Hacking smartphones with malicious replacement parts

Smartphone users can now add a new entry to the list of things they need to worry about: their phones being compromised via replacement parts.

A group of researchers from Ben-Gurion University of the Negev has demonstrated that hardware replacements – e.g. touchscreens, NFC readers, wireless charging controllers, and so on – can be equipped with a chip that is capable of manipulating the device’s communication.

And even though they haven’t gone through the trouble of doing so, they say that the whole setup can easily be made to be small enough to fit into the device, making it practically impossible for the user to discover that something is amiss.

In fact, even the person that repairs the device could be in the dark about the modification, as the replacement parts are often produced by third-party manufacturers, and are not usually checked for tampering before being installed.

Successful attacks

“Hardware replacement is traditionally considered a strong attack model, under which almost any attack is possible,” the researchers noted. But their research focused on the feasibility of attacks that depend on only one “malicious” component with an extremely limited hardware interface.

They tested three different attacks, using an experimental setup based on a low-cost micro-controller embedded in-line with the touch controller communication bus.

In the first one, they managed to impersonate the user by injecting touch events into the communication bus. This allows the installation of software, the modification of the device configuration, etc.

In the second one, they demonstrated that an attacker can log touch events related to sensitive operations (lock screen patterns, credentials, passwords).

In the third one, they proved that by sending crafted data to the phone over the touch controller in- terface, an attacker can exploit vulnerabilities within the device driver and gain kernel execution capabilities.

They tested the attacks on a Huawei Nexus 6P smartphone and a LG G Pad 7.0 tablet (both running Android), but it’s likely that they would also work against devices running iOS.

Possible protection

The researchers believe that threat of a malicious peripheral existing inside consumer electronics should not be taken lightly.

“A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone’s trust boundary, and design their defenses accordingly.”

In this particular case (they tested the attacks by using a malicious replacement screen), a good way to prevent compromises would be a I2C interface proxy firewall – a low-cost, hardware-based solution.

“Such a firewall can monitor the communication of the I2C interfaces and protect the device from attacks originating from the malicious screen. Placing this device on the motherboard means that it will not be affected by malicious component replacement. The use of a hardware countermeasure allows for protection against both added malicious components and modified firmware attacks. It may also detect malicious behavior of firmware code that was modified by an insider and may be officially signed or encrypted,” they pointed out.

The final reason why it would be the perfect solution is that it does not require any changes on the CPU or component side.