Slashdot Mirror


Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security (arstechnica.com)

Dan Goodin, writing for ArsTechnica: People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens -- one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 -- can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary."

10 of 62 comments

  1. Phone manufacturers by Dan+East · Score: 3, Interesting

    I wonder which phone manufacturers sponsored this FUD. Technically possible? Sure. Any evidence it has ever occurred in the wild? No. Would this sort of malicious hardware have to transmit data in some way to offload the stolen information, thus raising alarms in various corporate type networks and the like? Eventually.

    --
    Better known as 318230.

    1. Re:Phone manufacturers by WD · Score: 4, Insightful

      Perhaps you're not familiar with how security research works. Stopping at "is this being exploited in the wild now?" is shortsighted.

      For some background, read:
      https://blog.osvdb.org/2017/08...
      (about "L0pht, Making the theoretical practical since 1992." )

    2. Re:Phone manufacturers by ctilsie242 · Score: 2

      In theory, Apple and Samsung have a lot more to lose. Apple especially, since their reputation as a phone provider rides on how secure their devices are, and if something is discovered, there are many rivals who will be happy to take the loss. Samsung, similar.

      Huawei? Not as much, as they are in a different market segment.

    3. Re:Phone manufacturers by bsDaemon · Score: 4, Informative

      Apple and Samsung devices and software have been evaluated and validated against FIPS 140-2, Common Criteria and Commercial Solutions for Classified (CSfC) standards and are considered safe enough for use by the US government and others which respect those certifications (such as the 20+ countries in the Common Criteria Recognition Agreement).

      Huawei has financial and political ties to the Chinese government, which has a well known history of taking "cyber" action for both political and industrial espionage purposes, in addition to siding with adversarial countries such as Russia, North Korea, etc. on a number of issues.

      Therefore, Apple and Samsung are probably better choices from a trustworthiness standpoint. On the other hand, they're largely manufactured and assembled in the PRC and would be targets for the kind of supply-chain-infiltration type hardware implant attack. It'd just be less easy to accomplish than embedding implants or back doors into the hardware of one of their own companies.

    4. Re:Phone manufacturers by Tjp($)pjT · Score: 2

      They don't need to replace the processor. They are exploiting data capture from the digitizer and screen, and using the privileged position the display assembly has in the hardware to inject and essentially jailbreak the device. Or root it in the case of Android. Consider at one point you could just visit a website to jailbreak an iPhone. So wait until the user is quiescent and use the digitizer to visit a website. Pretty easy to do that. Then once compromised, game over. It isn't an easy process, nor a cheap one, but for nation states not much of a problem. Once compromised the installed app can sit in the background. It is a waiting game for the installed hardware to find the right moment. The only "value" to this attack vector is that a known good repair shop can be compromised by their supplier, else a bad repair shop would likely just install bad firmware. As to replacing BGAs, there was a Vietnamese shop that did this to break earlier iPhones by swapping out the image on the firmware with a new one since out of the phone the chip could be reprogrammed. So even little shops on cramped, third world evident streets can do this without much difficulty.

      --
      - Tjp

      I am in wallow with my inner money grubbing capitalistic pig. ... Oink!

    5. Re:Phone manufacturers by tlhIngan · Score: 2

      Right. Because the user taps in several places on the screen; but unless the display/digitizer is privy to exactly WHAT App is running in the foreground, those taps and swipes are USELESS outside of the phone.

      FUD.

      No, it's not. Because if you log where you touch on the screen and where you swipe, you can probably figure out what's going on.

      Look at the lock screen on your phone, and your keypad is probably laid out like every other keypad out there. In fact, it looks remarkably like the phone keypad too (if you're using a PIN). So any succession of taps in that region of the screen with the relatively wide spacing may be either a phone number, or the PIN code to unlock your phone.

      Ditto with the keyboard - if you're making a bunch of taps in the lower 1/3rd of the screen, I don't need to know what you're running in order to guess you might be typing something. If I record the locations of the taps, and then try to play it back with various scaling on the keyboard, I might be able to recreate what you typed.

      Heck, I might log information about when the touch screen chip is turned off so I can tell when you power it up, your screen is probably locked and to note the next few taps and swipes.
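
The point made in this thread, that a component which sees only raw touch coordinates can still recover a PIN because the lock-screen keypad sits at a fixed, predictable position, is easy to make concrete. The following Python is an added example written for this page, not code from the article, the paper, or any commenter: it simulates a user entering a PIN on a constructed 3x4 keypad geometry (the screen size, pad position and cell size are hypothetical values), shows that an observer assuming the standard layout reads the PIN straight off the coordinates, and then shows why the common mitigation of scrambling the digit layout on every unlock blunts that observer: the same coordinates no longer map to the same digits. The permutation string used in `demo()` is constructed so the result is reproducible; `shuffled_layout()` is what a real implementation would call per unlock.

```python
import random

# Constructed keypad geometry (hypothetical, not from the article): a 3x4 grid
# of keys occupying the lower part of a 1080x1920 portrait screen.
PAD_LEFT, PAD_TOP = 60, 1200   # top-left corner of the key grid
CELL_W, CELL_H = 320, 170      # size of one key cell
KEY_CELLS = [0, 1, 2, 3, 4, 5, 6, 7, 8, 10]  # 10 of the 12 cells hold a digit


def make_layout(digit_order):
    """Place the 10 digits of digit_order into the key cells, row-major."""
    layout = [""] * 12
    for cell, digit in zip(KEY_CELLS, digit_order):
        layout[cell] = digit
    return layout


FIXED_LAYOUT = make_layout("1234567890")   # the familiar phone keypad


def shuffled_layout(rng=random):
    """A fresh random layout, as a scrambled PIN pad would draw per unlock."""
    digits = list("0123456789")
    rng.shuffle(digits)
    return make_layout("".join(digits))


def tap_position(digit, layout):
    """Screen coordinate of the centre of the key showing `digit` in `layout`."""
    cell = layout.index(digit)
    row, col = divmod(cell, 3)
    return (PAD_LEFT + col * CELL_W + CELL_W // 2,
            PAD_TOP + row * CELL_H + CELL_H // 2)


def user_enters_pin(pin, layout):
    """Simulate the legitimate user: the raw (x, y) stream a digitizer sees."""
    return [tap_position(d, layout) for d in pin]


def cell_for_tap(x, y):
    """Which key cell a tap lands in, or None if it is outside the pad."""
    col = (x - PAD_LEFT) // CELL_W
    row = (y - PAD_TOP) // CELL_H
    if 0 <= col < 3 and 0 <= row < 4:
        return row * 3 + col
    return None


def infer_digits(taps, assumed_layout):
    """What a coordinate-only observer infers if it assumes a given layout."""
    out = []
    for x, y in taps:
        cell = cell_for_tap(x, y)
        out.append((assumed_layout[cell] or "?") if cell is not None else "?")
    return "".join(out)


def demo(pin="2580", permutation="7301958264"):
    """Return (digits inferred with the fixed pad, digits inferred with a
    scrambled pad) for an observer that assumes the standard layout."""
    fixed_taps = user_enters_pin(pin, FIXED_LAYOUT)
    scrambled = make_layout(permutation)   # constructed permutation, reproducible
    scrambled_taps = user_enters_pin(pin, scrambled)
    return (infer_digits(fixed_taps, FIXED_LAYOUT),
            infer_digits(scrambled_taps, FIXED_LAYOUT))


if __name__ == "__main__":
    fixed, scrambled = demo()
    print(f"fixed pad:     observer infers {fixed}")
    print(f"scrambled pad: observer infers {scrambled} (actual PIN was 2580)")
```

With the fixed layout the observer's guess equals the PIN; with the scrambled layout it does not, and since the layout changes on every unlock the observer cannot learn a single mapping to apply later. The trade-off is usability, which is why most platforms offer scrambling as an option rather than a default.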

  2. This isn't news by mlw4428 · Score: 2

    Once you give up physical access to your device, you give up security. This is no different than the possibility that a locksmith could use a copy of a key he made for you. It's stupid.

    1. Re:This isn't news by spire3661 · Score: 2

      This is why the USER should be able to set the locks themselves. The 'physical access' loophole can be defeated with 'Trust, but Verify' methods.

      --
      Good-bye

    2. Re:This isn't news by Sloppy · Score: 2

      Once you give up physical access to your device, you give up security.

      And when it comes to phones, that happens before you even buy it. The idea of a phone's security being subverted is laughable. It never had any security! It was always someone else's computer.

      Granted, you would probably prefer your phone to have n masters above you, rather than n+1. But for high values of n, the more you care about that, the less sense it makes. You should probably worry more about n and less about the +1. Solve the real problem, and you'll solve the fake problem too.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  3. Who do you trust? Really? by gillbates · Score: 3, Interesting

    Ken Thompson's Reflections on Trusting Trust is well worth a read. Long story short, anyone with access to the hardware/software stack of your machine can compromise its security.

    These attacks are not merely theoretical. The key to good security is to make the cost of compromise greater than the value of whatever would be received by doing so. For the average person, their privacy is not worth the effort of surreptitiously installing hardware. However, if you're a Palestinian terrorist... You may just want to have someone else purchase/service your electronic devices, as the Israeli equivalent of the CIA has planted explosives in the cellphones of Palestinians (and successfully carried out assassinations this way.)

    --
    The society for a thought-free internet welcomes you.