date 2021-08-17
from the Use-only-Official®-Authorized-Parts-and-Repair-Services dept.
People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device.
The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.
The research, in a paper presented this week at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary." The factory-installed hardware that communicates with the drivers is similarly assumed to be trustworthy, as long as the manufacturer safeguards its supply chain. The security model breaks down as soon as a phone is serviced in a third-party repair shop, where there's no reliable way to certify replacement parts haven't been modified.
The researchers, from Ben-Gurion University of the Negev, wrote:
The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques. A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone's trust boundary, and design their defenses accordingly.
Source: Ars Technica
Also covered at: Engadget.
(Score: 0) by Anonymous Coward on Tuesday August 22, @06:50AM
Not to mention what it could do to your penis.
(Score: 0) by Anonymous Coward on Tuesday August 22, @06:55AM
In other words, please stop repairing your phones. Use our official repair service or even better go buy a new phone (our repair service will cost just about as much anyways!). Just throw that old one away. It's no good. Why? Well because we're now selling a new one!
Perhaps we should lobby the government to pass some laws to make repairing your own devices illegal. You know... for the protection of the people. We can call it The Digital Hardware Protection and Initiative Red White and Blue Team America FUCK YEAH Act for Consumer Freedom Choice and Freedom PATRIOT.
(Score: 2) by bradley13 on Tuesday August 22, @07:05AM
The damned Google Assistant, which I had disabled months ago, pops up today "Can I tell you a joke?"
The complexity of the software and hardware is such that no one has an overview any more. Devices are always online. The motivations of the software and hardware manufacturers do not align with the interests of the customer.
I do my best to maintain some degree of privacy and security, but: If you cannot trust the hardware or the software, and it's too complex to check yourself, what can you do? At best, you can eliminate the obvious threats. If a major company or a government wants to spy on people, really, WTF can you do? Become a digital hermit?
Everyone is somebody else's weirdo.
(Score: 2) by Bot on Tuesday August 22, @07:22AM
stop this paranoid thinking
it makes no sense to hijack a phone through spare parts when you already control all the phone's parts.
PS do you know I speak perfect Chinese? Well I don't.
sent from my china produced hardware.