"they run a body of code that can be modified"
December 30, 2013 8:41 AM

 
From the DIY and hacker perspective, our findings indicate a potentially interesting source of cheap and powerful microcontrollers for use in simple projects. An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price.

That's pretty exciting, actually.
posted by penduluum at 8:45 AM on December 30, 2013 [8 favorites]


Repeating my post from the badbios discussion, which is even scarier after the spiegel article about the ready-to-use NSA toolkit from earlier today:
There have been many BlackHat/ShmooCon/OHM/etc talks that are just waiting to be weaponized. Things like Thunderbolt/Firewire, HDD controllers, USB fuzzing, laptop batteries, or even malicious chargers. Combination attacks like Stepping P3wns have been demonstrated that move from printers to VOIP phones to routers to computers.

I've been experimenting with EFI and DMA attacks over Thunderbolt and it is truly horrifying how poorly implemented the security is when devices are connected to the internal busses. Makes me want to fill every I/O port with epoxy, encase the computers in concrete, dump them in the river and go back to pencil on paper. And even then I'm not sure about the pencils.

And not all of the attacks are "smart device[s] emulating a usb stack, not just a dumb usb device ferrying data" -- many of them modify normal existing controllers (like the multi-core ARM in the HDD, or the option ROM in the gigabit ethernet adapter). And as more modern devices get shoe-horned into smaller packages we've ended up with video cables that have full ARM CPUs built literally into the cable housing. Things that we don't think of as "smart" have become programmable and potential attack vectors.
posted by autopilot at 8:51 AM on December 30, 2013 [7 favorites]


It’s as of yet unclear how many other manufacturers leave their firmware updating sequences unsecured.

I'm curious to know if the NSA can shed any light on this:

[One] program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.
posted by ryanshepard at 8:53 AM on December 30, 2013 [1 favorite]


The downside of all this complexity is that there can be bugs in the hardware abstraction layer ... as a result it’s not feasible, particularly for third party controllers, to indelibly burn a static body of code into on-chip ROM. The crux is that a firmware loading and update mechanism is virtually mandatory, especially for third-party controllers.
I don't follow this line of reasoning. How many people are going to look for a patch to fix a defective $5 SD card? The manufacturer needs to load the firmware once, at manufacturing time, and that's it. I don't see how an update capability is needed at all.

Many micro-controller architectures include fuses that can be burned out at programming time specifically to ensure some operations (like programming or calibration steps) only happen once. That would be cheap and simple (No reprogramming feature to test!) and more secure, since it wouldn't be possible to load new, malicious micro-controller firmware.
posted by Western Infidels at 9:13 AM on December 30, 2013 [1 favorite]


Western Infidels, I think the concern with reprogrammability is that if you build a hundred thousand $5 SD cards, ship ten thousand of them and discover an error, then you've got 90k cards that need something done if they're not going to end up as a total write-off.

But a lot of this is also that how we approach software development has changed. A lot. Back when it was "we're about to burn a quarter of a million CD ROMs" there was a level of testing and rigor in development that, in these days of continuous deployment to web based apps, I'm seeing a hell of a lot less of.

Couple that with the notion that, frankly, Chinese software engineering culture appears to be a whole lot less mature than what I see here in the United States (at least based on my experiences developing products here to be manufactured over there), and the "just build something, we'll fix it with updates" attitude is very strong.
posted by straw at 9:25 AM on December 30, 2013 [4 favorites]


I don't follow this line of reasoning. How many people are going to look for a patch to fix a defective $5 SD card? The manufacturer needs to load the firmware once, at manufacturing time, and that's it. I don't see how an update capability is needed at all.

you are right that no end user is going to go looking for a patch for their memory card, but the end user isn't their real concern. as Straw pointed out if you have a code error or a manufacturing error (wrong code got loaded or something, this happens REALLY frequently), you need a way out without throwing away a product that you already have little margin on.

Also if you are selling these to embedded device manufacturers and your code fuck-up is affecting their end products and you don't have a way to fix it in the field, they are not going to continue to use you as a vendor.

it wouldn't be possible to load new, malicious micro-controller firmware
I can almost guarantee that nobody cared about that during the design phase of those controllers. security consciousness only comes about from massive public embarrassment (which this isn't or is likely to ever be) and the company and their customers have to care enough to justify the massive investment in making their products secure.
posted by Dr. Twist at 9:36 AM on December 30, 2013


If someone made an SD card with 100mhz arm cpu that you could program with the arduino IDE, they would make a mint. Instantly.
posted by Freen at 10:43 AM on December 30, 2013 [2 favorites]


I'm more excited about the Circuit Stickers that they mentioned. They look like a really fun (and not super expensive) tech+crafting kit.
posted by benito.strauss at 11:23 AM on December 30, 2013 [1 favorite]


"I'm more excited about the Circuit Stickers that they mentioned. They look like a really fun (and not super expensive) tech+crafting kit."

Basically that guy's site just blew my mind. I followed his links and I'm reading this thing about how he's designing and building his own laptop from the motherboard component level up and I keep thinking "this isn't really possible, is it, to design and make all this bespoke electronics at this level?" but it is. And then the circuit stickers are amazingly cool and

my brain broke.

I was (and still am, in a limited sense) something of a hardware hacker back in my teens in the late 70s and early 80s. The maker scene, especially the computing and networking side of it, sings to me now like almost nothing else does and if I were my 16-year-old self, I'd probably have dropped out of high school to spend all my time building stuff by this point.

Nothing these days makes me feel like I'm living a Neal Stephenson cyberpunk novel like the high-tech maker movement. Every brush against it I experience gives me a strong sense of some kind of fundamental economic and technological paradigm shift in its first moments — it just seems like bespoke high-tech designing and manufacturing cheaply by the consumer must be economically subversive in some deep sense.

3D printers, of course, are supposedly what that whole anticipated revolution will be about, but it seems to me that the whole related infrastructure of leveraging, say, what previously were three billion dollar fabs and the technology research invested in them to throwaway dirt cheap ubiquitous microprocessors and such is really what's enabling.
posted by Ivan Fyodorovich at 1:38 PM on December 30, 2013 [3 favorites]


The manufacturer needs to load the firmware once, at manufacturing time, and that's it. I don't see how an update capability is needed at all.

There could be OEM stuff going on too. E.g., some nameless behemoth manufacturer could crank out a ton of shoddy 8GB SD cards, and then send them on to other "manufacturers", who flash them and stick their own labels and packaging on before shuffling them along to the consumer. Some higher-grade companies might put different defect-mapping code onto the cards (perhaps proprietary code) to get around errors, while shoddier companies might just put the bare minimum. Or even worse, they might choose to get extra capacity at the expense of reliability.

If you're the giant behemoth manufacturer, you want your product to appeal to as many people at the next step along the supply chain as possible, and you want to do it with minimal variation (ideally, no variation). If you can make the chips reprogrammable and have 1 SKU instead of permanently burning code onto them and suddenly having 10, that's a big win for you.

A fusible link does seem like a good way of preventing reprogramming later on, but honestly I'm glad that's not the case: it would prevent hobbyist reuse of the cards but wouldn't really add much in the way of security against a serious adversary. It would prevent script-kiddie reprogramming of cards, but it wouldn't stop the NSA or the KGB or whatever today's euphemism for Chinese Army hackers is, from buying some unprogrammed cards and dumping their own firmware on there, then burning out the link themselves. So it doesn't seem like much of a win.

The solution, it seems to me, is not to make it more difficult to reprogram the cards but to make it easier to audit the code that's actually running, and potentially to make it even easier to reprogram them (i.e. release the documentation). That way, concerned users could just dump their own firmware onto the cards when they buy them, blowing away the manufacturer's crap. In other words, rather than trying to make a general-purpose computing device act like a stupid device, which really just furthers the misunderstanding that leads to all the trouble, we should instead make sure smart devices act like smart devices. And that means opening up the code, the programming features, debugging, etc.
posted by Kadin2048 at 2:14 PM on December 30, 2013 [4 favorites]


It's neat how this makes the plot of Johnny Mnemonic totally plausible:
In my explorations of the electronics markets in China, I’ve seen shop keepers burning firmware on cards that “expand” the capacity of the card — in other words, they load a firmware that reports the capacity of a card is much larger than the actual available storage.
posted by mmcg at 3:32 PM on December 30, 2013


I fell victim to a reflashed SD card (in brand name retail packaging which I'm hoping was counterfeit) on my vacation this year and lost eight days worth of pictures. Which was annoying to say the least.
posted by Mitheral at 5:23 PM on December 30, 2013
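
The capacity-inflating firmware described in the two comments above can be caught with a full write-then-verify pass, the approach tools such as f3 and H2testw take. The following is an added example, not part of the thread: `FakeCard` is a constructed in-memory stand-in that assumes the spoofed firmware wraps out-of-range addresses back onto the real flash, and all names in it are hypothetical.

```python
import hashlib

BLOCK = 512  # bytes per logical block

class FakeCard:
    """Constructed stand-in for a card whose firmware advertises more
    blocks than the flash holds; addresses past the real size wrap."""
    def __init__(self, advertised_blocks, real_blocks):
        self.advertised_blocks = advertised_blocks
        self._real = real_blocks
        self._flash = [bytes(BLOCK)] * real_blocks

    def write(self, lba, data):
        self._flash[lba % self._real] = data

    def read(self, lba):
        return self._flash[lba % self._real]

def pattern(lba, seed=b"constructed-seed"):
    """Per-block-unique payload derived from the block address, so an
    aliased or dropped write cannot read back as correct."""
    out, counter = b"", 0
    while len(out) < BLOCK:
        out += hashlib.sha256(
            seed + lba.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:BLOCK]

def naive_check(card):
    """Write one block and read it straight back: passes on a spoofed card."""
    for lba in range(card.advertised_blocks):
        card.write(lba, pattern(lba))
        if card.read(lba) != pattern(lba):
            return False
    return True

def verify_capacity(card):
    """Fill the whole advertised range first, then read all of it back.
    Returns (blocks_that_verified, first_bad_lba or None)."""
    for lba in range(card.advertised_blocks):
        card.write(lba, pattern(lba))
    good, first_bad = 0, None
    for lba in range(card.advertised_blocks):
        if card.read(lba) == pattern(lba):
            good += 1
        elif first_bad is None:
            first_bad = lba
    return good, first_bad

if __name__ == "__main__":
    print(naive_check(FakeCard(64, 16)), verify_capacity(FakeCard(64, 16)))
```

On the spoofed card only the last-written blocks survive, which is why the earliest files are the ones that go missing and why the read pass must come after the entire range has been written.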


If someone made an SD card with 100mhz arm cpu that you could program with the arduino IDE, they would make a mint.

I think that's roughly the Electric Imp. I'm pretty sure it's similar underlying hardware as the Eye-Fi or other cards, with the addition of the weird locked-down web-based IDE. Or if you're more adventurous, some of the WiFi SD cards actually run Linux. If you don't specifically need the card form factor, check out the Teensy-3.1 (no wifi, cheaper, but has an actual open and documented cpu).
posted by hattifattener at 8:54 PM on December 31, 2013




This thread has been archived and is closed to new comments