A group of researchers has shown how, for instance, a repair shop could siphon data from Android handsets or infect them with malware with nothing more than a screen repair.
Omer Shwartz, Amir Cohen, Asaf Shabtai and Yossi Oren, all from Israel's Ben-Gurion University of the Negev, this week warn that smartphone makers are not doing enough to secure data and software on a phone from the device's own components, and because of that a simple repair could potentially turn into a serious data breach.
In other words, too much stuff in the phone trusts other electronics to be legit, which means an evil part, replaced during a repair or inserted if the handheld was seized, could cause all sorts of mischief. It doesn't matter that you've enabled disk encryption or software sandboxing, and so on: this is sidestepped by the rogue physical hardware, allowing photos and other files to leak or be tampered with.
The researchers write:
In contrast to 'pluggable' drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor.
To show the type of risks this poses, the group constructed a pair of proof-of-concept attacks that could be pulled off with a simple screen replacement. Because the targeted phone does not perform any sort of security checks on its display hardware, the researchers say that a replacement screen could be outfitted with a microcontroller that would then be able to access other components of the handset while presenting itself as a normal touchscreen chip.
Once the device was compromised, the researchers were able to get the target, a factory-reset Nexus 6P, to do things like insert malicious URLs into browsers, take and email photos from the phone's camera, and log and transmit the handset's unlock code.
The group also notes that, by getting a specially designed component installed on the handset, they are able to launch "active fault" attacks that disable the security components protecting other parts of the handset and stored data.
"The concept of attacking secure devices via malicious replacement units may allow an interesting trade-off between the two methods of software-oriented attacks and active fault attacks," the researchers explain.
"This is because it provides an attacker with a low-risk method of getting 'up close and personal' to the main CPU's hardware interfaces, while at the same time requiring very little of the attacker in terms of attack cost or time spent."
In practice, the flaw would allow an attacker – for example an unscrupulous repair shop – to sell and install touchscreen replacements that are equipped with specially designed controllers that then take over the handset to harvest data.
Solving the problem will require that vendors put additional protections on the hardware itself, the researchers say. By adding a security component that monitors the serial bus traffic between the screen and the phone's main processor, a fairly simple firewall could be put into place to guard against tampering.
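The bus firewall the researchers propose can be sketched as a policy check applied to every transaction a replaceable component puts on the bus before it reaches the main processor. The following is an added illustration written for this page, not code from the paper or from any handset vendor: the register map, screen dimensions, rate limit and sample traffic are all constructed and hypothetical, and real touch-controller protocols differ. What it shows is the class of checks such a component could enforce: the screen may only write to its event-report registers, reports have a bounded size, coordinates must fall on the panel, and the component may not flood the bus.

```python
"""Illustrative bus-traffic firewall for a replaceable touchscreen controller.

Added example, not from the paper or the article. All register numbers,
limits and traffic below are constructed for the demonstration.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BusMessage:
    t_ms: int        # timestamp in milliseconds since boot (constructed)
    src: str         # which side drove the transfer: "host" or "touch"
    op: str          # "read" or "write"
    reg: int         # register address addressed on the bus
    payload: bytes   # data carried by the transfer


# Hypothetical policy for the screen side of the bus. The host side is the
# trusted party here, so only traffic originating from the component is checked.
POLICY = {
    "touch_write_regs": range(0x10, 0x20),  # event-report window (hypothetical)
    "report_reg": 0x10,                     # 4-byte x,y little-endian report (hypothetical)
    "max_payload": 8,
    "max_msgs_per_100ms": 50,
    "screen": (1440, 2560),                 # logical panel size (constructed)
}


def check_message(msg: BusMessage, policy=POLICY) -> List[str]:
    """Return a list of policy violations for one message (empty if clean)."""
    problems = []
    if msg.src != "touch":
        return problems  # host-originated traffic is passed through unchecked
    if msg.op != "write" or msg.reg not in policy["touch_write_regs"]:
        problems.append(
            f"t={msg.t_ms}: component {msg.op} on reg 0x{msg.reg:02x} outside its allowed window")
    if len(msg.payload) > policy["max_payload"]:
        problems.append(
            f"t={msg.t_ms}: oversized payload ({len(msg.payload)} bytes)")
    if msg.reg == policy["report_reg"] and len(msg.payload) == 4:
        x = int.from_bytes(msg.payload[:2], "little")
        y = int.from_bytes(msg.payload[2:], "little")
        w, h = policy["screen"]
        if x >= w or y >= h:
            problems.append(f"t={msg.t_ms}: touch coordinates ({x},{y}) off the panel")
    return problems


def filter_traffic(msgs: List[BusMessage], policy=POLICY) -> Tuple[List[BusMessage], List[str]]:
    """Forward clean messages, drop and report the rest, with a 100 ms rate limit."""
    forwarded, alerts = [], []
    window = deque()  # timestamps of component messages seen in the last 100 ms
    for m in msgs:
        problems = check_message(m, policy)
        if m.src == "touch":
            window.append(m.t_ms)
            while window and window[0] <= m.t_ms - 100:
                window.popleft()
            if len(window) > policy["max_msgs_per_100ms"]:
                problems.append(f"t={m.t_ms}: component exceeded rate limit")
        if problems:
            alerts.extend(problems)
        else:
            forwarded.append(m)
    return forwarded, alerts


def report(x: int, y: int) -> bytes:
    return x.to_bytes(2, "little") + y.to_bytes(2, "little")


# Constructed traffic: three benign transfers, four malformed ones, then a burst.
SAMPLE_TRAFFIC = [
    BusMessage(100, "host", "read", 0x00, b""),              # host polls a chip-ID register
    BusMessage(101, "touch", "write", 0x10, report(300, 800)),  # ordinary touch report
    BusMessage(150, "touch", "write", 0x11, b"\x01"),        # finger-up flag (hypothetical)
    BusMessage(200, "touch", "write", 0x40, b"\xff"),        # write outside the allowed window
    BusMessage(250, "touch", "write", 0x10, b"\x00" * 12),   # oversized report
    BusMessage(300, "touch", "write", 0x10, report(5000, 10)),  # x beyond the panel edge
    BusMessage(350, "touch", "read", 0x20, b""),             # component reading a host-side register
] + [BusMessage(500 + i // 10, "touch", "write", 0x10, report(100, 100)) for i in range(60)]


if __name__ == "__main__":
    fwd, alerts = filter_traffic(SAMPLE_TRAFFIC)
    print(f"forwarded {len(fwd)} of {len(SAMPLE_TRAFFIC)} messages")
    for a in alerts:
        print("ALERT", a)
```

Running it forwards the three benign transfers and the first fifty messages of the burst, and raises one alert for each malformed transfer plus one per message once the burst crosses the 50-per-100 ms limit. The point of the design is that none of these checks need to understand what the screen is for: they only need the policy that the component driver, in the researchers' words, currently assumes instead of enforcing.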
The researchers explain:
A well-motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone's trust boundary, and design their defenses accordingly.
Even that approach, however, has drawbacks. Apple famously drew the ire of many iPhone owners when an iOS firmware update created havoc for people whose screens had previously been replaced. ®