Smashed touchscreens 'latest hack vulnerability'

Smashed touchscreen is ‘latest hack vulnerability’

On:Monday, 4 September, 2017

Cybersecurity researchers from an Israeli university have discovered yet another hacking vulnerability in smartphones, this time in replacements for broken touchscreens.

We’re inundated with warnings about our phones being low security and easy access, but this latest weakness is a surprise even to journalists at SIMOnlyDeals.co.uk.

Screens are fragile things and if you repeatedly drop your phone there’s a decent chance you’ll end up with a nasty case of the splits and cracks.

In fact, more than half of all smartphone users globally admit to having accidentally smashed their touchscreens.

Four researchers at Israel’s Ben-Gurion University found that hackers could potentially exploit a security weakness in screens that were not replaced by the manufacturer.

It’s common to search for online or local repairs for touchscreens because of the prohibitive cost of getting a new one direct from Apple, Samsung or any of the other major manufacturers.

But the fear is now real that replacement parts installed by repair shops – whether they know it or not – could contain malicious hardware that could hijack your phone.

Researchers Omar Shwartz, Amir Cohen, Asaf Shabtai and Yossi Oren presented their findings in Shattered Trust: When Replacement Smartphone Components Attack, showing how they were able to place a hostile chip at the heart of that hardware.

The implanted chip managed to get access to typed inputs and send the hacked info back to the university, using the same kind of systems that keylogging malware does on computers.

The white-hat hackers were able to log passwords, take pictures and email them to themselves as well.

Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers and NFC readers, are often produced by third-party manufacturers and not by the phone vendors themselves.

As a result of this trust, very few integrity checks are performed on the communications between the component and the device’s main processor.

In this paper, we call this trust into question, considering the fact that touchscreens are often shattered and then replaced with aftermarket components of questionable origin.

We construct two standalone attacks, based on malicious touchscreen hardware, that function as building blocks toward a full attack: a series of touch injection attacks that allow the touchscreen to impersonate the user and exfiltrate data, and a buffer overflow attack that lets the attacker execute privileged operations.

Combining the two building blocks, we present and evaluate a series of end-to-end attacks that can severely compromise a stock Android phone with standard firmware.

The most worrying component of all of this is that hacked touchscreens could be near-impossible to detect.

Unless technicians took the phone to pieces and inspected each individual component, it would be very difficult to distinguish between the hacked element.

The answer must be more training for manufacturers and service techs who are in charge of handling your phone’s data security.

MAIN IMAGE: Daniel Oines/Flickr