End-user Computer Security/Main content/Digital storage
General security risks in digital storage
USB devices, SD cards, and drives (whether internal or external, and whether an HDD, SSD, optical disc drive, or otherwise), including USB memory sticks, can likely be modified quite easily so as to transmit data to snooping devices, which is a security risk. Device ROM malware (using firmware or otherwise) likely always constitutes an attack vector for such devices (which often appear to have embedded microcontrollers that run such ROMs). The same applies to hardware device tampering. However, SD cards are perhaps unlikely to undergo hardware tampering because of their small size (especially in the case of micro SD cards) and because of how they are constructed.
The custom BIOS/UEFI called Coreboot usefully offers the option of disabling option ROMs when they are present in USB devices[1]. If you use Linux in conjunction with such disabling, you can instead rely on the drivers supplied in Linux to interface with those USB devices[2]. This approach objectively reduces the attack surface associated with those USB devices (because Linux drivers are considered to be more secure than manufacturer-provided option ROMs that provide the same functionality) and is recommended for improved security.
Further information about such security weaknesses of USB and similar devices is available on the Qubes website.
USB devices vs. SD cards
It was initially thought that SD cards had no firmware, such that they couldn't be infected with firmware malware. However, as pointed out on a webpage by Andrew "bunnie" Huang, SD cards do in fact have firmware, as well as embedded microcontrollers that run the firmware. Therefore, firmware malware can be present on SD cards, similar to how it can be present on certain USB devices. The webpage elaborates on these specific security risks.
SD card firmware is mostly a black box according to team Kosagi (in the video[3] linked to on the webpage), whereas USB device firmware specifications are generally more open and publicly available; this leads one to believe that, from a purely programming perspective, it is easier to create malware for USB firmware than it is for SD card firmware. Also, the team's presentation in the video[3] inclines one to think that hardware interfacing for the purpose of reprogramming firmware is much more difficult for SD cards than it is for USB devices. According to the team, it also appears harder to tamper with SD cards by sneakily adding or modifying hardware elements in them than it is for USB devices (see the same video[3]); the quite small size of SD cards, especially compared with USB devices, also supports such a conclusion. Because of these things, SD cards may generally have smaller attack surfaces in relation to both firmware reprogramming and hardware tampering. Therefore, it may be best to assume that, for higher security, if the alternative is USB storage, SD cards are to be preferred for peripheral-based storage and retrieval whenever no extra special security measures are in place.
However, because the USB device firmware specifications are more open and publicly available, and because it appears to be easier to interface with a USB device for the purposes of checking and/or reinstalling firmware, it could in fact be easier to detect malware in USB devices than it is to do the same in SD cards. Reinstalling USB device firmware is often possible but the same for SD cards is generally almost impossible. So if you have a special process in place for ensuring the integrity of USB device firmware in the ways just touched upon, it may actually be more secure to use USB devices than to use SD cards.
Flash memory: NOR flash vs NAND flash
There appears to be some evidence that using NOR flash memory for storage (rather than the more common NAND flash) on USB and other devices, might offer a security advantage, most likely due to issues related to NOR flash apparently being better able to store and retain values in each of its cells. In contrast, NAND flash employs error correction algorithms because values are not so well stored in NAND flash cells (more of a probabilistic approach is taken). However, NOR flash appears to be mostly earmarked for things like BIOS ROM rather than general storage (and also rather than mass storage).
NAND flash memory vs magnetic storage
Because in comparison to magnetic storage:
🄰🄽🄳 because adversaries can exploit these things, it would seem that magnetic storage (such as the use of a HDD) is more secure than NAND flash (NAND flash is commonly used in memory sticks, SD cards, and SSDs).
Magnetic storage: tapes vs. discs
Because it seems that objectively, random-access memory (RAM) has a greater attack surface in comparison to sequential access memory (SAM), it would seem that magnetic tapes are more secure than magnetic discs (magnetic discs are used in HDDs).
Rewritable media vs optical ROM discs
"Write once" optical media is more secure than rewritable media because it narrows the attack window (and so also reduces attack surface) by generally significantly shrinking the window of time in which malware can be written to the media. It should be noted that if malware has already infected the firmware of an optical disc writer, then even though you configure disc writing to be 'write once', the ROM malware may cause the writer to set the disc to be 'write many' instead. From this perspective, it is better to use only optical discs that physically cannot be rewritten, to write such media so that excess space is "blanked out", and to visually inspect written discs just after writing to make sure that the excess space has indeed been blanked out; all of these things are important safeguards against attack vectors that specifically rely upon being able to make further writes to the disc.
Optical ROM discs are also potentially more helpful than rewritable media in relation to post security checking. Malware in the ROMs of memory sticks and SD cards can mostly use the storage capacities of such devices unencumbered, whilst also being able to eliminate all traces of malware from the devices any time the ROM is run. However, the window of time in which this can happen for optical ROM discs is, as mentioned in the previous paragraph, mostly narrowed. By using write-once media, and taking the precautionary measures outlined in the last paragraph, the optical disc contents are frozen. If the frozen contents contain evidence of malware, that evidence cannot be clandestinely destroyed through your computer system once the disc's contents are frozen. This means post analysis, even post analysis one year later, can potentially detect any malware that was on the disc, possibly leading to the identification of points of weakness in your security that are connected to the use of that particular optical disc. The same is not necessarily true with rewritable media because no such freezing takes place.
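A software complement to the visual check and later post analysis described above, as an added example that is not part of the original page: record a SHA-256 of the disc's ISO 9660 volume right after burning, then on any later read-back confirm that the volume is unchanged and that everything past its end is still zero-filled. It assumes a single ISO 9660 volume padded with zeros and read back as a raw image; the function names and the sample image are constructed for illustration, and since the read passes through the drive's firmware it does not replace the visual inspection.

```python
import hashlib
import struct

SECTOR = 2048               # ISO 9660 logical sector size
PVD_OFFSET = 16 * SECTOR    # the Primary Volume Descriptor sits in sector 16


def volume_length(image):
    """Byte length of the ISO 9660 volume, as declared in its PVD."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor in sector 16")
    # Both fields are stored little-endian then big-endian; copies must agree.
    blocks = struct.unpack_from("<I", pvd, 80)[0]
    bsize = struct.unpack_from("<H", pvd, 128)[0]
    if (blocks != struct.unpack_from(">I", pvd, 84)[0]
            or bsize != struct.unpack_from(">H", pvd, 130)[0]):
        raise ValueError("both-endian fields in the PVD disagree")
    return blocks * bsize


def volume_digest(image):
    """SHA-256 of the volume area; record this right after burning."""
    return hashlib.sha256(image[:volume_length(image)]).hexdigest()


def audit_readback(image, recorded_digest):
    """Check a later read-back: volume unchanged, excess space still zero."""
    end = volume_length(image)
    if end > len(image):
        raise ValueError("image is shorter than the volume it declares")
    dirty = image[end:].lstrip(b"\0")   # empty if the excess space is blank
    return {
        "content_matches": volume_digest(image) == recorded_digest,
        "excess_blank": not dirty,
        "first_nonzero_offset": len(image) - len(dirty) if dirty else None,
    }


def make_sample_image(volume_sectors=18, total_sectors=24):
    """Constructed sample: a minimal image with a valid PVD and zero padding."""
    img = bytearray(total_sectors * SECTOR)
    img[PVD_OFFSET:PVD_OFFSET + 7] = b"\x01CD001\x01"
    struct.pack_into("<I", img, PVD_OFFSET + 80, volume_sectors)
    struct.pack_into(">I", img, PVD_OFFSET + 84, volume_sectors)
    struct.pack_into("<H", img, PVD_OFFSET + 128, SECTOR)
    struct.pack_into(">H", img, PVD_OFFSET + 130, SECTOR)
    img[17 * SECTOR:17 * SECTOR + 5] = b"hello"   # stand-in for file data
    return bytes(img)
```

A non-zero `first_nonzero_offset` points at the first byte written into space that should have stayed blank, which is where a later analysis would start looking.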
SD cards and USB memory sticks vs. larger devices
Firmware integrity for larger devices is probably easier to establish because:
- larger device products (such as HDDs and DVD drives) tend to be kept for longer with fewer units tending to be used per user, when compared with SD cards and memory sticks, which means that not so many firmware checks overall need to be made.
- their relatively high price inclines one to believe that it is easier to ensure firmware integrity (because of increased support, better written firmware code, etc.)
- reinstalling and checking the firmware is likely much easier than it is with SD cards that are constrained due to their small form factors, and perhaps also when compared with memory sticks.
Drives able to eject hardware-less media vs. other media
Drives capable of ejecting hardware-less media (such as optical disc drives, tape drives and floppy disk drives) may have special advantages with respect to hardware and firmware tampering, due to users only needing to "keep their eyes" on one unit regardless of how many hardware-less media (such as tapes and discs) are used. This is not true for memory sticks and SD cards because these media are essentially hardware incapable of ejecting hardware-less media; in fact, the concept of ejecting media from them doesn't apply. It is also not true for hard disk drives, since the discs in such drives cannot be swapped out for other discs.
More about SD cards
Team Kosagi, in the video[3] mentioned earlier, specifically names the manufacturer SanDisk as possibly creating more secure SD cards when compared to the SD cards of other brands. Their reasoning is that extra security is achieved through SanDisk's creation of SD cards having firmware that is not so reprogrammable (or even reprogrammable at all), due to SanDisk having higher involvement in the production process. Incidentally, SD cards can often be used for storing downloads made through mobile devices.
How to obtain computer media devices
It seems like a good idea always to use media devices that were bought from trusted shop sources, and in such ways that no significant risks of MITM (man-in-the-middle) compromises were encountered in the acquisition of the items. It might be preferable to buy such things from large shops, where you can choose any one device at random from a large selection of identical products on the physical shelves (this is the security principle outlined later on in the section entitled "User randomly selecting unit from off physical shelves").
Secure data sanitisation
The NCSC (National Cyber Security Centre) publishes information on secure data sanitisation (rendering data unrecoverable) of USB storage devices and SD cards, as well as of other storage media and drives. Note that conventional data erasure may not work with storage devices (such as SD cards, USB memory sticks, external hard drives, etc.) because of the possible presence of malware in the microcontroller firmware of such devices, especially when the related microcontroller is also embedded in the device. In light of this, it may be necessary to physically destroy such devices to ensure better data sanitisation[4].
Footnotes
- [1] USB devices that have embedded microcontrollers for running firmware on the devices are probably unlikely to have and use option ROMs (instead, for such devices, another kind of ROM is more likely to be contained in the USB device).
- [2] It appears that this likely does not apply to USB memory sticks and SD cards since they don't appear to use option ROMs (instead, they appear to use another kind of ROM).
- [3] https://youtu.be/r3GDPwIuRKI
- [4] Andrew "bunnie" Huang recommends such destruction for those "... in high-risk, high-sensitivity situations ...".