← Back to team overview

ubuntu-phone team mailing list archive

Re: Are there any attack vectors based on SD card?


Hi Matthias,

I’d say this also kind of off-topic here, but here are my 0,02€.

Phishing attacks via “lost” USB thumb drives are not unheard of [1].

However, this kind of attacks are usually *very* specifically targeted.

I wouldn’t leave the possibility of an attack vector out of the picture, but I think there is a higher chance of simply being a returned product (that somehow got back in the shelf), or some refurbished drive that somehow skipped the QA part of the supply chain.



[1] https://www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/

On 27/05/19 08:55, Matthias Apitz wrote:


Last Saturday I went to a big tech market to buy a new SD card for my BQ E4.5.
I bought a SanDisk microSDHC UHS-I 16 GByte. When I pulled it our from its
plastic cover it was easy to open and I already though that someone opened this
plastic once. I plugged it in and ... it contained pictures in a DCIM dir,
a file Kontacts.vcf and more stuff, some Android directories etc. I returned
it to the shop and they were surprised as well and gave me a new one, now really empty.

What I'm asking me: Who is so "intelligent" and returns such SD to the shop, even
hang it into the place where new cards are (or maybe the shop staff did so)
but in any case without at least formatting the SD? And why at all?

Or is this some new attack vector distributing trojans or malware on SD cards
through shops?

I asked the same in the UBports forum, but it was declared as OFF TOPIC
there: https://forums.ubports.com/topic/2768/are-there-any-attack-vectors-based-on-sd-card