Using SD cards for secure "air-gapped" file transfer
Using USB sticks to transfer files across multiple computers is certainly not secure since the USB bus allows for Direct Memory Access and a USB device can pretend to be anything by changing its firmware/software.
Now, SD cards are far more limited as to what they are allowed to access on the host computer and offer only an SPI interface to write to and read files from it. Now, what do you think: is it reasonably secure to use an SD card to transfer files or not?
<Just use CD/DVDs
That's an option though it is quite bulky and quite wasteful (for write-once CD/DVDs)
>>1494
USB does not allow DMA though. At least not to the extent that a plugged-in USB device can read or write main memory. It is, however, a concern that a USB device can emulate e.g. a keyboard and start typing random commands.
SD cards are ok if you access them through SPI, but they also have a (((proprietary protocol))) for access which I wouldn't use out of principle, although it still doesn't allow for data theft. Most card readers use the (((proprietary protocol))) because it's faster.
>>1495
>USB does not allow DMA though
Hm, I thought the USB protocol could be exploited to allow for DMA access ... but I can't find much on it besides this:
https://github.com/ufrisk/pcileech
There is a video from CCC on how to exploit SD cards microcontrollers. It's quite hard when you don't have access to the source code, but cianiggers probably have it.
From the microcontroller they can exploit SD card reader firmware, which is a USB device, so theoretically SD cards can be used to pwn the system. It must be a sophisticated malware like Stuxnet tho.
>>1495
>Proprietary Protocol
I don't think this is happening in Linux though. I think the protocol is 'windows-based' - please correct me if I am wrong.
>>1517
>use SD card on multiple computers
yeah, but wasn't that OP's point?
>DMA and
what now. if a USB device can do DMA nothing else matters, it has access to all your RAM
>can pretend to be anything by changing its firmware/software.
>muh changing
no, it can simply be malicious by design, what kind of retarded thinking process do you have
OP here
>>1565
Re-using (USB) SD card readers is problematic, not re-using SD cards.
>>1569
Although USB doesn't have Direct Memory Access, the USB protocol does allow any particular USB device to have the capabilities of any other USB device by changing its firmware/software.
>>1514
You're right ... I can't read and thought you were only talking about the (USB/internal) SD card readers, but yes, SD card firmware can be attacked as well:
>Attack scenarios:
> – Eavesdropping
> ● Report smaller than actual capacity
> ● Data is sequestered to hidden sectors that are uneraseable
> – ToC/ToU
> ● Present one version of file for verification, another for execution
> ● Bootloader manipulation, etc.
> – Selective-modify
> ● Scan for assets of interest, e.g. security keys, binaries, and replace with insecure versions
>can be attacked as well
Or be malicious in the first place. Which is very, very likely... is there any storage medium (for a Sneakernet) that isn't as susceptible to attack?
(still OP)
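Added example, not part of any post in this thread: the ToC/ToU scenario quoted above ("present one version of file for verification, another for execution"), seen from the receiving host. `FlippingCard`, the function names and the sample bytes are constructed for illustration, and the expected digest is assumed to reach the host by a channel other than the card.

```python
import hashlib
import hmac
import io


class FlippingCard:
    """Constructed stand-in for a card whose controller serves one file
    on the first read and a different file on every later read."""

    def __init__(self, first: bytes, later: bytes):
        self._versions = [first, later]
        self.reads = 0

    def open(self) -> io.BytesIO:
        data = self._versions[min(self.reads, 1)]
        self.reads += 1
        return io.BytesIO(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_then_reopen(card, expected: str) -> bytes:
    """Fragile pattern: hash one read, then consume a second read."""
    with card.open() as f:
        if not hmac.compare_digest(sha256_hex(f.read()), expected):
            raise ValueError("digest mismatch")
    with card.open() as f:  # second read: the medium may answer differently
        return f.read()


def read_once_then_verify(card, expected: str) -> bytes:
    """Hardened pattern: pull the bytes off the medium exactly once,
    verify that buffer, and hand only that buffer to the consumer."""
    with card.open() as f:
        buf = f.read()
    if not hmac.compare_digest(sha256_hex(buf), expected):
        raise ValueError("digest mismatch")
    return buf


GOOD = b"release-1.0 binary (constructed sample)"
EVIL = b"substituted binary (constructed sample)"
EXPECTED = sha256_hex(GOOD)  # assumed to arrive out of band, not on the card
```

On a real host the equivalent is to copy the file to local storage, unmount the card, and verify and use only the local copy, so the card is never asked for the data a second time.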