Can flash memory cards spread malicious code? Yes they can, and a lot of people fail to scan them for viruses and other malware. Malicious software spread via removable storage remains a serious problem for companies and consumers, even though it’s an infection vector as old as Elk Cloner, a computer virus seen on early Apple computers in 1982. Like most viruses in the eighties, Elk Cloner spread via diskettes, those flexible pieces of magnetic storage which now seem like artifacts of ancient history. In recent years, the USB flash drive, that ubiquitous high-capacity successor to the floppy disk, has gained notoriety as a means of spreading computer viruses and Trojan code, not to mention a handy way to exfiltrate data. Back in 2012 I wrote about the careless use of unecrypted USB drives and their role in malware infection.
But what about memory cards, those tiny slices of removable, flash memory storage that show up as a drive on your computer but are not USB (unless you attach them via a USB flash card reader)? I sometimes see these cards being overlooked when organizations talk about their anti-malware and data loss prevention programs. For example, a security policy might state “all USB ports must be monitored for malware”, but it may not mention memory card reader slots, even though these normally have drive letters assigned to them when media is inserted.
Recently, I observed a corporate-wide data encryption program rolled out with the intent of forcing encryption on “all removable media” in the company. However, the policies somehow failed to address card slots on laptops and the cards that so easily slip in and out of them.
Yet these increasingly tiny pieces of storage — like SD cards that can pack tens of gigabytes of data into something that could fit under a postage stamp — are widely deployed, notably in that other emerging attack surface: mobile devices, like tablets and smartphones. While Stuxnet may be to blame for a lot of the notoriety of USB flash drives, both USB and slot-based storage media has done damage in a wide range of countries and industries, beyond the infamous impairing of enrichment centrifuges in Iran. A quick Google of the phrase data breach flash drive turns up plenty of hits.
As for flash drive malware distribution, consider this photo-sharing scenario: a friend has taken a bunch of pictures of a group activity and you would like copies. No problem, says your friend as he opens his camera and pulls out an SD card. You insert it into your tablet and copy the photo files. If the antivirus program on your tablet — you do have AV on your tablet, right? — is not properly configured, it will not scan the card when you insert it, and may not scan the files as you copy them. So you may not realize that your friend’s card was carrying a virus, possibly from his infected laptop. Now your tablet is an infectious malware delivery system:
1. If you connect your infected tablet to a network that is not scanning endpoints, you may infect that network.
2. If you put another SD card into your tablet while the tablet is still infected, that card could be infected and you could share it with someone, infecting them.
These things can and do happen, with both SD cards and USB flash drives. Here’s a link to a report that includes a good case study on how sharing conference presentation files on flash storage infected over 100 hosts on the enterprise network of someone in the U.S. nuclear power industry: ICS-CERT Incident Summary Report, June 28, 2012 (PDF file).
Fortunately, the spread of malicious code via flash memory cards can be blocked if you combine endpoint protection strategies like this:
- On Windows devices disable Autorun and Autoplay (see Solution B in this Knowledgebase article).
- Turn on automatic scanning of removable media in your AV software.
- Run good AV software on mobile devices.
- Block access to media reader slots using device controls in your security software (do this for systems that operate in untrusted environments).
- Require encryption of all media cards used on your systems (here’s one product for that).
- Install antivirus software on removable flash storage that is used in untrusted environments (here’s an example).
- Regularly run scans for malware on your servers to make sure nothing has slipped past your endpoint protection and you are not serving up malicious code.
- Consider gateway protection for all HTTP and FTP connections in and out of your network (see the diagram on this page).
Hopefully, these tips will help you close any holes in your digital defenses that flash memory cards have created. Remember, it’s not just USB flash drives you have to worry about. I’m just as guilty as the next security expert when it comes to talking about the threat from flash drives as though USB ports were the only flash-storage infection vector. Those tiny flash cards also need watching, as do those media reader slots.
Author Stephen Cobb, ESET