Flash Memory Cards Contain Powerful, Unsecured Microcontrollers

Researchers Sean Cross and Dr. Andrew Huang demonstrated yesterday at the Chaos Communication Congress that they could write arbitrary code onto various flash-based SD memory cards.

Researchers demonstrated yesterday at the Chaos Communication Congress in Hamburg that they could write arbitrary code onto various SD memory cards, a hack that could give attackers the ability to perform man-in-the-middle attacks on devices housing the cards, as well as give users access to an inexpensive source of powerful and programmable microcontrollers.

Sean Cross, who goes by the hacker handle of xobs, and Dr. Andrew Huang, aka Bunnie, focused on managed flash devices including microSD, SD, MMC, eMMC, and iNAND devices. These are generally soldered onto the mainboards of smartphones for the purpose of storing operating system and other private user data, according to Huang. Similar vulnerabilities exist in related USB flash drives and SSDs.

More specifically, the researchers examined Appotech’s AX211 and AX215 products.

Flash memory has a number of performance issues, but it’s also inexpensive–0.1 nanodollars-per-bit to be exact. Huang claims that flash memory devices almost always contain bad memory blocks. The manufacturers work around this problem by implementing computation error correction algorithms that essentially create the illusion of perfect data to the user.

Huang explained at the conference that with flash memory you are not really storing your data; what you are storing is a probabilistic approximation of your data.

“The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions,” Huang explained in a related blogpost. “This is the result of a constant arms race between the engineers and mother nature; with every fabrication process shrink, memory becomes cheaper but more unreliable. Likewise, with every generation, the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale.”

Problematically, the algorithms that create this illusion are highly customized depending on the quality of the flash memory in each chip. Because of this, the manufacturers can’t correct the imperfections on the operating system or application level. Instead, they install fairly powerful microcontrollers onto each flash memory disk. In this case, the researchers worked with Intel 8051 microcontrollers.

“It’s probably cheaper to add these microcontrollers than to thoroughly test and characterize each flash memory chip,” Huang wrote, “which explains why managed flash devices can be cheaper per bit than raw flash chips, despite the inclusion of a microcontroller.”

The quality of flash memory chips varies widely from chip to chip. Sometimes companies build the chips with high-quality, new silicon. Sometimes the companies build flawed chips with recycled parts. In either case, these computational error correction algorithms are designed to make up for whatever level of deficiencies are present in the chips.

As the researchers said in their demo, if a company has a 16 GB flash SD card with 14 GB of bad memory blocks, then the manufacturer will apply their ECC algorithm, determine where the bad blocks are located, and sell the chip as a 2 GB SD card.

These microcontrollers must be able to handle vast numbers of hardware abstraction layers in order to accept firmware updates and ultimately process the unique algorithmic requirements of each flash implementation, especially for cases where third parties are handling the chips.

Huang and Cross discovered they could send a “knock” sequence with a manufacturer-designated command they found on a spec-sheet after searching around on the Chinese search engine Baidu. The command itself, followed by ‘A.P.P.O’ (the first four letters of Appotech) initiated the firmware loading mode on the chip. Once that process began, the chip would accept 512 bytes and run that data as code.

In other words, the maker of these particular chips, and likely a whole slew of others, is not adequately securing the firmware update process.

From this point, the researchers reverse engineered the 8051 controller and managed to build new applications for the controller without access to the manufacturer’s documentation.

“Most of this work was done using our open source hardware platform, Novena, and a set of custom flex circuit adapter cards (which, tangentially, lead toward the development of flexible circuit stickers aka chibitronics)” Huang explained on his blog.

The controllers also process SD commands with interrupt-driven callbacks, which the researchers claim are an ideal location to perform man-in-the-middle attacks. These attacks Huang says, would be difficult to detect because there is no standard protocol to inspect the contents of the code running on these microcontrollers.

“Those in high-risk, high-sensitivity situations should assume that a “secure-erase” of a card is insufficient to guarantee the complete erasure of sensitive data,” Huang warns. “Therefore, it’s recommended to dispose of memory cards through total physical destruction (e.g., grind it up with a mortar and pestle).”

In terms of practical attacks, the vulnerability could offer an attacker the ability to eavesdrop. For example, an attacker could program a chip to report a smaller data-capacity than the actual capacity of the chip. While a seller of counterfeit chips may want to do the opposite of this (have the chip report a capacity larger than the actual capacity), a would-be eavesdropper may want to keep a user in the dark about the chip’s full storage capacity in order to sequester data to hidden, not erasable sections of the chip. A chip with more storage than advertised could be programed to secretly copy all its data to a hidden store that would be nearly impossible to remove from a chip other than by physically destroying it.

During the demo, Huang also warned of a potential time-of-check to time of use attack. A knowledgable attacker could present one version of a file for verification and a totally different (read: malicious) file for execution. An attacker could also perform selective modification attacks as well, swapping secure random number generators, binaries, or keys for unsecured ones.

On a less malicious note, Huang writes that the research opens up a cheap avenue for hackers and hardware enthusiasts customize the controllers for heir own purposes.

“An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price. While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C or SPI-based sensors.”

You can find a link to the demonstration slides here and watch the actual demo itself below:

http://youtu.be/r3GDPwIuRKI

Suggested articles