Many single board computers and mobile devices use microSD media as their primary data storage. However, microSD media is also used in cameras, security systems, and other small devices that handle large quantities of data. The security of this media format is often overlooked.
In this post, we’ll look at some history around the topic of microSD security and its implications. I’ll also be covering some basic concepts of securing microSD media.
MicroSD media is an extremely small form factor data storage device. It measures 15×11×1 mm, which makes it suitable for use in most mobile devices. It was first introduced in 2005 and is projected to remain on the market well into 2022, largely because of the introduction of IoT and smart systems (references 1 and 2).
Because of its small size and low cost, physical security is a challenge. The media is prone to disposal without regard to security. Used media is often resold on the market, which potentially makes the data stored on it accessible to third parties. The devices that use microSD media are also a challenge to secure. Cell phones are one example, and losses and thefts of these devices number in the millions per year (reference 3).
A proven method of physically securing any media is to physically destroy it. MicroSD media can be easily destroyed by cutting the card with household nail cutters. However, this is often overlooked because the storage media is mistakenly seen as part of the larger device that contains it, which is disposed of without regard to security.
In the event of loss or theft, physical destruction is not practical, mainly because the storage is intended to remain in continued use. To prevent access, data encryption should be used, which makes it less likely that a third party can access the contents of the microSD media. Unfortunately, most users will not have the technical knowledge to enable encryption and will typically use a device's default settings.
To compound matters, some devices will not work with encrypted media, such as data loggers, GPS modules, or embedded DVRs. Even the RPi doesn’t seem to provide a streamlined one-stop shop when it comes to full media encryption (reference 4). However, in defense of the RPi, the underlying Linux OS does offer user folder encryption, which is better than nothing.
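Before a card is resold, reused or handed on, it is worth checking what a third party would actually see on it. The following is an added example, not part of the original post: a Python sketch that scans a raw card image for a LUKS header and counts chunks that are empty, readable or random-looking. The chunk size, the entropy threshold and the sample images are assumptions constructed for illustration.

```python
import math
import os

LUKS_MAGIC = b"LUKS\xba\xbe"  # first bytes of a LUKS1/LUKS2 header

def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def audit_image(image: bytes, chunk: int = 4096, threshold: float = 7.0) -> dict:
    """Count chunks of a raw card image that are empty, readable or random-looking."""
    report = {"luks_header": image.startswith(LUKS_MAGIC),
              "empty": 0, "readable": 0, "random_looking": 0}
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        if block.count(0) == len(block) or block.count(0xFF) == len(block):
            report["empty"] += 1       # never written, or erased flash
        elif shannon_entropy(block) >= threshold:
            # Ciphertext lands here, but so do JPEG and video, so a high
            # count alone does not prove the card is encrypted.
            report["random_looking"] += 1
        else:
            report["readable"] += 1    # low entropy: text, tables, metadata
    return report

def constructed_samples():
    """Two constructed images: a plaintext data-logger card and a LUKS-style one."""
    log = (b"2021-01-01 00:00:01 lat=0.0000 lon=0.0000 speed=12\n" * 200)[:8192]
    plain = bytes(4096) + log + bytes(4096)
    header = LUKS_MAGIC + bytes(4096 - len(LUKS_MAGIC))  # stand-in header chunk
    encrypted = header + os.urandom(3 * 4096)            # stand-in ciphertext
    return plain, encrypted

if __name__ == "__main__":
    for name, image in zip(("plain", "encrypted"), constructed_samples()):
        print(name, audit_image(image))
```

On a real encrypted volume the header region is structured metadata and is counted as readable, so what matters is whether readable chunks appear beyond it. Any readable chunk in the data area means plaintext is recoverable from the card.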
Even what appears to be encryption of the microSD media may in fact not be. The hardware inside a microSD card comprises many microscopically etched devices, notably a microcontroller. This sub-device hardware introduces an unseen security risk that will simply baffle the general public (reference 5). Here is a link to a presentation on the subject.
MicroSD media is not immune to the ease with which data duplication can occur. Momentary unauthorized physical access to a microSD card can go undetected. Devices that replicate the data are inexpensive and provide a way to make a copy of the microSD media in the field. These procedures are typically used for legal purposes, such as preserving evidence for court proceedings. The same is true for research, as in the recent paper published on microSD media security (reference 6).
The bottom line is that data contained on microSD media is insecure and will remain so until that media is physically destroyed.