It's a nasty problem if the firmware had been tampered. If they can do it to a USB then SD card firmware can be tampered also. How about the hardware based encrypted USB, will they have the same threat? There are some USB who have the encryption keyed to a chip which cannot be passed to a memory or never passed on the USB or system bus.