Security practice for possible compromised storage devices

So I’ve recently found a 512GB SD card outside my front door, not quite the lottery but hey.

I’m reasonably confident that I’d lost one recently so I think I might have dropped it going in/out of the house. However I’m also cautious about plugging in a potentially rogue device into my computer in case it is not one of mine.
It’s highly unlikely I’m being directly targeted and I don’t imagine an attacker would use a larger and more expensive SD card, though I know that this can easily be spoofed (looking at eBay and Amazon…).

I’d like to reclaim the device and ensure that it is ‘clean’ but I’m not sure of best practice in this instance (best practice after dispose of the device specifically*).
I’m thinking the best way is getting a USB booting into Tails OS on an old laptop I don’t use anymore, run ClamTk/AV on it, and then purging the drive so the whole thing is reset to 0’s (not sure on the correct term for this). Then repeating with the Tails USB device.
Would anyone suggest a different way of ensuring it is clean other than disposing of the device?

1 Like

Carefully place it into a drawer then go buy a new clean card for $40. You’ve retained the suspect card and kept your systems clean.

You don’t remember what the card you lost looked like? If it’s the same model it’s yours, if it isn’t it’s not.

If you have to think about it beyond that the sane answer is tossing the card and getting another one, not doing all this work to get a cheap SD card you still aren’t going to trust.

1 Like
  1. You do not know if the card even follows the SD spec. I got a counterfeit from Amazon (sold by a third party). The thing fried the first card reader I put it into. It got really hot. (And it was intended to be put into my $3,000 camera.)
    • Put a cheapo/sacrificial USB SD card reader between the card and your computer. For extra assurance, put a cheapo powered USB hub between that and your computer too.
  2. You do not know if there is malicious code. For example, I got an unwiped SSD off eBay replete with its boot partition and OS. I’m actually glad I took the precaution to not plug it in before booting the system.
    • Always plug in suspect devices after booting and not before.

There’s always the off chance that some SD cards could still have malicious content that exploits vulnerabilities in one of the many parsers that will read the content as soon as you plug the card in (e.g., reading the partition table, determining the file system in the partitions, etc.). You can’t really defend against that other than not plugging the card in, or plugging it into a sacrificial device that’s air-gapped.

You can try to boot one of the more esoteric OSes like GNU/Hurd, BSDs and the like and plug it in. You still risk frying the computer but you get lesser chances of being infected with malware.

2 Likes

See the cheapskate in me doesn’t want to throw it out and I assumed there must have been a standard practice when dispose/destroy isn’t an option. If it’s unavoidable it’ll be what it’ll be, but was hoping there was a good method to save it. I must admit in my head they were still like $130 … It’s crazy how much the prices have dropped.

See that’s where I thought using Tails on an air-gapped old machine might fully protect from this, but I’m not sure realistically how much this would protect me.

Pull the internal drive of the old machine, then boot it up under Tails OS. Update the OS / ClamTk/AV. Disconnect from the internet (Wi-Fi / wired / Bluetooth / NFC, basically all the connections), then and only then would I dare plug in the rogue device to check it out. If it’s yours, great; if not, burn it. Literally, as in some sort of fire. This way it cannot spread its hate and discontent. Then on the laptop, if the device is OK, power down, reinsert the main drive, remove the Tails OS USB and you’re good to go. If it wasn’t, turn off the machine, pull out the Tails OS USB and burn it with the SD card. Reinstall the main drive and you’re ready for the next one.

The reason I’m having you pull the main drive is so nothing is written to and can hang out there as you test out the SD card! Also, burning the Tails USB if the SD card is infected is a precaution, as USB drives are cheap these days and you don’t want to risk an infection, so use the smallest capacity USB drive you can for this!

My $0.02 for what it’s worth!

1 Like

What about malicious code that tinkers with the BIOS or firmware? :grin:

2 Likes

boot any live USB in driveless machine
insert card
zero out with dd
move on with life

Linux targeted persistent threat malware holding a 0 day is rare, unless you’re being targeted by a nation state (you would know)

2 Likes
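
The dd step from the post above, written out as an added example (not part of any poster's reply). The function names and the target path are assumptions; the wipe refuses a mounted target and reads the whole thing back to confirm it is all zeros.

```shell
#!/bin/sh
# Added example: zero a suspect card and confirm that it reads back as zeros.
# The target path is an assumption: on the driveless live-USB machine it is the
# card's whole-device node as listed by lsblk, not one of its partitions.

# Size in bytes of a block device, or of a regular file (used for dry runs).
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Succeeds only if every byte of the target is 0x00.
# The kernel may answer from its cache right after a write, so for a read that
# comes from the card itself, eject and re-insert it and run this again.
verify_zero() {
    size=$(target_size "$1") || return 2
    nonzero=$(head -c "$size" "$1" | tr -d '\000' | wc -c)
    [ "$nonzero" -eq 0 ]
}

# Overwrite the whole target with zeros, flush to the medium, then verify.
wipe_and_verify() {
    target=$1
    [ -e "$target" ] || return 2
    size=$(target_size "$target") || return 2
    # Never write under a mounted file system (automounters grab cards fast).
    if grep -q "^$target" /proc/mounts 2>/dev/null; then
        echo "refusing: $target or one of its partitions is mounted" >&2
        return 3
    fi
    # Feed dd exactly $size zero bytes so it stops cleanly at the end of the
    # device; notrunc keeps an image file's length, fsync forces the write out.
    head -c "$size" /dev/zero |
        dd of="$target" bs=1M conv=notrunc,fsync 2>/dev/null || return 4
    verify_zero "$target"
}

# Usage (as root on the live system): wipe_and_verify /dev/<card-device>
```

An all-zero read-back confirms the wipe but cannot reveal a card that reports more capacity than it really has; that needs a write-and-read-back test with non-repeating data.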

Well that’s why you’re using an outdated / non production / not in use machine!

Never check an unknown device on a device that you cannot afford to throw out after it gets compromised!

Edit: Those 10 year old laptops on eBay are looking better and better every day as a system to use for checking out shit like this for $50.00!!! Eh?

1 Like

You can just plug it in. The chances of something going wrong are so incredibly low that I wouldn’t worry about it.

See that was the kind of thing I was thinking about and didn’t know if booting Tails OS would have remedied this. I know after the LTT hack more recently Luke ordered that the motherboard and some of the other components be removed/destroyed or something due to that risk.

I mean you’re probably right, but it’s more just the case of not deliberately introducing unnecessary risk without being 110% sure I know what I’m doing, which if I’m being perfectly honest I’d argue that I don’t.

How would an attack even work? It is impossible to know if Tails would help since I have never heard of a MicroSD card being an attack vector. The only thing it really could do is cause a short but chances are the slot is designed to handle a bad card. (shorting can be caused by lots of things)

Also, if someone was trying to attack you why would they use a MicroSD card? They likely would know that you would be skeptical so it wouldn’t be worth the effort. Chances are this is just a card you lost some time in the past. It wouldn’t make sense for a MicroSD card to just show up.

I mean my guess would be exactly the same as with a USB device, but I don’t know if that’s actually possible or not?

To be honest I feel like anyone who would be skeptical about a micro sd card would be just as skeptical about a USB device.

This is reasonably likely the case, I’m just a little apprehensive about plugging it in willy-nilly. I mean luckily I don’t keep any important data on SD cards so I’ve nothing important lost if I destroy it at least.

A USB device can appear as a keyboard or really anything. A MicroSD card is just storage.