ubuntu-phone team mailing list archive

[Francisco Pina Martins <f.pinamartins@xxxxxxxxx>]

Hi Matthias,

I’d say this also kind of off-topic here, but here are my 0,02€.

Phishing attacks via “lost” USB thumb drives are not unheard of [1].

However, this kind of attacks are usually *very* specifically targeted.

I wouldn’t leave the possibility of an attack vector out of the picture, 
but I think there is a higher chance of simply being a returned product 
(that somehow got back in the shelf), or some refurbished drive that 
somehow skipped the QA part of the supply chain.

Best,

Francisco

[1] https://www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/

On 27/05/19 08:55, Matthias Apitz wrote:

> Hello,
>
> Last Saturday I went to a big tech market to buy a new SD card for my BQ E4.5.
> I bought a SanDisk microSDHC UHS-I 16 GByte. When I pulled it our from its
> plastic cover it was easy to open and I already though that someone opened this
> plastic once. I plugged it in and ... it contained pictures in a DCIM dir,
> a file Kontacts.vcf and more stuff, some Android directories etc. I returned
> it to the shop and they were surprised as well and gave me a new one, now really empty.
>
> What I'm asking me: Who is so "intelligent" and returns such SD to the shop, even
> hang it into the place where new cards are (or maybe the shop staff did so)
> but in any case without at least formatting the SD? And why at all?
>
> Or is this some new attack vector distributing trojans or malware on SD cards
> through shops?
>
> I asked the same in the UBports forum, but it was declared as OFF TOPIC
> there: https://forums.ubports.com/topic/2768/are-there-any-attack-vectors-based-on-sd-card
>
> Thanks
>
> 	matthias
​