SD Cards Pose Real Security Risks For Photographers

By Kishore Sawh on January 2nd 2014

If you’ve owned a digital camera or phone over the past ten years, you’ll have noticed that in that time flash memory has become significantly cheaper. You can get relatively huge amounts of storage space on a tiny, flimsy little card for very little money. And why not, you may wonder. They are, after all, little pieces of plastic with seemingly unsophisticated read-write tech inside; easy to manufacture, easy to format, easy to store on, and easy to erase. But you’d be wrong. A hacker team recently delivered a report at the Chaos Computer Congress detailing just how unsafe these storage cards are, and why.

Cards like Eye-Fi seem to pose a greater risk

The team posted a video to YouTube (see below) and a written breakdown online, and pointed out some serious flaws in the makeup of these storage devices. Now, if you have adenoids or read computer manuals for fun, you may see and read that material like I would a children’s book. But if you’re like me, a typical man who hears the first word and then shuts down, you may not fully understand all the intricacies of what they said. I recruited a friend of mine who’s a computer scientist for the military to hold my hand like a 5-year-old, and walk me through it using small words and size 18 font. What he explained was amazing, and surprising, and holds important information for photographers.

First off, he said, “There’s a reason I’m not allowed to use flash memory for work; SD cards or common portable flash drives. They are all defected and easy to manipulate.” He went on to explain from the article that all flash storage comes with a microcontroller that tells the device how to perform its functions. That controller can be easily compromised and made to force the card to perform a task alongside what it’s supposed to be doing, essentially making it a tiny, unassuming computer with a large amount of storage in an inconspicuous package. A very cheap package.

The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction

He went on to explain that as technology improves and these cards are expected, and able, to handle more and more storage, these controllers become more powerful, and possibly more plentiful, since they have to account for more while seemingly providing the same experience the end user has become accustomed to.

This, he says, opens the door for someone to compromise the controller and add functions it wasn’t intended to perform. “Like what?” I asked. He explained that the card could be programmed to copy all its info and then, once hooked up to a computer, send out an email with the info, and you’d be none the wiser. Or, possibly, corrupt your computer. He pointed out, after seeing my ‘Eye-Fi’ card, that it’s possible for that card to actually send out info without being connected to a computer. “But how does this affect me if no one else gets hold of my card?”

Thoughts

The article went on to explain that card manufacturers and vendors commonly “use recycled flash chips salvaged from discarded parts,” and that “even the largest players staunchly reserve the right to mix and match flash chips with different controllers, yet sell the assembly as the same part number.” This is all disconcerting stuff. Add to that the fact that these devices are built with inherent flaws, and that “The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction,” and it makes me wonder where to go from here.
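An added example (not from the original article or from Bunnie Studios): because different internals can ship under one part number, this sketch decodes the 16-byte CID register a card reports about itself, so two cards bought as the same product can be compared. It assumes a Linux host with a native SD/MMC slot that exposes `/sys/block/<dev>/device/cid` (USB readers usually do not); both sample CIDs are constructed, and the values are self-reported by the card's own controller.

```python
from dataclasses import dataclass
from pathlib import Path

@dataclass(frozen=True)
class CardId:
    mid: int      # manufacturer ID (8 bits)
    oid: str      # OEM/application ID (2 ASCII characters)
    name: str     # product name (5 ASCII characters)
    rev: str      # product revision, BCD "major.minor"
    serial: int   # 32-bit product serial number
    made: str     # manufacturing date, "YYYY-MM"

def parse_cid(hex_cid: str) -> CardId:
    """Decode an SD card CID given as 32 hex characters."""
    raw = bytes.fromhex(hex_cid.strip())
    if len(raw) != 16:
        raise ValueError("CID must be 16 bytes (32 hex characters)")
    mdt = ((raw[13] & 0x0F) << 8) | raw[14]   # 12 bits: year offset, month
    return CardId(
        mid=raw[0],
        oid=raw[1:3].decode("ascii", "replace"),
        name=raw[3:8].decode("ascii", "replace"),
        rev=f"{raw[8] >> 4}.{raw[8] & 0x0F}",
        serial=int.from_bytes(raw[9:13], "big"),
        made=f"{2000 + (mdt >> 4)}-{mdt & 0x0F:02d}",
    )   # raw[15] (CRC7 plus stop bit) is not checked here

def internals_differ(a: CardId, b: CardId) -> list[str]:
    """Fields that differ between two cards sold as the same part."""
    return [f for f in ("mid", "oid", "name", "rev")
            if getattr(a, f) != getattr(b, f)]

def read_cid(dev: str = "mmcblk0") -> CardId:
    """Read the CID of an inserted card (assumed sysfs path, Linux only)."""
    return parse_cid(Path(f"/sys/block/{dev}/device/cid").read_text())

# Constructed sample CIDs standing in for two cards with the same retail label.
CARD_A = "0353445355303847801234567800db01"
CARD_B = "2750485344303847309abcdef000c301"

if __name__ == "__main__":
    a, b = parse_cid(CARD_A), parse_cid(CARD_B)
    print(a, b, sep="\n")
    print("differing fields:", internals_differ(a, b))
```

A mismatch only shows that the two cards report different internals; a matching CID proves nothing about the firmware, since the controller supplies these values itself.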

At the moment, I don’t have any answers; any suggestions would be appreciated. One suggestion to me was to never let anyone else touch my cards, or simply go back to film. Riiight.

Name of computer scientist withheld at request.

Source: Bunnie Studios

About

A photographer and writer based in Miami, he can often be found at dog parks, and airports in London and Toronto. He is also a tremendous fan of flossing and the happiest guy around when the company’s good.

Q&A Discussions

  1. KK

    Drew, I think the phrase “once hooked up to a computer” is being used here to indicate that the hack is PC-based and not something that’s DSLR-specific.

    As for the malicious code needing to be able to elude anti-virus/anti-malware software, that presupposes the presence of such software which, as even MS Security Essentials doesn’t come pre-installed, is by no means guaranteed.

    As with many, if not most, computer security threats, the most likely victim is not the technophile that uses their DSLR’s wifi capabilities to transfer several GBs worth of photos to their virus-immune PC (to the detriment of battery life, not to mention vastly increased transfer times). The most likely victim is — forgive the rampant stereotyping — the middle-aged mother who’s transferring pics from her point-and-shoot by inserting the SD card into the laptop she bought from Best Buy, and who doesn’t know anything about malware except that that’s the kind of thing she occasionally needs to take her computer to the Geek Squad to fix.

  2. Drew Pluta

    So what does any of this have to do with security risks? The reason your friend can’t use flash drives working for the government is primarily because they don’t want people pulling data Edward Snowden style.

    The only way it would seem there’s a security risk is via the exact same methods all media related security risks always present themselves. Are you cautioning that we may see targeted attacks on DSLR users in camera via hacking? I can’t tell. That would be an interesting article.

    Furthermore, if we’re to be alarmed about this particular type of storage, you need to be writing articles urging people to worry about their nice new APPLE products with SSDs and all SSD drive usage in laptops.

    I want some actual information instead of alarm bells.

    • Niko

      Drew,

      This article (along with countless others online) has just pointed out a major flaw in flash storage that has not necessarily been exploited yet. All of the information needed has been provided:

      – You don’t know what’s been installed on that flash drive you’re buying
      – When you use the flash drive, there is a possibility that pre-installed malicious code could infect your computer
      – The resulting infection could result in the distribution or corruption of your data

      That is a pretty big issue in my book.

      – Niko

    • Drew Pluta

      Unless the code is written for the specific device it’s a non-issue. Like I said, are they claiming that there are DSLR hacks? A virus written to send malicious email would have nothing to do on a Canon 6D camera OS for instance. It wouldn’t even be seen by the system.

      Leftover malicious code is certainly not cool but the idea that there is any real risk in this beyond normal is just so beyond being able to worry about. The code would have to be written for the specific devices I’m using (PC or Mac). It would have to be intact and executable. And then be able to defeat virus and security scanning software. This would indicate that it’s up to date, which it would not be due to its recycled, thus out-of-date, nature.
