Monday August 21, 2017

Malicious Smartphone Replacement Parts

A group of researchers from Israel's Ben-Gurion University of the Negev has shown how aftermarket parts for smartphones, such as replacement screens, could be used to attack the device, or impersonate the user and exfiltrate data. The group has demonstrated that because most phones do not have a security check on their display hardware, a replacement screen fitted with a microcontroller can be used to compromise a smartphone.

Pretty scary stuff when you think of how many screen replacements are done each year, and how many smartphone repair shops have popped up all over the place. That said, having qualified or approved hardware for replacement parts will be pretty tricky to implement without compromising the ability to repair your devices. The full article can be found here.

The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques. A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone's trust boundary, and design their defenses accordingly.
