Replacement parts can end up hacking into smartphones.
Replacement hardware such as touchscreens, NFC readers and wireless charging controllers can come with a chip that can control the device’s communication, said researchers from Ben-Gurion University of the Negev.
The whole setup, the researchers said, can easily fit into the device, making it practically impossible for the user to find a problem.
Even the person who repairs the device might not know anything about it, because the parts arrive already assembled.
“Hardware replacement is traditionally considered a strong attack model, under which almost any attack is possible,” said university researchers Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren in a paper on the subject.
“In contrast to ‘pluggable’ drivers, such as USB or network drivers, the component driver’s source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device’s main processor,” the researchers said.
Their research focused on the possibility of attacks that depend on only one “malicious” component with an extremely limited hardware interface.
They tested three different attacks, using an experimental setup based on a low-cost micro-controller embedded in-line with the touch controller communication bus.
In the first one, they managed to impersonate the user by injecting touch events into the communication bus. This allows, among other things, the installation of software and the modification of the device configuration.
In the second one, they demonstrated that an attacker can log touch events related to sensitive operations (lock screen patterns, credentials, passwords).
In the third attack, they proved that, by sending crafted data to the phone over the touch controller interface, an attacker can exploit vulnerabilities within the device driver and gain kernel execution capabilities.
They tested the attacks on a Huawei Nexus 6P smartphone and an LG G Pad 7.0 tablet, both running Android, but it’s likely they would also work against devices running iOS, they said.
The researchers said the threat of a malicious peripheral existing inside consumer electronics should not be taken lightly.
“A well-motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone’s trust boundary, and design their defenses accordingly.”
That means checking security along the replacement-part supply chain.
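
As an added illustration of placing a component outside the trust boundary (this is not code from the paper or from any real driver), the C example below parses a touch-controller report and rejects anything the hardware could not legitimately send. The report layout, the constants and all names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed report layout (an assumption, not a real controller's format):
 *   byte 0: contact count, then per contact: id, x (LE16), y (LE16). */
#define MAX_CONTACTS 10
#define CONTACT_SIZE 5
#define PANEL_W 1440   /* assumed panel size in pixels */
#define PANEL_H 2560

struct contact { uint8_t id; uint16_t x, y; };
struct touch_frame { uint8_t count; struct contact c[MAX_CONTACTS]; };

enum { TR_OK = 0, TR_SHORT = -1, TR_COUNT = -2, TR_LENGTH = -3,
       TR_ID = -4, TR_RANGE = -5 };

/* Validate every field the controller supplies before touching `out`;
 * a driver that trusts byte 0 as a loop bound would write past c[]. */
int parse_touch_report(const uint8_t *buf, size_t len, struct touch_frame *out)
{
    if (buf == NULL || out == NULL || len < 1)
        return TR_SHORT;
    uint8_t n = buf[0];
    if (n > MAX_CONTACTS)
        return TR_COUNT;
    if (len != 1 + (size_t)n * CONTACT_SIZE)
        return TR_LENGTH;

    struct touch_frame tmp = { .count = n };
    uint16_t seen = 0;                      /* bitmap of ids already used */
    for (uint8_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 1 + (size_t)i * CONTACT_SIZE;
        uint8_t id = p[0];
        uint16_t x = (uint16_t)(p[1] | (p[2] << 8));
        uint16_t y = (uint16_t)(p[3] | (p[4] << 8));
        if (id >= MAX_CONTACTS || (seen & (1u << id)))
            return TR_ID;
        if (x >= PANEL_W || y >= PANEL_H)
            return TR_RANGE;
        seen |= (uint16_t)(1u << id);
        tmp.c[i] = (struct contact){ id, x, y };
    }
    *out = tmp;                             /* commit only a fully valid frame */
    return TR_OK;
}
```

Field validation of this kind covers malformed reports such as those in the third attack; well-formed injected or logged touch events, as in the first two attacks, pass it unchanged.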