Goto ---> http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
If the SD card has firmware, it would be vulnerable to manipulation by a skilled hacker.
Hope the link answer your question.
Topic: Are SD Cards Subject to Vulnerability Similar to USB? (Read 5036 times)
Yea.. I posted the article.
Goto ---> http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
If the SD card has firmware, it would be vulnerable to manipulation by a skilled hacker.
Hope the link answer your question.
Goto ---> http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
If the SD card has firmware, it would be vulnerable to manipulation by a skilled hacker.
Hope the link answer your question.
SD card too
1. i think malware can infect firmware and keep wallet.dat files
2. how about archive & encrypt wallet with RSA-4096 & very difficult password
i think it's impossible avoid airgap from anyone
1. i think malware can infect firmware and keep wallet.dat files
2. how about archive & encrypt wallet with RSA-4096 & very difficult password
Thanks everyone, I think you've answered my question and given me some ideas. I like the airgap idea... I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. It could easily be put in send-only mode so that the transaction could be sent, but nothing returned to the offline computer.
don't forget this: http://www.welivesecurity.com/2014/01/15/secret-radio-technology-allowed-nsa-to-spy-on-pcs-disconnected-from-the-internet/i think it's impossible avoid airgap from anyone
I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers.
Back in the good ol' Trash80 & TI 99/4A days, storage was done not on USB, nor HDD, nor even floppy. We used FSK (frequency shift keying) to encode our ones and zeros as audio tones, and stored it on analog cassette. And we _liked_ it.
No reason you couldn't use FSK across the speaker/mic interface.
Now get off my lawn! Damn juvenile delinquents....
I'll have to look into that. I think I'll sit here on the corner of your lawn for now.
I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers.
Back in the good ol' Trash80 & TI 99/4A days, storage was done not on USB, nor HDD, nor even floppy. We used FSK (frequency shift keying) to encode our ones and zeros as audio tones, and stored it on analog cassette. And we _liked_ it.
No reason you couldn't use FSK across the speaker/mic interface.
Now get off my lawn! Damn juvenile delinquents....
Thanks everyone, I think you've answered my question and given me some ideas. I like the airgap idea... I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. It could easily be put in send-only mode so that the transaction could be sent, but nothing returned to the offline computer.
don't forget this: http://www.welivesecurity.com/2014/01/15/secret-radio-technology-allowed-nsa-to-spy-on-pcs-disconnected-from-the-internet/
Thanks everyone, I think you've answered my question and given me some ideas. I like the airgap idea... I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. It could easily be put in send-only mode so that the transaction could be sent, but nothing returned to the offline computer.
The vulnerability is within the firmware which SD cards also have so yes.
Are SD Cards Subject to Vulnerability Similar to USB?
SD cards have firmware, so theoretically, yes.EDIT: If so can you suggest a good option for moving transactions between online and offline wallets without using paper?
- CD-RW - the disc itself is just data. As long as you don't have AutoRun enabled and don't execute anything manually, it will be a purely data transfer, which is totally safe.
- Audio modem-style communication, e.g. http://www.reddit.com/r/Bitcoin/comments/2ceklk/audio_modem_python_library_for_airgapped/ - the only thing that goes over the audio cable or speakers/mic is the data; as long as the software is legit (and you can inspect the source code to ensure this), it will transfer the data securely.
I would not worry too much about it. As long as you don't keep using your USB key in strange computers, you should be relatively safe. Any attack that gets your off-line keys would likely have to be targeted at your specific set-up anyway.
Is there a problem with using paper? I have both a paper and electronic copy of all of my (Bitcoin) keys.
Is there a problem with using paper? I have both a paper and electronic copy of all of my (Bitcoin) keys.
I plan to use paper backups, but I want an easier way to move transactions. Printing out a paper wallet every time I want to move Bitcoins to my online wallet sounds like a hassle, especially since my computer can't scan a QR code easily.
I would not worry too much about it. As long as you don't keep using your USB key in strange computers, you should be relatively safe. Any attack that gets your off-line keys would likely have to be targeted at your specific set-up anyway.
Is there a problem with using paper? I have both a paper and electronic copy of all of my (Bitcoin) keys.
Is there a problem with using paper? I have both a paper and electronic copy of all of my (Bitcoin) keys.
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
- You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
- You might try using these: http://www.amazon.com/64MB-Pen-Drive-Flash-Memory/dp/B0014CA7VU
Customer reviews say that they will only hold data for about a week, then they need to be reformatted. Any malware would lose random bits and quit working. They are old enough that the firmware is certainly okay and not subject to the firmware exploit. - Buy a microcontroller, dig up some ancient wire-wrap tools and build your own USB device. Add a button that clears everything.
- Link a serial cable (RS-232, DF9 connector) between the two computers. Configure your isolated computer for send only. This is such a low tech solution, that I wouldn't worry about malware. For extra paranoia, you could even cut the receive line and configure for asynchronous communication making it physically impossible to send data back to your safe/isolated computer
- Go to the local ewaste recycling center and find an old floppy disk drive. Most motherboards still have the connector for this legacy item. Set your file explorer to see hidden & system files. This method still allows stuff to get through, but it would be totally visible and obvious. You could also use ZIP drives.
- Burn to a write-once CD drive. Transport data, throw it away (or destroy).
- Convert the private key to audio cassette tape by reading it out loud. Now you can use one of those cassette drive to USB converters to put the audio file on a USB device. The USB never needs to touch your isolated computer.
- I am sure the community can add some more ideas
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi?
I would just program the Raspberry Pi to clear all contents after each use. Setting up the USB to act as a serial receive only device would require reprogramming the USB interface hardware which would be way to much work.
The problem with that is that I am using the Rasperry Pi as my wallet. Clearing it each time would pretty much defeat the purpose. Unless you mean clearing the SD card, but that wouldn't work if malware is hiding in the firmware.
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
- You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
- You might try using these: http://www.amazon.com/64MB-Pen-Drive-Flash-Memory/dp/B0014CA7VU
Customer reviews say that they will only hold data for about a week, then they need to be reformatted. Any malware would lose random bits and quit working. They are old enough that the firmware is certainly okay and not subject to the firmware exploit. - Buy a microcontroller, dig up some ancient wire-wrap tools and build your own USB device. Add a button that clears everything.
- Link a serial cable (RS-232, DF9 connector) between the two computers. Configure your isolated computer for send only. This is such a low tech solution, that I wouldn't worry about malware. For extra paranoia, you could even cut the receive line and configure for asynchronous communication making it physically impossible to send data back to your safe/isolated computer
- Go to the local ewaste recycling center and find an old floppy disk drive. Most motherboards still have the connector for this legacy item. Set your file explorer to see hidden & system files. This method still allows stuff to get through, but it would be totally visible and obvious. You could also use ZIP drives.
- Burn to a write-once CD drive. Transport data, throw it away (or destroy).
- Convert the private key to audio cassette tape by reading it out loud. Now you can use one of those cassette drive to USB converters to put the audio file on a USB device. The USB never needs to touch your isolated computer.
- I am sure the community can add some more ideas
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi?
I would just program the Raspberry Pi to clear all contents after each use. Setting up the USB to act as a serial receive only device would require reprogramming the USB interface hardware which would be way to much work.
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
- You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
- You might try using these: http://www.amazon.com/64MB-Pen-Drive-Flash-Memory/dp/B0014CA7VU
Customer reviews say that they will only hold data for about a week, then they need to be reformatted. Any malware would lose random bits and quit working. They are old enough that the firmware is certainly okay and not subject to the firmware exploit. - Buy a microcontroller, dig up some ancient wire-wrap tools and build your own USB device. Add a button that clears everything.
- Link a serial cable (RS-232, DF9 connector) between the two computers. Configure your isolated computer for send only. This is such a low tech solution, that I wouldn't worry about malware. For extra paranoia, you could even cut the receive line and configure for asynchronous communication making it physically impossible to send data back to your safe/isolated computer
- Go to the local ewaste recycling center and find an old floppy disk drive. Most motherboards still have the connector for this legacy item. Set your file explorer to see hidden & system files. This method still allows stuff to get through, but it would be totally visible and obvious. You could also use ZIP drives.
- Burn to a write-once CD drive. Transport data, throw it away (or destroy).
- Convert the private key to audio cassette tape by reading it out loud. Now you can use one of those cassette drive to USB converters to put the audio file on a USB device. The USB never needs to touch your isolated computer.
- I am sure the community can add some more ideas
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi?
http://www.mirror.co.uk/news/world-news/vladimir-putin-accused-spying-world-2653508
now imagine what kind of tech US has....
you still need a secured wallet with passwords etc...
pretty soon we'll find out that google glass is capable of stealing your paper wallets if you're wearing them.
now imagine what kind of tech US has....
you still need a secured wallet with passwords etc...
pretty soon we'll find out that google glass is capable of stealing your paper wallets if you're wearing them.
I was wrong about the iPad, but I really hope I am right about Google Glass not catching on...
USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them.
if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago???
the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing
I've always used online wallets, but I am planning to move to an offline, Rasperry Pi based, wallet.
http://www.mirror.co.uk/news/world-news/vladimir-putin-accused-spying-world-2653508
now imagine what kind of tech US has....
you still need a secured wallet with passwords etc...
pretty soon we'll find out that google glass is capable of stealing your paper wallets if you're wearing them.
now imagine what kind of tech US has....
you still need a secured wallet with passwords etc...
pretty soon we'll find out that google glass is capable of stealing your paper wallets if you're wearing them.
Similar attacks have been demonstrated with SD card and hard disk firmware as well. However, USB is scary in that the device can masquerade as any other USB device: such as a keyboard that roots your machine with shell commands.
If it was not for the CPRM with device revocation, I would say SD cards are the perfect floppy replacement.
If security is important, I suggest CD-Rs. Note: most CD drives operate above the maximum storage temperature of the disk (about 35°C)
sometimes they have malware from the factory.
Edit: I was talking about the drive firmware as well.
If it was not for the CPRM with device revocation, I would say SD cards are the perfect floppy replacement.
If security is important, I suggest CD-Rs. Note: most CD drives operate above the maximum storage temperature of the disk (about 35°C)
Quote
You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
sometimes they have malware from the factory.
Edit: I was talking about the drive firmware as well.
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
- You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
- You might try using these: http://www.amazon.com/64MB-Pen-Drive-Flash-Memory/dp/B0014CA7VU
Customer reviews say that they will only hold data for about a week, then they need to be reformatted. Any malware would lose random bits and quit working. They are old enough that the firmware is certainly okay and not subject to the firmware exploit. - Buy a microcontroller, dig up some ancient wire-wrap tools and build your own USB device. Add a button that clears everything.
- Link a serial cable (RS-232, DF9 connector) between the two computers. Configure your isolated computer for send only. This is such a low tech solution, that I wouldn't worry about malware. For extra paranoia, you could even cut the receive line and configure for asynchronous communication making it physically impossible to send data back to your safe/isolated computer
- Go to the local ewaste recycling center and find an old floppy disk drive. Most motherboards still have the connector for this legacy item. Set your file explorer to see hidden & system files. This method still allows stuff to get through, but it would be totally visible and obvious. You could also use ZIP drives.
- Burn to a write-once CD drive. Transport data, throw it away (or destroy).
- Convert the private key to audio cassette tape by reading it out loud. Now you can use one of those cassette drive to USB converters to put the audio file on a USB device. The USB never needs to touch your isolated computer.
- I am sure the community can add some more ideas
USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them.
if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago???
the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing
Someone get the floppies.
USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them.
if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago???
the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing
The articles say viruses reside in the FIRMWARE of the USB (stick, mouse, keyboard, etc) 
None mention SD cards.
CanaryInTheMine: How do u know SD cards have the same problem?
links:
http://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/
http://www.wired.com/2014/07/usb-security/
None mention SD cards.
CanaryInTheMine: How do u know SD cards have the same problem?
links:
http://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/
http://www.wired.com/2014/07/usb-security/
Jump to: