People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device.

The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

The research, in a paper presented this week at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary." The factory-installed hardware that communicates with the drivers is similarly assumed to be trustworthy, as long as the manufacturer safeguards its supply chain. The security model breaks down as soon as a phone is serviced in a third-party repair shop, where there's no reliable way to certify replacement parts haven't been modified.

The researchers, from Ben-Gurion University of the Negev, wrote:

The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques. A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone’s trust boundary, and design their defenses accordingly.

Chip-in-the-middle attack

To pull off the attacks, the researchers started with a normal touchscreen and embedded a chip in it that manipulates the communication bus, which transfers data from device hardware to the software drivers included with the OS. This technique simulates a "chip-in-the-middle" attack, in which a malicious integrated circuit sits between two end points and monitors or modifies the communications they exchange.

The malicious chip contains code required to surreptitiously carry out a variety of actions the end user never initiated. The researchers' booby-trapped touchscreen, for instance, logs unlock patterns and keyboard input, takes pictures of the user and sends them to the attacker, replaces user-selected URLs with phishing URLs, and installs apps of the attacker's choice. A second class of attacks uses the chip to exploit vulnerabilities in the OS kernel. To keep the attack stealthy, the chip can also turn off power to the display panel while the uninitiated actions are performed. (In the following demonstration videos, researchers left the display on, presumably to make it clearer how the attack worked.)

To send malicious commands to the drivers and touch screen, the researchers used an Arduino platform running on an ATmega328 micro-controller module. They also used an STM32L432 micro-controller and believe that most other general-purpose micro-controllers would also work. The researchers used a hot air blower to separate the touch screen controller from the main assembly and, with that, to gain access to the copper pads that connected them. They then connected the chips to the devices using wires that extended out of the phone. With slightly more work, the researchers believe the entire booby-trapped replacement part could be seamlessly hidden inside a reassembled phone.

Not just for Androids

While the researchers used Android phones for their demonstration, there's no reason similar techniques wouldn't work against tablets and phones running iOS. The researchers outline a series of low-cost hardware-based countermeasures manufacturers can implement that would protect devices from attacks that rely on malicious screens. The hardware countermeasures would have the added benefit of protecting against attacks that use modified firmware. Another defense might be for replacement parts to undergo some sort of certification process.

In one respect, it's unsurprising that someone with physical possession of a phone can severely compromise its security with almost no outward sign. Still, the demonstration makes a convincing case that these types of attacks are inexpensive, undetectable, and able to be carried out on a large scale. With one survey suggesting one in five smartphones may have a cracked screen and a plethora of third-party repair shop services that fix those problems, the threat of malicious replacement parts that can't be detected by the service technicians themselves is worth remembering.