In the last edition of the Usenix Workshop on Offensive Technologies (held in Canada between 14th and 15th of August), researchers Omer Shwartz, Amir Cohen, Asaf Shabtai and Yossi Oren, of Ben-Gurion University (Israel), presented a series of conceptual attacks involving replacement parts for mobile devices.
At the presentation, the researchers used two models of Android devices — a Nexus 6P smartphone, manufactured by Huawei, and a LG G Pad 7.0 tablet. Both had their screens replaced by altered parts, indistinguishable from a legitimate one, containing chips that would give an alleged attacker the ability to save and transmit device unlock patterns, take pictures of the user, replace legitimate URLs with phishing URLs, and remotely exploit vulnerabilities present in the operating system.
The concept is described in the article “Shattered Trust: When Replacement Smartphone Components Attacks”, which questions the trust based relationship between outsourced companies that produce components — such as screens, GPS, NFC readers — and the vendors. “Third-party driver source code to support these components is integrated into the vendor’s source code (…) which implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device’s main processor”.
Two initial attacks are described in the study, both happened after the exchange of an original touchscreen module with a malicious version: touch injection — which allow the touchscreen to record and inject touch commands on the device — and buffer overflow — which can allow arbitrary code execution; combined, these attacks could lead to a series of end-to-end attacks that “could severely compromisse a stock Android device with standard firmware”.
An attacker could impersonate the user by unlocking the device with the screen off, downloading and installing applications without the device owner’s knowledge, and then using malicious code to abuse vulnerabilities and take control of the device.
Study Impact
According to a survey by the British company We Are Social, currently more than half of the world population uses a smartphone. Another survey by App Annie shows that, in the UK, users spend an average of two hours a day using apps, which is equivalent to one month per year.
This constant use obviously brings accidents. In 2015 Motorola conducted a global survey showing that more than 50% of smartphone users had damaged the screens of their devices (38% in the UK). And damaged screens fueled a growing industry: in the US, the smartphone repair market was estimated to generate $ 4 billion in revenue in 2016, with an average growth of 3% between 2011 and 2016.
It turns out that the high costs of parts and services in authorized assistance can lead users to seek more competitive prices — which will inevitably lead them to find generic parts and / or services that may be less reliable. In London, Apple’s authorized network is charging more than £ 150 for replacing a screen of its more expensive models, while “quick fix” companies charge less than a third of that value.
Combined, these factors can make the attacks shown by the researchers quite attractive.
Ben Gurion University released a series of videos showing some of the attacks made possible by the technique. The video below shows how you can take photos and send them by email.