|
Title: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Razick on August 06, 2014, 02:39:30 AM I can't seem to find the article, but it was recently reported that USB flash drives are unsafe because they can hide malicious software in an unusable portion of the drive used by the storage system. Therefore, for the purposes of Bitcoin security, it's important to consider any usb drive exposed to an untrusted computer to be infected.
Does this affect SD cards or only USB flash drives? EDIT: I am referring to malware stored in the FIRMWARE such that formatting the drive does not delete it. EDIT: If so can you suggest a good option for moving transactions between online and offline wallets without using paper? Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: CanaryInTheMine on August 06, 2014, 02:50:12 AM I can't seem to find the article, but it was recently reported that USB flash drives are unsafe because they can hide malicious software in an unusable portion of the drive used by the storage system. Therefore, for the purposes of Bitcoin security, it's important to consider any usb drive exposed to an untrusted computer to be infected. SD cards too.Does this affect SD cards or only USB flash drives? Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Razick on August 06, 2014, 02:52:31 AM Can you suggest a good option for moving transactions between online and offline wallets without using paper?
Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: waldox on August 06, 2014, 03:01:58 AM im sure this exposes windows pcs to malicious usb keys
does it effect macos or linux (ie ubuntu)? Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: bitcoinbitcoin on August 06, 2014, 03:07:39 AM The articles say viruses reside in the FIRMWARE of the USB (stick, mouse, keyboard, etc) :o
None mention SD cards. CanaryInTheMine: How do u know SD cards have the same problem? links: http://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/ http://www.wired.com/2014/07/usb-security/ Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: franky1 on August 06, 2014, 03:08:12 AM USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them. if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago??? the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: gadman2 on August 06, 2014, 03:39:16 AM Someone get the floppies.
Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: BIGbangTheory on August 06, 2014, 03:43:09 AM USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them. if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago??? the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Pente on August 06, 2014, 03:58:19 AM Can you suggest a good option for moving transactions between online and offline wallets without using paper?
Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: phillipsjk on August 06, 2014, 04:14:12 AM Similar attacks have been demonstrated with SD card (http://technabob.com/blog/2013/12/31/sd-card-programmable-hack/) and hard disk (http://spritesmods.com/?art=hddhack&page=1) firmware as well. However, USB is scary in that the device can masquerade as any other USB device: such as a keyboard that roots your machine with shell commands.
If it was not for the CPRM with device revocation (https://www.sdcard.org/developers/overview/copyright_protection/), I would say SD cards are the perfect floppy replacement. If security is important, I suggest CD-Rs. Note: most CD drives operate above the maximum storage temperature of the disk (about 35°C) Quote You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised. sometimes they have malware from the factory. Edit: I was talking about the drive firmware as well. Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: CanaryInTheMine on August 06, 2014, 04:31:04 AM http://www.mirror.co.uk/news/world-news/vladimir-putin-accused-spying-world-2653508
now imagine what kind of tech US has.... you still need a secured wallet with passwords etc... pretty soon we'll find out that google glass is capable of stealing your paper wallets if you're wearing them. :) Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Razick on August 06, 2014, 04:45:27 AM Can you suggest a good option for moving transactions between online and offline wallets without using paper?
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi? http://www.mirror.co.uk/news/world-news/vladimir-putin-accused-spying-world-2653508 now imagine what kind of tech US has.... you still need a secured wallet with passwords etc... pretty soon we'll find out that google glass is capable of stealing your paper wallets if you're wearing them. :) I was wrong about the iPad, but I really hope I am right about Google Glass not catching on... USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them. if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago??? the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing I've always used online wallets, but I am planning to move to an offline, Rasperry Pi based, wallet. Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Pente on August 06, 2014, 05:00:07 AM Can you suggest a good option for moving transactions between online and offline wallets without using paper?
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi? I would just program the Raspberry Pi to clear all contents after each use. Setting up the USB to act as a serial receive only device would require reprogramming the USB interface hardware which would be way to much work. Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Razick on August 06, 2014, 05:21:23 AM Can you suggest a good option for moving transactions between online and offline wallets without using paper?
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi? I would just program the Raspberry Pi to clear all contents after each use. Setting up the USB to act as a serial receive only device would require reprogramming the USB interface hardware which would be way to much work. The problem with that is that I am using the Rasperry Pi as my wallet. Clearing it each time would pretty much defeat the purpose. Unless you mean clearing the SD card, but that wouldn't work if malware is hiding in the firmware. Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: phillipsjk on August 06, 2014, 07:08:26 AM I would not worry too much about it. As long as you don't keep using your USB key in strange computers, you should be relatively safe. Any attack that gets your off-line keys would likely have to be targeted at your specific set-up anyway.
Is there a problem with using paper? I have both a paper and electronic copy of all of my (Bitcoin) keys. Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Razick on August 06, 2014, 01:32:49 PM I would not worry too much about it. As long as you don't keep using your USB key in strange computers, you should be relatively safe. Any attack that gets your off-line keys would likely have to be targeted at your specific set-up anyway. Is there a problem with using paper? I have both a paper and electronic copy of all of my (Bitcoin) keys. I plan to use paper backups, but I want an easier way to move transactions. Printing out a paper wallet every time I want to move Bitcoins to my online wallet sounds like a hassle, especially since my computer can't scan a QR code easily. Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: TimS on August 06, 2014, 01:57:13 PM Are SD Cards Subject to Vulnerability Similar to USB? SD cards have firmware (http://www.ehow.com/how_5030815_program-sd-cards.html), so theoretically, yes.EDIT: If so can you suggest a good option for moving transactions between online and offline wallets without using paper?
Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Jamie_Boulder on August 06, 2014, 01:58:22 PM The vulnerability is within the firmware which SD cards also have so yes.
Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Razick on August 06, 2014, 07:02:12 PM Thanks everyone, I think you've answered my question and given me some ideas. I like the airgap idea... I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. It could easily be put in send-only mode so that the transaction could be sent, but nothing returned to the offline computer.
Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: CanaryInTheMine on August 06, 2014, 07:06:24 PM Thanks everyone, I think you've answered my question and given me some ideas. I like the airgap idea... I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. It could easily be put in send-only mode so that the transaction could be sent, but nothing returned to the offline computer. don't forget this: http://www.welivesecurity.com/2014/01/15/secret-radio-technology-allowed-nsa-to-spy-on-pcs-disconnected-from-the-internet/Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: jbreher on August 06, 2014, 08:11:35 PM I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. Back in the good ol' Trash80 & TI 99/4A days, storage was done not on USB, nor HDD, nor even floppy. We used FSK (frequency shift keying) to encode our ones and zeros as audio tones, and stored it on analog cassette. And we _liked_ it. :) No reason you couldn't use FSK across the speaker/mic interface. Now get off my lawn! Damn juvenile delinquents.... Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Razick on August 07, 2014, 03:37:39 AM I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. Back in the good ol' Trash80 & TI 99/4A days, storage was done not on USB, nor HDD, nor even floppy. We used FSK (frequency shift keying) to encode our ones and zeros as audio tones, and stored it on analog cassette. And we _liked_ it. :) No reason you couldn't use FSK across the speaker/mic interface. Now get off my lawn! Damn juvenile delinquents.... I'll have to look into that. I think I'll sit here on the corner of your lawn for now. Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: sandykho47 on August 07, 2014, 11:54:54 AM SD card too ;D
1. i think malware can infect firmware and keep wallet.dat files 2. how about archive & encrypt wallet with RSA-4096 & very difficult password ??? Thanks everyone, I think you've answered my question and given me some ideas. I like the airgap idea... I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. It could easily be put in send-only mode so that the transaction could be sent, but nothing returned to the offline computer. don't forget this: http://www.welivesecurity.com/2014/01/15/secret-radio-technology-allowed-nsa-to-spy-on-pcs-disconnected-from-the-internet/i think it's impossible avoid airgap from anyone Title: Re: Are SD Cards Subject to Vulnerability Similar to USB? Post by: Kprawn on August 07, 2014, 01:35:54 PM Yea.. I posted the article. ;D
Goto ---> http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/ If the SD card has firmware, it would be vulnerable to manipulation by a skilled hacker. :( Hope the link answer your question. |