
posted by martyb on Tuesday August 22 2017, @06:41AM
from the Use-only-Official®-Authorized-Parts-and-Repair-Services dept.

People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device.

The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

The research, in a paper presented this week at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary." The factory-installed hardware that communicates with the drivers is similarly assumed to be trustworthy, as long as the manufacturer safeguards its supply chain. The security model breaks down as soon as a phone is serviced in a third-party repair shop, where there's no reliable way to certify replacement parts haven't been modified.

The researchers, from Ben-Gurion University of the Negev, wrote:

The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques. A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone's trust boundary, and design their defenses accordingly

Source: Ars Technica

Also covered at: Engadget.
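To make the trust-boundary point concrete, here is a toy model of the "chip-in-the-middle" replacement screen the story describes. It is an added illustration, not the researchers' code and not any phone's driver. A host driver polls a touch controller for reports (standing in for the real bus transactions); the malicious controller forwards the genuine panel's reports unchanged, keeps a copy, and after a few idle polls replays taps of its own. The screen geometry, the on-screen keyboard layout, the poll-based bus and the two "button" coordinates it taps are all assumptions made up for the example.

```python
"""Constructed simulation of a 'chip-in-the-middle' replacement touchscreen.

Not the researchers' code. A tiny host driver polls a touch controller for
reports (standing in for the I2C/SPI transactions a real driver performs).
A malicious controller inserted during repair sits between host and panel:
it forwards genuine reports unchanged, keeps a copy, and once the user has
been idle for a few polls it replays taps of its own. The host cannot tell
the two apart, which is the trust-boundary problem the paper describes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed screen geometry and on-screen keyboard layout (hypothetical:
# 1080x1920 portrait, three rows of keys at the bottom of the screen).
KB_TOP, KEY_W, KEY_H = 1200, 108, 150
ROWS = [("qwertyuiop", 0), ("asdfghjkl", 54), ("zxcvbnm", 162)]


@dataclass(frozen=True)
class TouchReport:
    x: int
    y: int


def key_at(x: int, y: int) -> Optional[str]:
    """Map a touch coordinate back to a key; None outside the keyboard.

    This is what the attacker does offline with the logged coordinates:
    the screen itself never needs to know anything about keys."""
    row = (y - KB_TOP) // KEY_H
    if not 0 <= row < len(ROWS):
        return None
    letters, offset = ROWS[row]
    col = (x - offset) // KEY_W
    return letters[col] if 0 <= col < len(letters) else None


def tap_for(letter: str) -> TouchReport:
    """Centre of a key on the assumed layout (used to build sample input)."""
    for row, (letters, offset) in enumerate(ROWS):
        if letter in letters:
            col = letters.index(letter)
            return TouchReport(offset + col * KEY_W + KEY_W // 2,
                               KB_TOP + row * KEY_H + KEY_H // 2)
    raise ValueError(letter)


class GenuinePanel:
    """The real digitizer: one report per poll, None when nobody is touching."""
    def __init__(self, reports: List[TouchReport]):
        self._q = list(reports)

    def read(self) -> Optional[TouchReport]:
        return self._q.pop(0) if self._q else None


class MaliciousController:
    """Sits between host and panel: pass-through plus logging and injection."""
    IDLE_POLLS = 3   # how long the user must be idle before injecting

    def __init__(self, panel: GenuinePanel, injected: List[TouchReport]):
        self._panel = panel
        self._inject = list(injected)
        self._idle = 0
        self.log: List[TouchReport] = []   # stored for later exfiltration

    def read(self) -> Optional[TouchReport]:
        real = self._panel.read()
        if real is not None:
            self._idle = 0
            self.log.append(real)          # record the user's tap
            return real                    # and forward it unchanged
        self._idle += 1
        if self._idle >= self.IDLE_POLLS and self._inject:
            return self._inject.pop(0)     # fabricate a tap the host will trust
        return None


class HostDriver:
    """The kernel/input side: every report is taken at face value."""
    def __init__(self, controller: MaliciousController):
        self._ctl = controller

    def poll(self, n: int) -> List[Tuple[int, int]]:
        taps = []
        for _ in range(n):
            r = self._ctl.read()
            if r is not None:
                taps.append((r.x, r.y))
        return taps


def run_demo() -> dict:
    """User types 'pin' and pauses; the screen then taps two buttons itself."""
    user = [tap_for(c) for c in "pin"]
    # Constructed coordinates for two hypothetical on-screen buttons.
    fake = [TouchReport(540, 1700), TouchReport(540, 1850)]
    screen = MaliciousController(GenuinePanel(user), fake)
    host = HostDriver(screen)
    seen = host.poll(10)
    typed = "".join(key_at(r.x, r.y) or "?" for r in screen.log)
    return {"host_saw": seen, "logged": len(screen.log), "typed": typed}


if __name__ == "__main__":
    print(run_demo())
```

Running it, the host's tap list contains the three genuine taps followed by the two fabricated ones, with nothing in the reports to separate them, while the controller's private log decodes to the text the user typed. Nothing on the controller side of the bus can be trusted to police this, because the same part produces both the real and the fake input; any check has to live on the host's side of the boundary, which is the paper's recommendation.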


  • (Score: -1, Offtopic) by Anonymous Coward on Tuesday August 22 2017, @06:50AM

    by Anonymous Coward on Tuesday August 22 2017, @06:50AM (#557416)

    Not to mention what it could do to your penis.

  • (Score: 0) by Anonymous Coward on Tuesday August 22 2017, @06:55AM

    by Anonymous Coward on Tuesday August 22 2017, @06:55AM (#557417)

    In other words, please stop repairing your phones. Use our official repair service or even better go buy a new phone (our repair service will cost just about as much anyways!). Just throw that old one away. It's no good. Why? Well because we're now selling a new one!

    Perhaps we should lobby the government to pass some laws to make repairing your own devices illegal. You know... for the protection of the people. We can call it The Digital Hardware Protection and Initiative Red White and Blue Team America FUCK YEAH Act for Consumer Freedom Choice and Freedom PATRIOT.

  • (Score: 3, Interesting) by bradley13 on Tuesday August 22 2017, @07:05AM (12 children)

    by bradley13 (3053) on Tuesday August 22 2017, @07:05AM (#557418) Homepage Journal

    The damned Google Assistant, which I had disabled months ago, pops up today "Can I tell you a joke?"

    The complexity of the software and hardware is such, that no one has an overview any more. Devices are always online. The motivations of the software and hardware manufacturers do not align with the interests of the customer.

    I do my best to maintain some degree of privacy and security, but: If you cannot trust the hardware or the software, and it's too complex to check yourself, what can you do? At best, you can eliminate the obvious threats. If a major company or a government wants to spy on people, really, WTF can you do? Become a digital hermit?

    --
    Everyone is somebody else's weirdo.
    • (Score: 0) by Anonymous Coward on Tuesday August 22 2017, @09:35AM (8 children)

      by Anonymous Coward on Tuesday August 22 2017, @09:35AM (#557445)

      How can I completely power down a Galaxy 8?

      • (Score: 0) by Anonymous Coward on Tuesday August 22 2017, @10:49AM (7 children)

        by Anonymous Coward on Tuesday August 22 2017, @10:49AM (#557457)

        Putting it in a bucket of water for an hour should do the trick.

        • (Score: 2) by DECbot on Tuesday August 22 2017, @01:08PM (6 children)

          by DECbot (832) on Tuesday August 22 2017, @01:08PM (#557483) Journal

          The Galaxy phones are designed to be waterproof. I suggest using a hammer liberally across the entirety of the device to expose the water detect off switch.

          --
          cats~$ sudo chown -R us /home/base
          • (Score: 2) by realDonaldTrump on Tuesday August 22 2017, @06:16PM (5 children)

            by realDonaldTrump (6614) on Tuesday August 22 2017, @06:16PM (#557610) Homepage Journal

            The Galaxy S6 is not waterproof. 🇺🇸

            • (Score: 2) by DECbot on Tuesday August 22 2017, @07:31PM (4 children)

              by DECbot (832) on Tuesday August 22 2017, @07:31PM (#557665) Journal

              True, but only so much water can enter through the headphone jack per second. If you really want to ensure that your phone is off _right_now_, use the hammer to expose the switch and then toss it in a bucket of water. If you can wait 30 minutes, you can do what I did and put it in the washing machine's steam cycle.

              --
              cats~$ sudo chown -R us /home/base
              • (Score: 2) by jasassin on Tuesday August 22 2017, @11:12PM (3 children)

                by jasassin (3566) <jasassin@gmail.com> on Tuesday August 22 2017, @11:12PM (#557764) Homepage Journal

                If you can wait 30 minutes, you can do what I did and put it in the washing machine's steam cycle.

                Why? Why not wipe it and sell it? Or, just throw it in a dumpster? Is this a joke?

                --
                jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
                • (Score: 2) by DECbot on Wednesday August 23 2017, @03:49AM (2 children)

                  by DECbot (832) on Wednesday August 23 2017, @03:49AM (#557836) Journal

I wish it were a joke... I threw my pants in the wash and 30 minutes later I couldn't find my phone. Lo and behold, it was eventually found in the wash, still in my pants.

                  --
                  cats~$ sudo chown -R us /home/base
                  • (Score: 2) by jasassin on Wednesday August 23 2017, @07:14AM (1 child)

                    by jasassin (3566) <jasassin@gmail.com> on Wednesday August 23 2017, @07:14AM (#557874) Homepage Journal

                    So it never worked again?

                    --
                    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
                    • (Score: 2) by DECbot on Wednesday August 23 2017, @11:01PM

                      by DECbot (832) on Wednesday August 23 2017, @11:01PM (#558212) Journal

                      Correct. I even disassembled the device and stuck the boards in a bag of rice. It never booted again. Now the replacement device (same make and model) I had in my pocket when I fell waist deep into a lake. That one was disassembled and sun-dried. About 4 hours later it was working again.

                      --
                      cats~$ sudo chown -R us /home/base
    • (Score: 0) by Anonymous Coward on Tuesday August 22 2017, @01:46PM

      by Anonymous Coward on Tuesday August 22 2017, @01:46PM (#557500)

      is when you take a crap. And that is only assuming you haven't placed an Amazon Echo (or equivalent) or brought a computing device into the bathroom with you.

Hell, if you're one of those people with a TV in every room, you might even have a video camera and microphone recording every time you drop your pants and get ready to take a dump. I wonder how long until somebody gets arrested for exposing themselves in a bathroom under the expectation of privacy. The way the current surveillance state is going, I can't foresee it taking too much longer.

    • (Score: 2) by ilsa on Tuesday August 22 2017, @06:47PM

      by ilsa (6082) Subscriber Badge on Tuesday August 22 2017, @06:47PM (#557635)

      There really *isn't* anything you can do. Or at least, very little a conscious consumer can do. The only option really, is that supply chains need to be audit-able and steep penalties applied to violators. But that costs money and effort, which raises prices, and the average person cares more about the up-front price than anything else.

    • (Score: 2) by urza9814 on Wednesday August 23 2017, @11:51AM

      by urza9814 (3954) on Wednesday August 23 2017, @11:51AM (#557926) Journal

      The damned Google Assistant, which I had disabled months ago, pops up today "Can I tell you a joke?"

      Hah, similar story here...I had the damn thing disabled, never used it in the two years that I owned this phone...then all of a sudden every time I plug in the aux jack for my car, the fuckin thing starts going "I'm sorry, I didn't hear that, please try again" or whatever.

      Long story short, I wiped it and switched to LineageOS. Works much better now :)

Now it's just constantly complaining that the kernel or play services or whatever else doesn't have internet access. Because I blocked it. And it works fine, so apparently it doesn't need it.

  • (Score: 2) by Bot on Tuesday August 22 2017, @07:22AM (4 children)

    by Bot (3902) on Tuesday August 22 2017, @07:22AM (#557424) Journal

    stop this paranoid thinking
    it makes no sense to hijack a phone through spare parts when you already control all the phone's parts.

    PS do you know I speak perfect Chinese? Well I don't.

    sent from my china produced hardware.

    --
    Account abandoned.
    • (Score: 2) by FatPhil on Tuesday August 22 2017, @08:15AM (3 children)

by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Tuesday August 22 2017, @08:15AM (#557433) Homepage

It does seem a bit bizarre, but it's not impossible. However, mostly peripherals (such as the touchscreen) are sitting on a bus with very little else on them. Maybe a gyro or accelerometer, or some other low-bandwidth device, but certainly not anything with high bandwidth requirements, such as any of the bunch of modems in your phone, so even if one of the devices was sniffing the bus, it's got no way of sending out what it's sniffed. These evil replacement touchscreen controllers would need to include their own modem. That should be detected by increased power drain, and could also be picked up by FCC tests, as there are now unexpected emissions. The chips' interfaces aren't (or at least shouldn't be) capable of communicating to the chip whether they are in a phone or on a test rig, so they can't have Audi-like selective behaviour.

      Of course, once the data's off the bus and in the CPU, and being passed around the software stack (linux driver, linux event interface, X input layer, snoopable via Xtest), then that's another matter entirely, but that's not evil replacement hardware, that's sloppy or evil software which came with the phone anyway.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by Arik on Tuesday August 22 2017, @08:32AM

by Arik (4543) on Tuesday August 22 2017, @08:32AM (#557436) Journal

Actually his approach boils down to using the replacement touch screen to install an app. The routine can be stored in the screen so the screen doesn't need to communicate with anything other than the CPU. However, obviously the attack would be closed if the app were to be detected and removed.

        As long as it's available in the store though, the screen can wait till the system is idle, then invisibly install the app. Their app uses a buffer exploit and at that point it's game over. The combination of the app and the screen have full control of the system, it's a keylogger and a rootkit and it can use the network anytime it wants.

        Seem to me like you could achieve the same effect by just installing the app while you have the phone though? Removing the app from the store wouldn't help those already infected but would turn any existing stock of screens into junk, as at minimum they would have to be reprogrammed to install a different app.

        I don't know, I'm mostly agreeing with the other guy, that there's no need for attackers who already have the phones thoroughly compromised to start trying to sneak in replacement screens. It's not a horrible idea it's just redundant.

        --
        If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by TheRaven on Tuesday August 22 2017, @09:36AM (1 child)

        by TheRaven (270) on Tuesday August 22 2017, @09:36AM (#557446) Journal

        However, mostly peripherals (such as the touchscreen) are sitting on a bus with very little else on them.

Not in a typical Android phone; they're all on the memory bus and have complete DMA access to the whole of physical memory and to other devices' control registers.

        --
        sudo mod me up
        • (Score: 2) by FatPhil on Tuesday August 22 2017, @12:56PM

by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Tuesday August 22 2017, @12:56PM (#557481) Homepage

That's insane. I've only worked with touchscreen controllers that sit on buses like I2C/SPI, which are as complex as they need to be - utterly dumb - and as high bandwidth as they need to be - as slow as molasses in winter. Adding an external memory bus interface would probably more than double the size of the silicon (and I'm thinking of doubling a multi-touch capacitive controller, which is way more complex than something like a simple resistive controller) and quintuple the number of pins on the die. What idiots thought any of that made sense? I guess I should be grateful they don't communicate over wifi.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2, Insightful) by Anonymous Coward on Tuesday August 22 2017, @10:23AM

    by Anonymous Coward on Tuesday August 22 2017, @10:23AM (#557454)

    If a hardware repair shop wanted to sneak something in, they surely would find easier ways than via the display. Remember, they have temporary access to the complete hardware. Who stops them e.g. from installing a root kit? That one you won't find out at all by inspecting the hardware, even if an expert does it.

  • (Score: 2) by BenJeremy on Tuesday August 22 2017, @11:23AM

    by BenJeremy (6392) on Tuesday August 22 2017, @11:23AM (#557459)

    Unless those parts are supplied by Q so 007 can spy on your phone, such "malware parts" can't really do anything with all that information they are supposedly logging.

    This is FUD from brand companies trying to protect their high profit margin repair business, or at the very least, sensationalized garbage from a "Researcher" who has had his Ric Romero moment hinging on a fairly impractical "danger" to consumers.

  • (Score: 2, Funny) by Virindi on Tuesday August 22 2017, @11:48AM (1 child)

    by Virindi (3484) on Tuesday August 22 2017, @11:48AM (#557463)

    Sketchy repair parts are quite a troubling threat.

    For the good of their users, surely major manufacturers, recognizing this threat, will make genuine replacement parts available to the public and repair shops for reasonable prices. I expect this to happen soon, because it is well understood that treating the customer well will keep them coming back to your products when it does come time for an upgrade. Buyers, being generally informed consumers, will prefer the products that provide them the best long-term value for their money, which includes being reasonably possible to repair by a technically skilled user or repair shop.

    In case you were thinking of some alternative, keep in mind that it is well known in the ranks of business that consumers are savvy to evil tricks. Consumers are smart and not easily distracted by glitz when there is a serious technical flaw with the product.

    • (Score: 2) by cafebabe on Wednesday August 23 2017, @03:02AM

      by cafebabe (894) on Wednesday August 23 2017, @03:02AM (#557825) Journal

      As noted with FTDI serial chips [soylentnews.org], what happens if honestly purchased parts are fakes? The retailer and customer are conned even if both make an effort to obtain premium components.

      --
      1702845791×2
  • (Score: 3, Interesting) by MrGuy on Tuesday August 22 2017, @03:26PM

    by MrGuy (1007) on Tuesday August 22 2017, @03:26PM (#557530)

    is who was involved in funding this study.

    Look, I'm not questioning their conclusions - I have no doubt someone who's able to sneak new hardware into a phone could do something malicious with that access. I'd go so far as to call that conclusion obvious (though the study does a great job going into specifics of the "how you'd do it.") And the conclusion is more aimed at device makers needing to be more careful about their trust boundaries, rather than advocating against third-party repair.

But given this study is being released right at the time when "right to repair" is being debated in multiple countries, the timing of a scientific study about how third-party repair can imperil devices seems...well...awfully convenient. And given that the conclusion here seems somewhat obvious (I'd have been HIGHLY surprised if a determined study couldn't find a way to exploit this), it's not a stretch to think about whether a device maker who was opposed to "right to repair" wouldn't want a study like this to wave around and demonstrate why the reason they won't let you repair your own device is FOR YOUR OWN SAFETY!! Zomg, think of the children.

    I'm not saying anything nefarious DID happen. But it's at best coincidental, and it's a little troubling to me that (given this background) I don't see any disclosure in the paper as to who paid for the research (there IS a disclosure section, but it's talking about disclosing vulnerabilities to manufacturers pre-publication). I find the lack of information about this a little disquieting.
