Screen repairs could result in hacked smartphones

Compromised components could be used to spy on users

Smartphone users have been warned that repaired devices could leave them vulnerable to spying by malicious actors.

Security researchers at the Ben-Gurion University of the Negev in Israel discovered that a replacement screen could harbour malware on a chip integrated with the display, allowing hackers to remotely control a smartphone or eavesdrop on conversations and messages.


In a YouTube video, the researchers set up a demonstration of the problem using a Huawei Nexus 6P and an LG G Pad 7.0. Both were fitted with a screen modified with a chip that allowed the researchers to access systems on the devices.

The modified screen could snoop on anything entered on a keyboard, direct victims to phishing websites and install rogue apps, as well as use the phone's camera to take pictures. Other attacks allowed researchers to control the operating system of the devices. The modified screens appear identical to those made by the phone manufacturers themselves.

"In contrast to 'pluggable' drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor," said researchers.


In an accompanying research paper, they said that the threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. 

"Attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques. A well-motivated adversary may be fully capable of mounting such attacks in a large-scale or against specific targets. System designers should consider replacement components to be outside the phone's trust boundary, and design their defences accordingly," said the researchers.
