1

I want to move data from an insecure host to a secure host, e.g. to update the software on a Ballot marking device, or move data back and forth between such hosts. But as we know, even common thumb drives can stage BadUSB attacks.

Until 2019, I was thinking that SD card interfaces were significantly less vulnerable than USB ports (though not totally secure), as explained here by one of the BadUSB experts: Can SD-Card be a vector of a BadUSB type attack when used with a USB reader?

But I just watched the amazing presentation on Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals – NDSS Symposium which details how Thunderbolt support exposes a huge attack surface via DMA and the complex PCIe protocols involved. They also specifically note near the end of their presentation that SD card version 7.0 supports DMA, which brings with it a whole host of related risks. In fact the 7.0 SD Express bus implements PCIe also, as noted in SD card - Wikipedia

For those who value protection of their hosts against peripherals more than the speed of IO transfers, how can we avoid these attack surfaces? Proper implementation of Input–output memory management unit (IOMMU) protections can help, but doing that right seems barely out of its infancy.

Would specing SD card support below the level of 7.0 help? Or are there ways to select or reliably configure host drivers to decline to support DMA and the like?

Or are there other similar attacks on older SD card interfaces, in which case they are also suspect, and we should go back to moving data around on writable DVDs or via data diodes like QR codes?

nealmcb
  • 20,693
  • 6
  • 71
  • 117
  • Frame challenge: What's wrong with putting nail polish in every USB, RJ-45, serial, and SD card port, and reading the ballot results from a screen with the other ballot watchers when you're phoning the results in to the voting district's recorder's office? – Ghedipunk Aug 06 '19 at 23:27
  • @Ghedipunk I do like the idea of getting data *off* of the devices by printing or displaying QR codes and the like, as my last reference notes. But part of the problem is updating the software on the device itself, and I also see this general question being of interest for most any data transfers on or off of secure offline hosts. – nealmcb Aug 06 '19 at 23:30
  • Swap the hard drives, with the connectors sealed with tamper evident tape. Preferably with serial numbers printed on that tape. We can't eliminate all threats, but we can have a checklist that verifies serial numbers before opening the polls and while closing the polls, so that the only active attacks have to happen in secure facilities. – Ghedipunk Aug 06 '19 at 23:47

0 Answers0