A USB drive can operate fully within the USB spec, implementing a USB hub and USB keyboard, and enter malicious code.
The SD interface does not implement a similar spec, so this somewhat safer. The bad news most PC card readers are based on USB, so a targeted attack (which is probably in scope for Briar's customers) may still be possible - you could attack the firmware of the card reader, as described in [1] by Adam Caudill of BadUSB fame. Without breaking that firmware, however, you can't connect USB network->Card reader->USB hub, and you also probably can't connect SDIO/SPI network->SDIO-based-card-reader->USB hub.
There's also the possibility that the card itself can run untrusted code. Just like a USB drive, an SD card typically contains a small 8051 [2] or ARM [3] microcontroller. Running a compromised controller would give the attacker access to all the data that's ever sent to the SD card, but one would hope that Briar does not cache unencrypted data to the uSD card which the user is expected to write to an physically pass to a potential adversary.
Also, be aware of products like the Toshiba FlashAir Wifi SD card, which implement a wireless adapter in an SD card form factor. Replacing the label would be trivial, and it could broadcast or connect to a hidden wifi network without your knowledge. But again, one would hope that Briar does not cache unencrypted data to the SD card where it could, with one of these cards, be exfiltrated wirelessly. I think this capability is only available as an SD card or an obvious uSD-to-protruding-SD-card adapter form factor, not as a microSD card which would typically be used in a mobile device.
Of course, there's still the possibility that the host OS does something stupid, like autorun an executable on the external media...but that's more of a badly configured Windows PC problem, I expect that modern mobile devices do not do that.
The SD interface does not implement a similar spec, so this somewhat safer. The bad news most PC card readers are based on USB, so a targeted attack (which is probably in scope for Briar's customers) may still be possible - you could attack the firmware of the card reader, as described in [1] by Adam Caudill of BadUSB fame. Without breaking that firmware, however, you can't connect USB network->Card reader->USB hub, and you also probably can't connect SDIO/SPI network->SDIO-based-card-reader->USB hub.
There's also the possibility that the card itself can run untrusted code. Just like a USB drive, an SD card typically contains a small 8051 [2] or ARM [3] microcontroller. Running a compromised controller would give the attacker access to all the data that's ever sent to the SD card, but one would hope that Briar does not cache unencrypted data to the uSD card which the user is expected to write to an physically pass to a potential adversary.
Also, be aware of products like the Toshiba FlashAir Wifi SD card, which implement a wireless adapter in an SD card form factor. Replacing the label would be trivial, and it could broadcast or connect to a hidden wifi network without your knowledge. But again, one would hope that Briar does not cache unencrypted data to the SD card where it could, with one of these cards, be exfiltrated wirelessly. I think this capability is only available as an SD card or an obvious uSD-to-protruding-SD-card adapter form factor, not as a microSD card which would typically be used in a mobile device.
Of course, there's still the possibility that the host OS does something stupid, like autorun an executable on the external media...but that's more of a badly configured Windows PC problem, I expect that modern mobile devices do not do that.
[1] https://security.stackexchange.com/a/109595
[2] https://www.bunniestudios.com/blog/?p=3554
[3] https://www.bunniestudios.com/blog/?page_id=1022