Ask Slashdot: Is Non-USB Flash Direct From China Safe? 178
Dishwasha (125561) writes I recently purchased a couple of 128GB MicroSDXC cards from a Chinese supplier via Alibaba at 1/5th the price of what is available in the US. I will be putting one in my phone and another in my laptop. A few days after purchasing, it occurred to me there may be a potential risk with non-USB flash devices similar to USB firmware issues. Does anybody know if there are any known firmware issues with SD or other non-USB flash cards that could effectively allow a foreign seller/distributor to place malicious software on my Android phone or laptop simply on insertion of the device with autoplay turned off?
Fake! (Score:2, Insightful)
I would almost guarantee for that price it's a fake card. It's a pretty common practice. It's either smaller than it says (try a write test for the full 128GB) or slower than stated, etc. Assuming you have an Android phone that has unauthorized sources turned off by default, I would think you're relatively safe. I would not say an attack is impossible, though. To my knowledge there is no such thing as autoplay on Android.
More context on fakes (Score:3)
I would almost guarantee for that price it's a fake card. It's a pretty common practice. It's either smaller than it says (try a write test for the full 128GB) or slower than stated, etc. Assuming you have an Android phone that has unauthorized sources turned off by default, I would think you're relatively safe. I would not say an attack is impossible, though. To my knowledge there is no such thing as autoplay on Android.
http://www.ebay.com/gds/All-Ab... [ebay.com]
OBInSovietRussia (Score:3, Funny)
In Soviet Russia, girlfriend claps tablet.
There will be. (Score:1)
Well, you've just made the suggestion in a public forum monitored (at a very low-level) by multiple intelligence agencies. Some intern will now write it up and toss it up the chain, and if someone can develop such a thing, they will.
Re: There will be. (Score:2)
Old news.
My advice to OP: treat all USB peripherals (mice, wireless cards, storage, etc) as malicious unless they come from trusted/vetted supply chains. And even then, be suspicious.
Fortunately for the average consumer, China at a state level is interested in stealing valuable technology and company secrets, not in your person
Re: (Score:3)
My advice to OP: treat all USB peripherals (mice, wireless cards, storage, etc) as malicious unless they come from trusted/vetted supply chains. And even then, be suspicious.
Sorry, you can't even trust things coming from a trusted and vetted supply chain unless there are massive oversight controls. I've seen knockoffs and other crap come through Ingram Micro... that was in the '90s.
Re: (Score:3)
Remember that kerfuffle a couple weeks ago about FTDI bricking products that were using counterfeit FTDI USB-serial chips? Some of the product designers were unknowingly using counterfeit chips bought from companies we've all heard of (no, not Alibaba or eBay...)
Re: (Score:2)
my first 486 came from a very well known manufacturer... with a virus in the BIOS!
Re: (Score:2)
Big risks (Score:1)
Yes, there are big risks. That's why you need to write the manufacturers and insist they make a public statement. Then people can call them on their contract failure.
Also, your phone and laptop are already 0wn3d by the government and the corps.
Re: (Score:2)
No. No chance of security problems other than possibly having malware pre-loaded in a file on the drive. If you have auto-play turned off and format the card, it should be just fine.
Now, it is still likely that it is a fake. It might be very small, very slow, or die a very early death, but that would only endanger your data on there and not your computer itself.
You may be asking "Why is this the case?" The reason is that the "U" in "USB" stands for "Universal". A USB device could easily present itself a
Re: (Score:2)
I've seen webcams and Bluetooth SD cards as well, even a composite GPS/storage card (how in the fuck they got a GPS to fit INSIDE an SD form factor with only an inch and a quarter of wire sticking out (the antenna) is anybody's guess...).
more likely scenarios (Score:1)
That scenario is entirely possible, but the more likely scenarios are:
It could be a smaller device hacked to misreport its size, or
It has PC based malware waiting to be activated when you connect it to a computer.
"From China"?!? (Score:2, Interesting)
"Directly from China" is exactly as safe as "made in China and assembled in the US", which is pretty much your alternative.
Re: (Score:2)
This. Also consider that these so-called knockoff chips are made on EXACTLY the same process lines as the "real thing", using EXACTLY the same substrates, screens, whatever... the only difference is that the "knockoffs" haven't been power tested - so you're taking pot luck that they actually work, even if they are actually as specified on the box (how long have the 8GB cards with 64/128GB firmwares been sitting in storage?? They're still genuine cards, what makes them slightly hooky is the firmware. There's
Re: (Score:2)
It's actually not, supported by ample evidence, but whatever. Quality control is a huge huge problem in China, whether or not you consider it "politically correct" to say so.
Re: (Score:2, Funny)
By the way, would a "Made in Russia" tag be worse or better?
I dunno. I'd suppose it'd be likely to get drunk, slap its wife, invade Ukraine, and then break.
Make sure you can read and write every bit (Score:5, Informative)
Re: (Score:2)
Mod parent up. I got a USB drive as a gift that claimed to be 256GB! I tested it, and I think it's actually a 4GB drive with a little over-provisioning.
Ditto (Score:1)
Yes, my 64GB MicroSDHC turned out to be 3.5GB of actual memory followed by rewrites that corrupt the existing data. Apparently this is very common.
Re:Ditto (Score:4, Informative)
SDHC only goes up to 32 GB, so that should have been your first clue. Happened to my dad, too.
Re: (Score:2)
who remembers all the acronyms?
SD, SDHC, SDXC, SDIO, BFG, LOL, WTF
(lameness filter, blah blah blah)
Re: (Score:2)
"who remembers all the acronyms?"
https://google.com/ [google.com] if the first page does not have it then try
https://www.wikipedia.org/ [wikipedia.org] if wiki fails you or has too many acronyms on one page then ask the author if they can be reached.
Oh no, SDXC chips all use exFAT and are limited to 4 GB for a single file, meaning a DVD ISO won't fit. The SDHC was 2 GB files, so it went up but not enough, and according to Wikipedia "SDXC adopts Microsoft's exFAT file system as a mandatory feature." I have XC cards already but if the ha
Re: (Score:2)
So if you change the filesystem on an SDXC card after buying it there's nothing to say SDXC devices definitely won't be able to read it, just that you cannot automatically assume that they will be able to read it.
The problem with that approach is that these cards have been optimized with the FAT filesystem in mind. They do this by using smaller sectors for the FAT area, and bigger sectors for the data area. Using a different filesystem can reduce the speed and durability of the card.
Re: (Score:2)
You might want to read it once.
Yes, my 64GB MicroSDHC
Re: (Score:2)
oh, fuck, not another ransomware...
I'm just glad I keep all my data airgapped.
Click the Contact Supplier button (Score:3, Insightful)
Re: (Score:1)
Re: (Score:2)
Wow, Foamy, lay off the coffee, eh?
Re: Click the Contact Supplier button (Score:2)
Laugh. Cut the dough bag a little slack. After all, /. is the land of speculation and pseudo-experts.
Should be Easy to Check (Score:1)
Use some Linux tools to examine any partitions that might appear on the card. Also, use these same tools to wipe the card before use; but, doesn't all that manpower negate any savings? Shouldn't we do these things with any SD card?
Re: (Score:2)
There was a case where Best Buy (long time ago, when 100MB Zip disks were the rage) re-sold Zip disks containing someone's pr0n stash. So the source of the media doesn't really matter.
Any media, no matter what its packaging, can be a vector for viruses. USB is the most heinous because a device could be the size of a micro Bluetooth transceiver, report itself as a keyboard, and install gigabytes of virus code on a computer system. There's no bigger risk to security than physical contact.
Probably fake cards, actually (Score:5, Interesting)
Re:Probably fake cards, actually (Score:5, Informative)
I think it's funny that he's worried about being pwned by the flash card firmware (answer: you can't, it's not a generic interface like USB that can be keyboards, mice, network cards, etc. on a whim), and not about being cheated by the old "1GB card that claims to be 4GB" scam.
Anyhow, here are some relevant links:
http://www.bunniestudios.com/b... [bunniestudios.com]
http://www.bunniestudios.com/b... [bunniestudios.com]
Re: (Score:2)
Analogous to worrying about something that's not likely to happen but sounds scarier, and ignoring a more common problem.
Re: (Score:2)
that's pretty darn unlikely though.
so that's not really a thing to worry about. besides, if it happens, he can make a blog post about it on some blog he has ads on and get 20 million hits as he would be the first.
he could turn card encryption on too in whatever os he is using it on, which would make the sd firmware inserting files into the filesystem or altering them even more unlikely.
Re: (Score:2)
I usually throw a new card into a camera and format the thing. Generally sorts it out.
Re: (Score:2)
You think the US ones don't come from China? (Score:4, Interesting)
Because I guarantee you that somewhere there is a guy buying them from China in bulk, for 1/5 the price, repackaging them and selling them on Amazon for 3/4 the price.
Re: (Score:3)
Doubt it. Even if they somehow got reseller status on Amazon, they would promptly get feedback'd down to oblivion. They wouldn't last long on eBay either. Only on Alibaba would someone actually think those cards were real....
I have seen 640G Sony cards, 512G SD, etc years before that size was actually available....
Not a security risk, but a fake risk (Score:2, Insightful)
I would tend to agree with other people: There's really no risk that an SD card is a security problem in the same way that USB is, since it's just storage. However, there is a big risk that any SD card you buy through unusual channels, especially at a ridiculously low rate like 1/5 the price, is just a fake which will start overwriting your data after you get past 1G or 8G or whatever. I absolutely refuse to buy SD cards outside a major physical store chain.
Re: (Score:2)
Mod parent up.
The poster's flash is almost certainly a fake if it's a mass market brand. Even if it's a generic Chinese brand, it most likely uses the same low-grade flash used in the fakes. I would not risk my data on these devices as the durability over the course of normal use is a big unknown since they aren't backed by a company doing extensive characterization.
Re: (Score:2)
It's not that the flash is low grade, it's that it just plain doesn't exist, and the card will just discard data after a while. What flash there is in there probably works, but is useless.
Re: (Score:3, Interesting)
Of course it's a security risk.
The SD card has a 32 bit processor that does the wear leveling.
There is nothing stopping it doing 'interesting' things to files on it, if it's so programmed.
The extra fun part is that the user can't read out this programming.
Obvious things might be infecting files with viruses, appending small secret files to large media files in the hope that they will later be shared, or more targeted attacks.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
There's a big difference between "it will lose the data you put on it" and "it will infect your computer and destroy the data you put everywhere". If I wanted to conduct secure transactions with my bank over the internet, it doesn't really matter (much) if my computer is running off of an unreliable hard drive. It might crash in the middle, but I probably won't lose money over it. But if the hard drive infected the operating system, the infection could undermine the security of my transactions and drain my
Re: (Score:2)
Because so often in these discussions it comes down to the latter.
Re: (Score:2)
Re: (Score:2)
There's no practical way to compromise a machine with an SD card. There are theoretical ways. You are throwing up uninforme
Re: (Score:2)
Hey, don't accuse me of hijacking the discussion. I wasn't the one who asked if an SD card bought from unreliable sources could install malware without autorun:
Does anybody know if there are any known firmware issues with SD or other non-USB flash cards that could effectively allow a foreign seller/distributor to place malicious software on my Android phone or laptop simply on insertion of the device with autoplay turned off?
That was the OP, not me. I just wanted to praise queazocotal for actually answering the OP's question.
Re: (Score:2)
Think for a second (Score:2)
SD cards can't impersonate a keyboard (Score:3)
SD cards can't impersonate a keyboard, so anything like the USB firmware hack you linked to is impossible. There could be malicious files pre-installed on the drive, but then that's happened to big name suppliers plenty of times too.
As far as I know Android has no facility to run code directly from an SD card anyway, and if you're using an antivirus package worth its salt on your PC it would block any autorun attempt.
No badusb-type attack (% SDIO), but malware inject (Score:5, Interesting)
The SD* interface doesn't have the _same_ problem that USB does, i.e. BadUSB. It has other issues, though, and an SD card could be made malicious. The issue with USB is that a USB device can be / act as storage, a keyboard, a mouse, a camera, etc. You can plug in a USB device which you think is just a memory stick, but unbeknownst to you, it's also acting as a keyboard and "typing" commands to your computer. A pure SD card interface supports _only_ storage devices, so they can't act as keyboards. They therefore can't directly attack the host device in the same way that USB can.
Android does have some support for SDIO, though, which allows a card to act as a camera, wifi card, or keyboard. I *don't* think Android will by default use an SDIO input device. It's possible that it will, though. I may have to emulate such a card with a microcontroller and see what happens when it is plugged in to various iOS and Android devices. If it works, you just witnessed the birth of badsd, as I haven't heard of anyone doing that before.
What an SD card could do on a pure SD storage interface is muck with any files you put on the card. Suppose you installed towelroot or supersu on the SD card. The controller on the card could inject malware into the executable, and that malware would then be run with the same privileges you have - full root access if you root your phone, or the same access the apps have. Along with injecting malware into your files, the trojan SD card could send your files to the attacker. Wifi adapters can be made that small, so any data saved to the card could be sent to the attacker via the built-in wifi.
Your best defense in that case might be "at 1/5th the price of what is available in the US". A trojaned card like that is going to cost some money to make, particularly the version with built-in wifi. It wouldn't make sense to sell a million of them on Alibaba, losing money on all of them. They would more likely be used in a targeted attack - "mistakenly dropped" on the premises of a defense contractor or R&D lab, maybe even advertised on a forum likely targets tend to visit, such as one related to aerospace engineering or large-scale investments.
One step you could take to protect yourself would be to write and read back some known files of various types and compare their SHA hashes within a VM. The card should return a bit-by-bit identical copy of the file that you copied to it. If you save an .exe or .apk file and it comes back changed, that would be a bad sign. I'd like to hear from anyone who experiences that so we can investigate further.
ps - you could be a target. Servo guy was (Score:4, Interesting)
I forgot to say, don't completely dismiss the possibility of a targeted attack. A few years ago there was a guy who didn't have access to any top secret information or anything. He worked on software for factory machine parts and stuff. For example, he might work on a large servo, translating the command "turn 30 degrees" to electrical impulses to the motor's magnets. He sure doesn't seem like a high-value target.
It turns out that the motors and stuff he worked on were being used by another company who built larger modules from motors, gears, etc. Those modules were, in turn, used to make chemistry lab equipment such as centrifuges. Centrifuges used in Iran. So servo firmware guy WAS target zero for Stuxnet.
* The above narrative is roughly correct. Maybe the firmware-writing employee was a she, not a he, we don't know exactly which employee was hit first. We do know it came in through that company.
Only slightly safer than buying in US (Score:2)
Just avoid (Score:2)
Re: (Score:2)
These types of "deals" are always some type of trade-off. How much is your time worth?
I don't know about 1/5, but you can typically get memory cards at 1/2 off by just buying naked OEM cards. Before I leave positive feedback, I try to register for the warranty.
malware not the real worry IMO (Score:2)
Safe? (Score:2)
Alibaba has a long way to go (Score:2, Informative)
I got a counterfeit USB stick from Aliexpress and gave the item a one star review. The company actually called me up the next night - or should I say morning (3 AM), telling me that they understood the time difference and that they would continue to call me at that time every day until I changed my review.
I will never deal with Aliexpress again. Aliexpress never replied to my complaint. I will stick with something that realizes the importance of reputation.
SD Cards == exploitable (Score:2)
FYI... Sean "xobs" Cross and Andrew "bunnie" Huang disclosed low-level vulnerabilities in SD cards (as far as I can tell: on par with, and related to, the more recent BadUSB-type hacks) at 30C3, back in December 2013.
For further details, see:
http://www.bunniestudios.com/blog/?p=3554 [bunniestudios.com]
Re: (Score:2)
No idea... (Score:2)
No idea about Alibaba but E-Bay has a dispute system. And when I bought a pack of 18650 batteries 0.25 Ah each instead of at least 2.5 Ah and marked them OK - it's my own problem.
Next time I asked the seller "How many Ah has your 3.0Ah battery?" Answer was "They usually have at least half of that, you understand...". I preferred to buy a cheap notebook battery and disassemble it.
F3 (Score:2)
I don't have any experience with malicious flash drives, but since we're on the topic of fakes, F3 is a handy test program:
http://oss.digirati.com.br/f3/ [digirati.com.br]
Get whacha pay for (Score:2)
The price makes the item suspect. One must ask oneself, why is this so much cheaper?
While being malicious is possible, it's probably much more likely it's substandard and either won't work very well straight out of the box, or will fail fairly quickly compared to a 'normal' priced one.
Re: (Score:2)
This. Bricks and mortar for me, and I'll only deal with a BAM that records the serial number of the card (they're around, and EVERY branded card has a UUID silkscreened on it). Any problems, card goes back for exchange. Sorted. :) I also won't buy a card with less than three years warranty.
tin foil (Score:2)
Considering any you are buying locally will be made in China or Korea anyway, if you are scared of those cards you should be scared of just about every piece of electronic kit in the modern world. Your only safe bet is to go live in the woods with an abundant amount of tin foil.
Safe? No. Secure? Probably. (Score:2)
It takes effort to put root-kits on these and even the USB-attacks where a publicly available tool-chain exists need customization for the target and specific exploit code. These are not one-size-fits-all attacks.
But safe? Likely these use sub-standard flash and controllers to make that price. Expect data loss and undetected corruption.
Here's what you do (Score:2)
Take some tinfoil, form a large hat, a medium hat, and a small hat. Put the large one on your head, the medium one on your laptop, and the small one on your phone. After that, you should be just fine.
QA rejects. (Score:3)
Most likely QA rejects. Now, why they were rejected by QA - this is your opportunity for getting decent media cheap. Sometimes the controller is broken and you'll end up with a fancy guitar pick. But sometimes the number of bad blocks on flash exceeds the standard. Run 'badblocks' on your card, and you'll get a card 95% the size of the respective 'brand' at 20% the price. As a bottom line, this may cost some work and don't expect your profit to be 4x the value of 'certified', but you may come out profitable.
Re: (Score:1)
This answer is technically correct. If you can't personally vouch for the source of something, it could be dangerous. That's what trust is.
My best suggestion is put it in a Linux box(low priority target for this kind of hack), and reformat it.
Re:Nope. (Score:5, Informative)
He was asking about firmware. Formatting the SD card will not do anything to the firmware.
Re: (Score:2)
Not sure I'd use 0's. I think I'd use random data with a CRC check, or at least known files that I could copy back and diff against the originals.
Re: (Score:1)
A rip off 128GB will probably be something like 4GB or 8GB under the hood. If you're going to make a fake flash card or USB drive, you use the current cheap flash.
Re: (Score:2)
I have a 20GB hard drive that formats to 10GB. There're no bad sectors reported on it or anything like that, it's been like that since I partitioned it the second time round. Were they doing this to hard drives as well way back when a 20 set you back £200?
Re: (Score:2)
Are you sure there is not a size barrier on the BIOS / disk controller? Or that the HDD has a jumper to a lower capacity for compatibility with above mentioned size barrier? I remember with hard drives that were "too big", you'd have to set the jumper, then install overlay software (usually in the MBR) to allow access to the full capacity. Int13 has a limit around 8GB, and is one of those barriers.
Re: (Score:2)
definitely not that. I'm aware of the 8GB cap, I'm also aware of the 32GB jumper cap on larger capacity drives. This one doesn't have that.
Re: (Score:2)
ROTFL, of course you know, if they are counterfeit, you might be able to take that as a good sign, since you know the people tampering with it were explicitly ripping you off for profit; those sticks probably don't contain any backdoors placed by a reputable internationally operating TLA who would want you to get the full size of the drive you paid for.
Re: (Score:2)
I was aware of and willing to take that risk considering the significant price difference. The positive thing with Alibaba is a 15 day dispute period. It probably won't be even worth going through the dispute process, but at least that option is available.
Re: (Score:2)
The price is the dead giveaway that it is a fake. Flash memory does cost money, and it is sold at minimal margins. One fifth of the price means less than one fifth of the memory, every time.
The card will pretend to be as big as they claim, and it will silently just lose your data.
Re: (Score:2)
Contents? Keep the crap on your HD, I want your bandwidth, your processing time and your IP address.
don't worry about it (Score:5, Insightful)
Re: (Score:3)
# dd if=/dev/zero of=/dev/sdc
it gives I/O error at about 8.2GB. Definitely not worth the aggravation.
Re: (Score:2)
This sort of test may not detect all fakes. Really you need to write a test pattern and read it back, as the writes may appear to succeed.
Programs exist to do this for you, e.g. https://sites.google.com/a/int... [google.com]
When I had one of these fake cards, it seemed to me that the firmware had been designed to allow a filesystem to be created on the device, by remapping the blocks that the filesystem would use for its metadata.
Formatting utilities should really check for bad SD cards...
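The test-pattern check this comment calls for, and the write-then-hash comparison suggested in the "No badusb-type attack" comment above, worked through as an added example (not code from any poster): every block gets a pattern derived from its own index, so on read-back a block that carries another block's pattern reveals a wrap-around fake, and a block carrying nothing recognisable reveals one that silently drops writes. The 4 KiB block size, the FakeCard simulator and check_device's path argument are assumptions of this example.

```python
import hashlib
import os

BLOCK = 4096  # assumed test granularity for this example


def block_pattern(nonce, index, size=BLOCK):
    """Pseudo-random fill unique to (nonce, index): a block that reads back as
    another block's pattern proves address aliasing, not random bit rot."""
    out, ctr = bytearray(), 0
    while len(out) < size:
        out += hashlib.sha256(nonce + index.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:size])


def run_check(dev, nblocks, size=BLOCK):
    """Write a distinct pattern to every block, read all of them back and classify.
    'intact' estimates the real capacity in blocks: a wrap-around fake keeps only
    the last blocks written, a fake that drops writes keeps only the first."""
    nonce, digests = os.urandom(16), {}
    dev.seek(0)
    for i in range(nblocks):
        pat = block_pattern(nonce, i, size)
        digests[hashlib.sha256(pat).digest()] = i  # digest -> owning block index
        dev.write(pat)
    dev.flush()
    report = {"intact": 0, "aliased": 0, "garbage": 0, "first_bad": None}
    dev.seek(0)
    for i in range(nblocks):
        owner = digests.get(hashlib.sha256(dev.read(size)).digest())
        if owner == i:
            report["intact"] += 1
            continue
        if report["first_bad"] is None:
            report["first_bad"] = i
        report["aliased" if owner is not None else "garbage"] += 1
    return report


class FakeCard:
    """In-memory stand-in for a mislabelled card (constructed for this example):
    advertises `claimed` blocks but stores `real`. mode="wrap" aliases high LBAs
    onto low ones; mode="drop" accepts the write and returns zeros on read."""
    def __init__(self, claimed, real, mode="wrap", size=BLOCK):
        self.claimed, self.real, self.mode, self.size, self.pos = claimed, real, mode, size, 0
        self.store = bytearray(real * size)

    def _phys(self, lba):
        if lba < self.real:
            return lba
        return lba % self.real if self.mode == "wrap" else None

    def seek(self, off, whence=0):
        self.pos = off
        return off

    def write(self, data):  # only whole, block-aligned transfers are modelled
        p = self._phys(self.pos // self.size)
        if p is not None:
            self.store[p * self.size:(p + 1) * self.size] = data
        self.pos += len(data)
        return len(data)

    def read(self, n):
        p = self._phys(self.pos // self.size)
        self.pos += n
        return bytes(self.store[p * self.size:(p + 1) * self.size]) if p is not None else bytes(n)

    def flush(self):
        pass


def check_card(claimed, real, mode):
    """Exercise a simulated card end to end and return its report."""
    return run_check(FakeCard(claimed, real, mode), claimed)


def check_device(path):
    """The same cycle against a device node or image file such as /dev/sdX
    (assumed path); this overwrites every block on it."""
    with open(path, "r+b", buffering=0) as dev:
        return run_check(dev, dev.seek(0, os.SEEK_END) // BLOCK)
```

For a card sold as 128GB that really holds 8GB, the report's "intact" count times the block size is the usable capacity, whichever of the two fake behaviours the controller has.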
Re:don't worry about it (Score:5, Funny)
Yeah - I worked for a gadget retailer and was asked to test some 8GB flash sticks several years ago.
You could write 8GB to them, but anything past the first 4GB returned a read error.
My boss called the supplier in Shenzhen to yell at them - "How could you do this?" Their response: "I don't understand - you SAID you wanted the best price?!"
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Here's what to do: Generate random stream with openssl, md5sum it going into the card, md5sum it coming back out. Use pv for progress display if desired.
~ # cat randomtest.sh
#!/bin/bash
# Usage: randomtest.sh /dev/sdX  -- overwrites the whole card with a keyed
# pseudo-random stream, then reads it back; the two md5sums must match.
# (The write line and the last echo were truncated in the post and are
# reconstructed from the description above; on OpenSSL 3 bf-ofb needs -provider legacy.)
size=`blockdev --getsize64 $1`
time (openssl bf-ofb -pass pass:`head -c 32 /dev/urandom | base64` < /dev/zero | head -c $size | pv -pterb -s $size | tee $1 | md5sum - > writesum)
echo
time (cat $1 | pv -pterb -s $size | md5sum - > readsum)
echo
echo "Written:" `cat writesum`
echo "Read:" `cat readsum`
Re: (Score:3, Interesting)
Same here. I bought two 128GB cards on eBay for $23 each. Only one showed up, and when I tested it with:
# dd if=/dev/zero of=/dev/sdc
it gives I/O error at about 8.2GB. Definitely not worth the aggravation.
No, no, don't do it that way. If you overwrite an SD card starting from the beginning, you will overwrite the Protected Area of the card. Also happens if you use the "format disk" function of an operating system on the card.
The SD Association has a special formatter [sdcard.org] which avoids this problem.
Maybe try reading the card instead of writing, to test for those cards which have missing flash. Or carefully skip the Protected Area with dd when writing.
Re: (Score:2)
And what is the "protected area"?
Re:don't worry about it (Score:5, Informative)
oh dear god don't write over the protected area! ...
it's used for some specialized keys for some rarely used version of DRM. so if you have a CPRM "protected" file on the sd card, then.. you know.... "accidentally" give the file to someone else, they'll lack the decryption keys (since they're stored outside of the filesystem by the program that wrote the file to the flash card) and the file will be useless.
http://en.wikipedia.org/wiki/C... [wikipedia.org]
it's another one of those things that attempts to relabel yet another "generic binary storage device" as a "specialized media holder to assist content protection", and you should actually go out of your way to destroy this "protected area" instead of carefully avoiding damage to it.
it's totally safe to write over this "protected area" and use it for your own data, and it's rare to run into programs that actually use CPRM for protection against distribution (although they probably do exist, why would you use such a thing?).
that's probably why you've never heard of it or noticed writing over it.
non-free formatter is risky (Score:4, Insightful)
The SD Association has a special formatter [sdcard.org] which avoids this problem.
Interesting that the special formatter is only available for Microsoft Windows and Apple Macintosh, and apparently only in binary form. Even if I had such a computer I would not be comfortable formatting my disk with non-free software. Who knows, it might be putting an encrypted child porn picture on a hidden part of the disk, exposing me to the risk of prosecution. No thanks.
Re: (Score:2)
Re:don't worry about it (Score:4, Funny)
It's an anti-TARDIS card -- it's smaller on the inside.
Re: (Score:3)
Or, literally do exactly what this question is asking, release something that autoruns malicious software on your machine when you try to use it [wikipedia.org]...
Re: (Score:2)
Because Sony are content providers, we are pigs in the trough.
Re: (Score:2)
Re: (Score:2)
am I the only one who finds this post a: redundant and b: ironic?