SD Card Hack Shows Flash Storage Is Programmable: Unreliable Memory
Ever wonder why SD cards are dirt cheap? At the 2013 Chaos Computer Congress, a hacker going by the moniker Bunnie recently revealed part of the reason: “In reality, all flash memory is riddled with defects — without exception.” But that tidbit is nothing compared to the point of his presentation, in which he and fellow hacker Xobs revealed that SD cards and other flash storage formats contain programmable computers.
Bunnie also summarized his presentation in a relatively easy to understand post on his blog. The images I’m sharing here are from the slides (pdf) that he and Xobs used in their 30C3 talk. Here’s the full paragraph where Bunnie claims that flash memory is cheap because they’re unreliable: “Flash memory is really cheap. So cheap, in fact, that it’s too good to be true. In reality, all flash memory is riddled with defects — without exception. The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions…”
“…This is the result of a constant arms race between the engineers and mother nature; with every fabrication process shrink, memory becomes cheaper but more unreliable. Likewise, with every generation, the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale.”
Simply put, Bunnie claims that flash storage is cheap (partly) because all chips made are used, regardless of their quality. But how do flash storage makers deal with faulty hardware? With software.
Apparently flash storage manufacturers use firmware to manage how data is stored as well as to obscure the chip’s shortcomings. For instance, Bunnie claims that some 16GB chips are so damaged upon manufacture that only 2GB worth of data can be stored on them. But instead of being thrashed, they’re turned into 2GB cards instead. In order to obscure things like that – as well as to handle the aforementioned increasingly complex data abstraction – SD cards are loaded with firmware.microcontroller, i.e. a very tiny computer. The microcontroller is packed inside a memory card along with the actual chips that store the data. Bunnie and Xobs then proved that it’s possible to hack the microcontroller and make it run unofficial programs. Depending on how cynical you are, that finding is either good news or bad news.
For their talk, Bunnie and Xobs hacked into two SD card models from a relatively small company called AppoTech. I wish I could say more about their process, but you can read about it on Bunnie’s blog…
Long story short, Bunnie and Xobs found out that the microcontrollers in SD cards can be used to deploy a variety of programs – both good and bad – or at least tweak the card’s original firmware. For instance, while researching in China, Bunnie found SD cards in some electronics shops that had their firmware modified. The vendors “load a firmware that reports the capacity of a card is much larger than the actual available storage.” The fact that those cards were modified supports Bunnie and Xobs’ claim: that other people besides manufacturers can manipulate the firmware in SD cards.
It’s worth noting that this particular investigation had an extremely small sample size. That being said, Bunnie believes that this vulnerability exists in “the whole family of “managed flash” devices, including microSD, SD, MMC as well as the eMMC and iNAND devices typically soldered onto the mainboards of smartphones and used to store the OS and other private user data. We also note that similar classes of vulnerabilities exist in related devices, such as USB flash drives and SSDs.”
Turns out the memories of our computers are as unreliable as ours.