fellow, also notes that exploitation would not be impossible. "Dissemination through Windows (or even Mac) malware would, in principle, be no more (or less) problematical than other PC-hosted malware. While I don't know how much of a problem this is really going to be in the future," he told Infosecurity, "I think there are two main areas of concern: firstly, the introduction of malware into the supply chain; and secondly, compromises introduced onto mobile platforms, where the OS tends to discourage fully-effective on-access scanning, and where transparent communication between devices is arguably more common than with desktop machines (standard networking protocols apart)."