Screen repairs could result in hacked smartphones
Compromised components could be used to spy on users
Smartphone users have been warned that repaired devices could leave them vulnerable to spying my malicious actors.
Security researchers at the Ben-Gurion University of the Negev in Israel discovered that replacement screens could harbour malware on a chip integrated with the display that could allow hackers to remotely control a smartphone or eavesdrop on conversations and messages.
In a YouTube video, the researchers set up a demonstration of the problem using a Huawei Nexus 6P and an LG G Pad 7.0. Both were fitted with a screen modified with a chip that allowed them to access systems on the devices.
The modified screen could snoop on anything entered on a keyboard, direct victims to phishing websites and install rogue apps, as well as use the phone's camera to take pictures. Other attacks allowed researchers to control the operating system of the devices. The modified screens appear identical to those made by the phone manufacturers themselves.
"In contrast to 'pluggable' drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor," said researchers.
In an accompanying research paper, they said that the threat of a malicious peripheral existing inside consumer electronics should not be taken lightly.
"Attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques. A well-motivated adversary may be fully capable of mounting such attacks in a large-scale or against specific targets. System designers should consider replacement components to be outside the phone's trust boundary, and design their defences accordingly," said the researchers.
What you need to know about migrating to SAP S/4HANA
Factors to assess how and when to begin migrationDownload now
Your enterprise cloud solutions guide
Infrastructure designed to meet your company's IT needs for next-generation cloud applicationsDownload now
Testing for compliance just became easier
How you can use technology to ensure compliance in your organisationDownload now
Best practices for implementing security awareness training
How to develop a security awareness programme that will actually change behaviourDownload now