Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security (arstechnica.com)

← Back to Stories (view on slashdot.org)

Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security (arstechnica.com)

Posted by msmash on Friday August 18, 2017 @02:45AM from the security-woes dept.

Dan Goodin, writing for ArsTechnica: People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens -- one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 -- can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary."

38 of 62 comments (clear)

Min score:

Reason:

Sort:

Phone manufacturers by Dan+East · 2017-08-18 02:54 · Score: 3, Interesting

I wonder which phone manufacturers sponsored this FUD. Technically possible? Sure. Any evidence it has ever occurred in the wild? No. Would this sort of malicious hardware have to transmit data in some way to offload the stolen information, thus raising alarms in various corporate type networks and the like? Eventually.

--
Better known as 318230.
1. Re:Phone manufacturers by ctilsie242 · 2017-08-18 03:03 · Score: 1
  
  How can a screen or digitizer communicate to the outside world? It likely isn't on a bus where it can ask the radio or NIC to packetize stuff it feels like. At best, it can record taps on a screen, but getting those out would be a different story. Perhaps for physical snooping where the device is captured later on (say to glean someone's PIN), but for a remote attacker, it isn't that feasible.
2. Re:Phone manufacturers by MightyYar · 2017-08-18 03:05 · Score: 1
  
  Not only is it FUD, but it could be done with brand-new phones. Thousands of people have access to the supply chain and at any point could pull inventory, modify/replace the original parts, and swap them back in. The fact is that there is no reasonable commercial incentive for the random repair person at a store to spy on the random customer that has his screen replaced, and it would be super simple to catch the responsible party. Talk about hard evidence!
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
3. Re:Phone manufacturers by known_coward_69 · 2017-08-18 03:13 · Score: 1
  
  if you're a front for organized crime, then it's an easy way to hijack people's phones
4. Re:Phone manufacturers by WD · 2017-08-18 03:15 · Score: 4, Insightful
  
  Perhaps you're not familiar with how security research works. Stopping at "is this being exploited in the wild now?" is shortsighted.
  For some background, read:
  https://blog.osvdb.org/2017/08...
  (about "L0pht, Making the theoretical practical since 1992." )
5. Re:Phone manufacturers by ElizabethGreene · 2017-08-18 03:15 · Score: 1
  
  Dumb question here. Why do we trust Apple or Samsung parts more than Huwai?
6. Re:Phone manufacturers by UnknowingFool · 2017-08-18 03:17 · Score: 1
  
  thus raising alarms in various corporate type networks and the like?
  
  Only if you assume that no one ever uses a network outside their corporate network and that all networks used employ various ways to detect this data transmission. For most consumers, the normal is not to have such high security. They don't employ such detection methods and they connect to outside networks all the time.
  Also consumers are far more likely to buy these 3rd party parts than someone with a corporate phone who will most likely send it to their company for repair who will use genuine parts.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
7. Re:Phone manufacturers by thegreatbob · 2017-08-18 03:27 · Score: 1
  
  If it knows what touches to simulate, then it can use any of a number of ways of doing so when the user isn't actively handling their phone (e.g. after it has been set down, but not yet auto-locked).
  
  --
  There is no XUL, only WebExtensions...
8. Re:Phone manufacturers by MightyYar · 2017-08-18 03:44 · Score: 1
  
  But like I said, super easy to trace back and with tons of hard evidence, both on-premises and in all of your victim's hands. Plus the circumstantial evidence of all the ripped off people having a common experience of using your business. Much better off with a software hack. I mean, you have the person's phone in your possession... why not just install whatever software that you want - where there is at least some degree of plausible deniability?
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
9. Re:Phone manufacturers by ctilsie242 · 2017-08-18 03:52 · Score: 2
  
  In theory, Apple and Samsung have a lot more to lose. Apple especially, since their reputation as a phone provider rides on how secure their devices are, and if something is discovered, there are many rivals who will be happy to take the loss. Samsung, similar.
  Huawei? Not as much, as they are in a different market segment.
10. Re:Phone manufacturers by Anonymous Coward · 2017-08-18 04:01 · Score: 1
  
  "error 53"
11. Re:Phone manufacturers by bsDaemon · 2017-08-18 04:02 · Score: 4, Informative
  
  Apple and Samsung devices and software have been evaluated and validated against FIPS 140-2, Common Criteria and Commercial Solutions for Classified (CSfC) standards and are considered safe enough for use by the US government and others which respect those certifications (such as the 20+ countries in the Common Criteria Recognition Agreement).
  Huawei has financial and political ties to the Chinese government, which has a well known history of taking "cyber" action for both political and industrial espionage purposes, in addition to siding with adversarial countries such as Russia, North Korea, etc. on a number of issues.
  Therefor, Apple and Samsung are probably better choices from a trustworthiness standpoint. On the other hand, they're largely manufactured and assembled in the PRC and would be targets for the kind of supply-chain-infiltration type hardware implant attack. It'd just be less easy to accomplish than embedding implants or back doors into the hardware of one of their own companies.
12. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 04:13 · Score: 1
  
  Probably our friendly, neighborhood, fruit tree company...
  Probably not; but I'll bet their devices don't share this issue. Not because of good design (but that is likely part of it); but because they don't use commodity SoCs like in 100% of Android devices.
  But I would really be surprised if ANY independent repair shops are replacing BGA-packaged SoCs, anyway.
  I agree: The article is FUD.
13. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 04:18 · Score: 1
  
  How can a screen or digitizer communicate to the outside world? It likely isn't on a bus where it can ask the radio or NIC to packetize stuff it feels like. At best, it can record taps on a screen, but getting those out would be a different story. Perhaps for physical snooping where the device is captured later on (say to glean someone's PIN), but for a remote attacker, it isn't that feasible.
  Right. Because the user taps in several places on the screen; but unless the display/digitizer is privvy to exactly WHAT App is running in the foreground, those taps and swipes are USELESS outside of the phone.
  FUD.
14. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 04:20 · Score: 1
  
  If it knows what touches to simulate, then it can use any of a number of ways of doing so when the user isn't actively handling their phone (e.g. after it has been set down, but not yet auto-locked).
  But unless it knows exactly WHAT App is receiving those "taps" (which the display and digitzer most assuredly do NOT), so the fuck what?
15. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 04:23 · Score: 1
  
  But like I said, super easy to trace back and with tons of hard evidence, both on-premises and in all of your victim's hands. Plus the circumstantial evidence of all the ripped off people having a common experience of using your business. Much better off with a software hack. I mean, you have the person's phone in your possession... why not just install whatever software that you want - where there is at least some degree of plausible deniability?
  Good luck doing that with a signed OS, like iOS... You can't even install a LEGIT, but no-longer-signed, version of iOS; let alone some backroom-hacked FrankenWare version.
16. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 04:25 · Score: 1
  
  Dumb question here. Why do we trust Apple or Samsung parts more than Huwai?
  Because by now, any nefarious transmissions would have long-ago been discovered by people like you.
17. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 04:26 · Score: 1
  
  now android marketing and spy OS ,there is no difference to ios,(it's not for geek), I used to like before there was a 2.3 version, now I use a simple push-button telephone
  WTF are you even talking about?
18. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 04:27 · Score: 1
  
  In theory, Apple and Samsung have a lot more to lose. Apple especially, since their reputation as a phone provider rides on how secure their devices are, and if something is discovered, there are many rivals who will be happy to take the loss. Samsung, similar.
  Huawei? Not as much, as they are in a different market segment.
  Exactly.
19. Re:Phone manufacturers by Tjp($)pjT · 2017-08-18 04:28 · Score: 1
  
  Smart "chip in the middle" devices would wait until you were off wifi and on the LTE or other telecom data. Or if they were really suave, even if you were on wifi they'd use the telecom communications channel.
  
  --
  - Tjp
  I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
20. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 04:28 · Score: 1
  
  Apple and Samsung devices and software have been evaluated and validated against FIPS 140-2, Common Criteria and Commercial Solutions for Classified (CSfC) standards and are considered safe enough for use by the US government and others which respect those certifications (such as the 20+ countries in the Common Criteria Recognition Agreement).
  Huawei has financial and political ties to the Chinese government, which has a well known history of taking "cyber" action for both political and industrial espionage purposes, in addition to siding with adversarial countries such as Russia, North Korea, etc. on a number of issues.
  Therefor, Apple and Samsung are probably better choices from a trustworthiness standpoint. On the other hand, they're largely manufactured and assembled in the PRC and would be targets for the kind of supply-chain-infiltration type hardware implant attack. It'd just be less easy to accomplish than embedding implants or back doors into the hardware of one of their own companies.
  PERFECT answer!
  Mod Parent "Informative"!
21. Re:Phone manufacturers by Tjp($)pjT · 2017-08-18 04:40 · Score: 2
  
  They don't need to replace the processor. They are exploiting data capture from the digitizer and screen, and using the privileged position the display assembly has in the hardware to inject and essentially jailbreak the device. Or root it in the case of Android. Consider at one point you could just visit a website to jailbreak an iPhone. So wait until the user is quiescent and use the digitizer to visit a website. Pretty easy to do that. Then once compromised, game over. It isn't an easy process, nor cheap one, but for nation states not much of a problem. Once compromised the installed app can sit in the background. It is a waiting game for the installed hardware to find the right moment. The only "value" to this attack vector is that a known good repair shop can be compromised by their supplier, else a bad repair shop would likely just install bad firmware. As to replacing BGAs, there was a Vietnamese shop that did this to break earlier iPhones by swapping out the image on the firmware with a new one since out of the phone the chip could be reprogrammed. So even little shops on cramped, third world evident streets can do this without much difficulty.
  
  --
  - Tjp
  I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
22. Re:Phone manufacturers by MightyYar · 2017-08-18 04:47 · Score: 1
  
  OK, but if you can't do it with physical access to the phone, then a screen hack also won't help you.
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
23. Re:Phone manufacturers by Tjp($)pjT · 2017-08-18 04:55 · Score: 1
  
  The hardware is not something a small scale actor would be able to create. At the moment this is nation state, and maybe organized crime or the teamsters level of involvement to create a hack that you could then re-close the phone up. Done properly the hardware would be selective about the data it captures and when it sends it. And if you're a bad actor shop you only install the spyhard-ware on select victims phones and use legitimate hardware on others. You limit your footprint. If you are a bad actor on the supply chain side you have to manage to crack your victims phone and insert your devices into the repair supply chain to overlap the period from breakage to replacement, so you'll compromise more phones. The reason to prefer hardware over software is a complete from the ground up software reinstall doesn't undo the compromise. Imagine a hacked BIOS on an older PC. You hide your malicious code in the unused portion of the BIOS memory. When the user flashes a new BIOS image, the old image was still in control. It could, in theory, just reinfect the new image. Of course if you're a malicious shop you skip the firmware and install a new boot-rom. If there is one. SoC chips with a fuse segregate the "boot-rom" to a virtual existence and if the chip also contains the walled garden security mechanism, it is likely not very easy at all to compromise that without detectable side affects, like on an iPhone touch id no longer working as the sensor gets unpaired. But even then you could just disregard the security since it's now your walled garden.
  
  --
  - Tjp
  I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
24. Re:Phone manufacturers by tlhIngan · 2017-08-18 06:06 · Score: 2
  
  Right. Because the user taps in several places on the screen; but unless the display/digitizer is privvy to exactly WHAT App is running in the foreground, those taps and swipes are USELESS outside of the phone.
  FUD.
  No, it's not. Because if you log where you touch on the screen and where you swipe, you can probably figure out what's going on.
  Look at the lock screen on your phone, and your keypad is probably laid out like every other keypad out there. In fact, it looks remarkably like the phone keypad too (if you're using a PIN). So any succession of taps in that region of the screen with the relatively wide spacing may be either a phone number, or the PIN code to unlock your phone.
  Ditto with the keyboard - if you're making a bunch of taps in the lower 1/3rd of the screen, I don't need to know what you're running in order to guess you might be typing something. If I record the locations of the taps, and then try to play it back with various scaling on the keyboard, I might be able to recreate what you typed.
  Heck, I might log information about when the touch screen chip is turned off so I can tell when you power it up, you're screen is probably locked and to note the next few taps and swipes.
25. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 12:12 · Score: 1
  
  Right. Because the user taps in several places on the screen; but unless the display/digitizer is privvy to exactly WHAT App is running in the foreground, those taps and swipes are USELESS outside of the phone.
  FUD.
  No, it's not. Because if you log where you touch on the screen and where you swipe, you can probably figure out what's going on.
  Look at the lock screen on your phone, and your keypad is probably laid out like every other keypad out there. In fact, it looks remarkably like the phone keypad too (if you're using a PIN). So any succession of taps in that region of the screen with the relatively wide spacing may be either a phone number, or the PIN code to unlock your phone.
  Ditto with the keyboard - if you're making a bunch of taps in the lower 1/3rd of the screen, I don't need to know what you're running in order to guess you might be typing something. If I record the locations of the taps, and then try to play it back with various scaling on the keyboard, I might be able to recreate what you typed.
  Heck, I might log information about when the touch screen chip is turned off so I can tell when you power it up, you're screen is probably locked and to note the next few taps and swipes.
  I'm sorry; my lock screen doesn't have a keypad, nor do I swipe to unlock.
26. Re:Phone manufacturers by TheFakeTimCook · 2017-08-18 12:15 · Score: 1
  
  My two year old Samsung still gets an update at least every other month. Soooooo wth were you saying again champ?
  So, you're in the .00000000000000000000000000000001 percent of Android users that have gotten mire than an updated or two.
27. Re:Phone manufacturers by Joosy · 2017-08-18 15:22 · Score: 1
  
  So, you're in the .00000000000000000000000000000001 percent of Android users that have gotten mire than an updated or two.
  Rubbish. My Samsung Galaxy Note 4 (last of the line with a replaceable battery!) was originally released in late 2014. It still regularly receives updates.
  
  --
  I'm sick and tired of these hip, "ironic" sigs. This is an actual, honest-to-goodness no-nonsense sig!
28. Re: Phone manufacturers by philmck · 2017-08-19 02:20 · Score: 1
  
  My Galaxy S4 says it was last updated in November 2016. Must be pretty vulnerable by now :-(
  
  --
  Phil McKerracher
There are much worse things already happening by rickb928 · 2017-08-18 03:06 · Score: 1

Such as faulty/counterfeit batteries used in Galaxy Note 4s during repair.

--
deleting the extra space after periods so i can stay relevant, yeah.
This isn't news by mlw4428 · 2017-08-18 03:06 · Score: 2

Once you give up physical access to your device, you give up security. This is no different than the possibility that a locksmith could use a copy of a key he made for you. It's stupid.
1. Re:This isn't news by spire3661 · 2017-08-18 03:19 · Score: 2
  
  This is why the USER should be able to set the locks themselves. The 'physical access' loophole can be defeated with 'Trust, but Verify' methods.
  
  --
  Good-bye
2. Re:This isn't news by Sloppy · 2017-08-18 03:54 · Score: 2
  
  Once you give up physical access to your device, you give up security.
  And when it comes to phones, that happens before you even buy it. The idea of a phone's security being subverted is laughable. It never had any security! It was always someone else's computer.
  Granted, you would probably prefer your phone to have n masters above you, rather than n+1. But for high values of n, the more you care about that, the less sense it makes. You should probably worry more about n and less about the +1. Solve the real problem, and you'll solve the fake problem too.
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
A cell phone inside the cell phone to send data? by BenJeremy · 2017-08-18 03:23 · Score: 1

So fine, your screen part has a malicious "touch logger" capability... how does it send data? Oh yeah, it CAN'T.
This sounds like FUD to make sure customers use the most expensive repair channel - the original manufacturer - to have the work done.
New, more accurate headline by Miamicanes · 2017-08-18 03:35 · Score: 1

"A hacked touchscreen can inject pre-scripted touch events into the event screen"
Of course, this assumes:
a) the device is unlocked
b) the malicious driver can guess where the required touch zones are located (no small feat, considering the diversity of softkey layouts (e.g, Samsung vs Nexus vs LG vs HTC), homescreen launchers, and the layout of app drawers (depending upon what the user installed).
c) Since malware (in addition to the driver itself) is almost a requirement (given a & b), the hardware itself is almost superfluous. At most, it might log touch events to its own local ram, then make them available to malware that knows how to use the attack chip (events Android itself might otherwise choose to not share with the malware).
Put another way, under precisely the right circumstances, a mouse can be used to completely hijack a device's security (by guessing where to move & generating phantom clicks). And if pigs had gills, they could breathe underwater.
The more likely scenario: a state espionage agency replaces touchscreen controller chips with hand-crafted replacements that include a simple radio transmitter so they can remotely monitor & log touch events. That's an ENTIRELY different challenge than implementing your own network stack or attempting to do naughty things over the i2c bus or as a USB peripheral.
Put another way, this is a multi-stage attack that's SO outrageously complex, requiring so many resources from the attacker, and requiring so much knowledge about the state of the target victim's phone, even taking it seriously as a possibility of something that has happened to you requires venturing into the realm of conspiracy-theory paranoia. There are easier, cheaper, and more profitable ways to compromise a user's device without going so far off the complexity deep-end.
Omg! Thanks for the warning. by easyTree · 2017-08-18 03:47 · Score: 1

I'll be sure to pay out the a$$ for the expensive parts with spyware approved by the shiny people.

--
Requiem for the American Dream
Who do you trust? Really? by gillbates · 2017-08-18 04:13 · Score: 3, Interesting

Ken Thompson's Reflections on Trusting Trust is well worth a read. Long story short, anyone with access to the hardware/software stack of your machine can compromise its security.
These attacks are not merely theoretical. The key to good security is to make the cost of compromise greater than the value of whatever would be received by doing so. For the average person, their privacy is not worth the effort of surrepitiously installing hardware. However, if you're a Palestinian terrorist... You may just want to have someone else purchase/service your electronic devices, as the Israeli equivalent of the CIA has planted explosives in the cellphones of Palestinians (and successfully carried out assassinations this way.)

--
The society for a thought-free internet welcomes you.
You should always order by mail or Amazon by WillAffleckUW · 2017-08-18 08:52 · Score: 1

This just shows that you should always order by mail order or by Amazon, so that the NSA can install their own chips inside instead of the other ones a repair shop would install.

--
-- Tigger warning: This post may contain tiggers! --