Is SanDisk’s 512 GB SD Card Vulnerable?

First, a brief history of SD Cards.

SD card

Way back in 1999 SanDisk, Toshiba and Panasonic launched a new player in the memory card game. These SD cards were based on an earlier card format, called MultiMedia Cards (MMC), created by SanDisk and Siemens a few years earlier. Today, despite their high level of market saturation, many people aren’t aware that SD stands for Secure Digital, and even fewer people are aware that the word “secure” in the name refers to its ability to store encrypted music data. The original incarnation of SD cards had a storage capacity that maxed out at 2 gigabytes.

Seven years later, in 2006, a consortium of manufacturers announced a new type of SD card that was going to break that 2 gigabyte barrier. In addition to their higher storage capacity, these SDHC (Secure Digital High Capacity) cards had faster read and write speeds than standard SD cards. While physically and electrically similar to SD cards, SDHC cards featured a redefined CSD (Card-Specific Data) register. Their increased storage capacity capped at 32 gigabytes.

Just three years later, in 2009, a new type of SD card was announced. SDXC (Secure Digital eXtended Capacity) cards shattered the 32 gigabyte storage capacity with a theoretical storage capacity of up to 2 terabytes. That’s literally 1,000 times the top-end storage capacity of the original SD cards.

SanDisk’s 512 GB SD Card

Despite the theoretical capacity of 2 terabytes, the current capacity leader is SanDisk’s new Extreme PRO® SDHC™/SDXC™ UHS-I memory card. I’ve noticed that SanDisk’s announcement of the world’s first 512 gigabyte memory card has created quite a stir—as has its $799 price tag. That’s a lot of money, but these cards aren’t geared toward your average consumer. They are being released specifically with professional videographers and photographers in mind. SanDisk is touting them as 4K Ultra HD-ready as well as stating that they are “shockproof, X-ray proof, waterproof and. . .operates in temperatures ranging from -13 to 185 degrees Fahrenheit.”3

But what about security?

Data Loss Vulnerability

The specifications for these cards state that they have a “built-in write-protect switch [that] prevents accidental data loss,”3 and a Tech Times article says that “if images are accidentally deleted, the new SanDisk memory card has software for data recovery called RescuePRO® Deluxe brings these important files back.”4 That would indicate that these new cards might be reasonably safe from data loss. Of course, none of these security measures mean anything if you misplace or mislay one of these tiny cards. Additionally, even a “secure-erase” of a card isn’t guaranteed to erase your data. So, for those who use SD cards in high-sensitivity situations, total physical destruction of the card may be the only way to guarantee that any sensitive data can’t be retrieved.

Security Vulnerability

Going beyond the security of your data, SD cards—like USB flash drives—have some inherent security vulnerabilities. This includes the new 512 GB card. Due to their very nature, SD cards each contain a tiny microcontroller that helps them run. Late last year, researchers Andrew “bunnie” Huang and Sean “xobs” Cross wrote a blog detailing how these microcontrollers can allow arbitrary code execution on the card itself. Their conclusions say that “On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else.”5

They continue, “From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card’s microcontroller.”5 These vulnerabilities can mean that your little memory card could potentially be a source of malware that could cause you severe security issues.

Because of these vulnerabilities, it can be a tough choice whether to use SD cards or not. If you choose to use them, you should always be aware that use on any untrusted computer could potentially infect your card, which could, in turn, infect your electronics.