Security researchers Andrew “bunnie” Huang and Sean “xobs” Cross have recently described a new way that nefarious hackers could steal data from users by infecting memory cards with new software. The software stored on the memory card could be used to execute a man-in-the-middle attack. The two researchers described the exploit they discovered at the Chaos Computer Congress recently.
The researchers believe that their exploit could be used to secretly copy data or modify data, such as encryption keys. They also believe that their exploit could be used to subvert authentication processors by substituting an unauthorized file for execution rather than the file the machine authorized.
The exploit is able to take advantage of the fact that SD cards have tiny microcontrollers designed to oversee storage operations. The same attack could also be used in principal for other flash storage devices including SSDs.
The hack may also be used for not so nefarious deeds. The researchers say that their exploit allows the SD card to run other software and opens the door to much cheaper microcontrollers for DIY users. The microcontrollers in the SD card could be useful for things like data logging web-connected sensors according to the researchers.