Stories
Slash Boxes
Comments

SoylentNews is people

Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security

posted by martyb on Tuesday August 22 2017, @06:41AM   Printer-friendly
from the Use-only-Official®-Authorized-Parts-and-Repair-Services dept.

Fnord666 writes:

People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device.

The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

The research, in a paper presented this week at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary." The factory-installed hardware that communicates with the drivers is similarly assumed to be trustworthy, as long as the manufacturer safeguards its supply chain. The security model breaks down as soon as a phone is serviced in a third-party repair shop, where there's no reliable way to certify replacement parts haven't been modified.

The researchers, from Ben-Gurion University of the Negev, wrote:

The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques. A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone's trust boundary, and design their defenses accordingly

Source: Ars Technica

Also covered at: Engadget.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security | Log In/Create an Account | Top | 25 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Bot on Tuesday August 22 2017, @07:22AM (4 children)

    by Bot (3902) on Tuesday August 22 2017, @07:22AM (#557424) Journal

    stop this paranoid thinking
    it makes no sense to hijack a phone through spare parts when you already control all the phone's parts.

    PS do you know I speak perfect Chinese? Well I don't.

    sent from my china produced hardware.

    --
    Account abandoned.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by FatPhil on Tuesday August 22 2017, @08:15AM (3 children)

    by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Tuesday August 22 2017, @08:15AM (#557433) Homepage
    It does seem a bit bizarre. but it's not impossible. However, mostly peripherals (such as the touchscreen) are sitting on a bus with very little else on them. Maybe gyro or accelerometer, or other low bandwidth device, but certainly not anything with high bandwidth requirements, such as any of the bunch of modems on your phone, so even if one of the devices was sniffing the bus, it's got no way of sending out that which it's sniffed. These evil replacement touchscreen controllers would need to include their own modem. That should be detected by increased power drain, and could also be picked up by FCC tests, as there are now unexpected emissions. The chips' interfaces aren't (or at least shouldn't be) capable of communicating to the chip whether they are in a phone or are on a test-rig, so they can't have Audi-like selective behaviour.

    Of course, once the data's off the bus and in the CPU, and being passed around the software stack (linux driver, linux event interface, X input layer, snoopable via Xtest), then that's another matter entirely, but that's not evil replacement hardware, that's sloppy or evil software which came with the phone anyway.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

    • (Score: 2) by Arik on Tuesday August 22 2017, @08:32AM

      by Arik (4543) on Tuesday August 22 2017, @08:32AM (#557436) Journal
      Actually his approach boils down to using the replacement touch screen to install an app. The routine can be stored in the screen so the screen doesn't need to communicate with anything other than the CPU. However obviously the attack would be closed if the app were to be detected and removed.

      As long as it's available in the store though, the screen can wait till the system is idle, then invisibly install the app. Their app uses a buffer exploit and at that point it's game over. The combination of the app and the screen have full control of the system, it's a keylogger and a rootkit and it can use the network anytime it wants.

      Seem to me like you could achieve the same effect by just installing the app while you have the phone though? Removing the app from the store wouldn't help those already infected but would turn any existing stock of screens into junk, as at minimum they would have to be reprogrammed to install a different app.

      I don't know, I'm mostly agreeing with the other guy, that there's no need for attackers who already have the phones thoroughly compromised to start trying to sneak in replacement screens. It's not a horrible idea it's just redundant.

      --
      If laughter is the best medicine, who are the best doctors?

    • (Score: 2) by TheRaven on Tuesday August 22 2017, @09:36AM (1 child)

      by TheRaven (270) on Tuesday August 22 2017, @09:36AM (#557446) Journal

      However, mostly peripherals (such as the touchscreen) are sitting on a bus with very little else on them.

      Not in a typical Android phone, they're all on the memory bus and are have complete DMA access to the whole of physical memory and to other devices control registers.

      --
      sudo mod me up

      • (Score: 2) by FatPhil on Tuesday August 22 2017, @12:56PM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Tuesday August 22 2017, @12:56PM (#557481) Homepage
        That's insane. I've only worked with touchscreen controllers that sit on buses like I2C/SPI, which are as complex as they need to be - utterly dumb - and as high bandwidth as they need to be - as slow as molasses in winter. Adding an external memory bus interface would probably more than double the size of the silicon (and I'm thinking doubling a multi-touch capacitive controller, which is way more complex than something like a simple resistive controller) and quintuple the number of pins on the die. What idiots thought any of that made sense? I guess I should be grateful they don't communicate over wifi.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves