If you’ve owned a digital camera or phone over the past ten years, you’ll have noticed that in that time flash memory has become significantly cheaper. You can get relatively huge amounts of storage space on this tiny, flimsy little card for quite little. And why not, you may wonder. They are, after all, little pieces of plastic with seemingly unsophosticated read-write tech inside; easy to manufacture, easy to format, easy to store on, and easy to erase. But, you’d be wrong. A hacker team recently delivered a report at the Chaos Computer Congress detailing just how unsafe these storage cards are, and why.
The team posted a video to Youtube (see below) a written breakdown online and pointed out some serious flaws in the make up of these storage devices. Now, if you have adenoids or read computer manuals for fun, you may see and read that material like I would a children’s book. But if you’re like me, a typical man who hears the first word and then shuts down, you may not fully understand all the intricacies of what they said. I recruited a friend of mine who’s a computer scientist for the military to hold my hand like a 5 year old, and walk me through it using small words and size 18 font. What he explained was amazing, and surprising, and holds important information for photographers.
First off, he said, “There’s a reason I’m not allowed to use flash memory for work; SD cards or common portable flash drives. They are all defected and easy to manipulate.” He went on to explain from the article that all flash storage comes with a microcontroller that tells the device how to perform functions. That controller can be easily compromised and force the card to do a task in conjunction with what it’s supposed to be doing. Essentially, making it a tiny unassuming computer with a large amount of storage in an inconspicuous package. A very cheap package.
The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction
He went on to explain that as technology improves and these cards are expected to and able to handle more and more storage, these controllers become more powerful, and possibly more plentiful since they have to be able to account for more while seemingly providing the same user experience to the end user which they’ve become accustomed to.
This, he says, opens the door for someone to compromise the controller and add functions to it which it wasn’t intended to do. “Like what?” I asked. To which he explained the card could be programmed to copy all its info, and then, once hooked up to a computer, could send out an email with the info and you’d be none-the-wiser. Or possibly, corrupt your computer. He pointed out, after seeing my ‘Eye-Fi’ card, that it’s possible for that card to actually send out info without being connected to a computer. “But how does this affect me if no-one else gets hold of my card?”
The article went on to explain the card manufacturers and vendors commonly, “use recycled flash chips salvaged from discarded parts,” and that, “even the largest players staunchly reserve the right to mix and match flash chips with different controllers, yet sell the assembly as the same part number.” This is all disconcerting stuff, and add to that the fact that these devices are built with inherent flaws and that “The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction,” makes me wonder where to from here.
At the moment, I don’t have any answers, any suggestions would be appreciated. One suggestion to me was to never let anyone else touch my cards, or simply, go back to film. Riiight.
Name of computer scientist withheld at request.