Hacking Transcend WiFi SD Cards - vincentstorme
http://haxit.blogspot.com/2013/08/hacking-transcend-wifi-sd-cards.html

======
q3k
My experience with embedded systems allows me to be fairly certain that this
bugfest is due to an electronics engineer writing the software for the card.
Way too often small R&D teams, especially working on new products, have EE
people being assigned to part-time-embedded-programmer roles.

This is especially scary as some of these teams work on internet-facing pieces
of hardware - home routers/gateways, etc. One cool weekend project to have is
trying to get hold of an image of the firmware of your home router, run
binwalk on it, try to extract the filesystem, and count the number of remote
exploits you can spot in the CGI perl scripts (like they are, in 99% of the
cases) found there. Yet another reason to run OpenWRT ;).

~~~
jrockway
As someone who's written software for all his life, I'll posit that most
"software engineers" write code like this. People don't test corner cases;
they just shit out code, check that it works in the browser, and ship it.
That's why the regexes like /.PNG/ are in there: they work, but they don't
prevent the security problems they intend to prevent. If the engineer writing
the code had written unit tests that checked various filenames, he would have
discovered the bug immediately. If there were code reviews by someone who knew
even the tiniest bit of Perl, the `$user_controlled_command > file` bug would
be gone. If the programmer had run Perl with taint mode enabled, he would have
discovered this bug instantly.

I think it's a mental thing: most people writing code never think "how could
this go wrong", since they assume that they don't make mistakes. If you don't
have a healthy fear of the code you write, you're not going to test the corner
cases or not write complex features.

Ultimately, I'm not complaining, because buggy software is great in the
context of devices that try to prevent you from doing something with your own
property. I especially encourage people to write their system-level software
in C and use lots of strcpy calls. It ensures that I can root my phone even
though the carrier doesn't want me to.

~~~
femto
Another explanation is that there is no benefit to the manufacturer in writing
tighter code. Tighter code means more time spent on testing and review, but
probably wouldn't increase sales. From a bottom line point of view, the mantra
is get it working and ship it.

~~~
toble
Yep. Whenever you work in an industry that involves churning out software as
quickly as possible, it's easy to appreciate that commercial pressures are
often too great to test properly. Whereas with start-ups (for example),
they're usually well funded and have a strong focus on building great
software.

------
jtchang
This is awesome. A few years back I originally wrote an open source EyeFi
server in Python ([http://returnbooleantrue.blogspot.com/2009/04/eye-fi-standal...](http://returnbooleantrue.blogspot.com/2009/04/eye-fi-standalone-server-version-20.html)).
I could not actually hack into the card though and get root, which is what I
really wanted.

These memory cards are super fun and I've been meaning to pick another up to
give it another go.

~~~
q3k
We use your eyefi server at our local hackerspace (hackerspace.pl). I haven't
really touched the card myself (the setup was done by a fellow hacker), but
I'll probably take a look at it some day, if there is at least some vague
promise of RCE hidden somewhere.

Thank you for your great piece of software.

------
martey
> _After navigating the filesystem and downloading scripts, it is obvious, and
> not surprising, that this system is using busybox..._

Does anyone know whether Transcend provides source code [0] upon request? The
EULA in the user manual for the product [1] mentions that it might contain
"GPL Components", but I could not find any additional details.

[0]: [http://www.busybox.net/license.html](http://www.busybox.net/license.html)

[1]: [http://www.transcend-info.com/files/Manual/WiFiSD_Manual_v1....](http://www.transcend-info.com/files/Manual/WiFiSD_Manual_v1.4_EN.pdf)

~~~
raphman
There is a >50 MB "GPL download" on the Transcend website. So I guess they are
at least partially complying with it.

~~~
martey
Do you have a link? The only GPL-related download I could find was for their
RecoveRX data recovery software:
[http://www.transcend.de/products/RecoveRXTool/GPL.asp](http://www.transcend.de/products/RecoveRXTool/GPL.asp)

~~~
raphman
Sorry, here it is: [http://www.transcend-info.com/Support/DLCenter/dllogin.asp?L...](http://www.transcend-info.com/Support/DLCenter/dllogin.asp?Link=dlcenter|Driver|WiFiSD_GPL_release.zip)

------
ars
"Perl has a nice feature when opening a file with the open() library call,
because it not only opens files, but runs programs if the file path is not a
path, but a shell command ending in a pipe."

I thought only PHP did things like that :)

I hope this is disabled in mod_perl? Because if not I need to let someone know
they need to audit their code.

PS. I get how useful this is, and it's well documented, but this functionality
should be in the ancillary function (i.e. used when needed), not in the
default one.

~~~
username42
Perl has the three argument open that is safe. The issue is well known by perl
developers and well explained in the popular free book "Modern Perl".

~~~
eCa
And the three argument open has been in Perl since at least 5.6, which was
released 13 years ago. No reason to use anything else.
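
The unanchored `/.PNG/` check and the two-argument `open` criticised in jrockway's comment and in this sub-thread, next to the anchored check and three-argument `open` that avoid both problems. This is an added example, not code from the blog post or from anyone in the thread; the filenames are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not from the blog post or the thread). The sample names
# below are constructed; nothing here touches a real card's filesystem.
use strict;
use warnings;

# The thread's /.PNG/ check: '.' matches any character, nothing anchors the
# match to the end of the name, and it is case-sensitive. So "x.PNG/../y"
# and names that merely contain "PNG" pass, while "photo.png" fails.
sub looks_like_png_weak {
    my ($name) = @_;
    return $name =~ /.PNG/ ? 1 : 0;
}

# Anchored allow-list: exactly one path component of safe characters ending
# in .png (any case). Pipes, slashes, spaces and quotes cannot get through.
sub looks_like_png_strict {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9_-]+\.png\z/i ? 1 : 0;
}

# Three-argument open: the mode is its own argument, so $name can only ever
# be a path. A name ending in '|' is looked up as a file and simply fails,
# whereas two-argument open(FH, $name) would parse the '|' and start a
# command. Under perl -T, a tainted $name in the two-argument pipe form dies.
sub open_png_for_read {
    my ($name) = @_;
    return undef unless looks_like_png_strict($name);
    open(my $fh, '<', $name) or return undef;
    return $fh;
}

# Constructed names: only the first two should be accepted by the strict check.
my @names = ('photo.PNG', 'photo.png', 'x.PNG/../shadow', 'echo PNG |');
for my $n (@names) {
    printf "%-20s weak=%d strict=%d\n", "'$n'",
        looks_like_png_weak($n), looks_like_png_strict($n);
}
```

Expected: `photo.PNG` passes both checks, `photo.png` passes only the strict one, and the last two pass only the weak one, which is the gap the comments describe.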

------
jwildeboer
As pointed out over at
[http://www.mikrocontroller.net/topic/303547](http://www.mikrocontroller.net/topic/303547)

the most simple way of starting the fun:

Create a file called autorun.sh on the card, put

telnetd -l /bin/sh &

in that file and boom. telnet 192.168.11.254 and enjoy.

------
pplante
This was posted to /r/netsec too; the conversation there has more details
about the embedded system:
[http://www.reddit.com/r/netsec/comments/1k4zhz/i_rooted_my_t...](http://www.reddit.com/r/netsec/comments/1k4zhz/i_rooted_my_transcend_wifi_sd_card_and_wrote_a/)

~~~
gbl08ma
Googling the hardware name from /proc/cpuinfo, "KeyASIC Ka2000 EVM", I found
out that this isn't the first person to hack into these half-SD-half-WiFi
cards:
[http://colas.sebastien.free.fr/index.php/category/transcend-...](http://colas.sebastien.free.fr/index.php/category/transcend-sdhc-wifi/)
[http://blog.toshikatsu.tanimula.net/2013/03/aircard.html](http://blog.toshikatsu.tanimula.net/2013/03/aircard.html)
[http://lemoidului.wordpress.com/2013/02/11/linux-is-everywhe...](http://lemoidului.wordpress.com/2013/02/11/linux-is-everywhere-pqi-aircard-partie-i/) etc. etc.

I don't read French or Japanese but even the shell outputs are interesting
reads.

------
Tsagadai
Thanks for posting. I love articles like this which follow the thought
processes of someone trying to hack a device. Keep 'em coming!

~~~
voltagex_
I'm working on an article like this (but with less success at the end) for my
Blu Ray player. Email me if you want a preview!

------
lsiebert
This is cool. Unfortunate in some ways that it has an AR6003 wifi, since
ath6kl (the OS driver for the AR6003) doesn't have monitor or promiscuous mode
support yet which means no sniffing or injection.

Because if it did, it would be an interesting choice for pen testing. You
could recase it, and it's small enough that properly installed and configured,
it would be difficult to find. Processor is fast enough to get some cool
tricks going.

Of course, it's possible some clever kernel hacker will get those working on
the AR6003 at some point, which would open up this, as well as a bunch of
devices, to some cool uses.

~~~
Raphael
A pen testing pen.

------
seanp2k2
I love articles like this. Thanks for posting this; good hacks :)

In the same vein, though I can't find the video for it right now:
[http://www.khanfu.com/m/plain/29/event/1978](http://www.khanfu.com/m/plain/29/event/1978)
(this was also presented at Defcon 21)

------
madlag
It's very cool to be able to write remotely to an SD card when you have, for
example, a Makerbot 3D printer or any device with an SD card reader but no
wifi / ethernet connection: never plug the SD card in and out anymore!

------
ridruejo
What are the specs (CPU, RAM) for the card?

~~~
fernjager
According to the author's post in the Reddit thread, it has a 400MHz ARM9 with
30MB of RAM.

~~~
supergauntlet
That's actually pretty decent considering what it is.

Do you think you could run owncloud or something similar to use it as a sort
of wireless flash drive?

~~~
Ecio78
Or maybe it could be used as an ultra low energy bittorrent client: the CPU
should be fair enough (many routers/NAS use 800MHz-1GHz ARM CPUs and they offer
bittorrent and other clients), and even though this device is low on memory
(32MB RAM), it looks like the transmission client can use only 10MB of RAM:
[http://pastehtml.com/view/5tx16jw.html](http://pastehtml.com/view/5tx16jw.html)
so MAYBE it could work.

------
robinson-wall
Contrived, sure, but you could use these exploits to upload all files added to
the card somewhere, assuming it can find a wireless network to connect to.
Maybe even just keep a hidden copy on the part of the FS invisible to the host
system if there is enough free space.

"Oh sure I've got an SD card you can borrow..."

~~~
caf
You could do a lot of neat things - like make an SD card that automatically
GPG-encrypts every file that gets stored on it.

------
brador
How are these cards powered?

~~~
bluedino
A quick look at the pinout for the cards shows a 3.3v line, so it simply draws
power from the host device.

~~~
pdjstone
I wonder how long this thing would run off a pair of AA batteries?

------
motyard
Check [http://motyar.blogspot.in/2013/02/hacking-micromax-400r-mi-f...](http://motyar.blogspot.in/2013/02/hacking-micromax-400r-mi-fi.html)

------
theicfire
Excellent post. Thanks! Hopefully these will become dirt cheap (or, worth
hacking because they'll be cheaper than the electric imp).

------
Fuxy
That thing was put together in a hurry. I bet nobody even considered security
but that's the good news for us :)

------
draugadrotten
Thank you for the blog post. Very interesting and good lessons to learn in
there.

------
minor_nitwit
Is it possible to stream data to these cards?

------
caberus
A Kickstarter project with more powerful hardware and an easy-to-hack system
would be great.

~~~
brador
Wouldn't that just be a raspberry pi?

~~~
silasb
The point is to have a small device that would fit in an SD slot, and AFAIK the
Raspberry Pi can't be reduced to that size.

