Can we trust where Smartphone Manufacturers source their Components?

The Woot 17 Conference had some interesting topics on its agenda from 16 to 18 August 2017. It released its workshop papers on a free, open source basis because it wants a wider public to benefit from research. Today, we focus on a report titled ‘Shattered Trust: When Replacement Smartphone Components Attack’ by researchers from Ben Gurion University.

They question whether we are right to trust non-franchise repairers with our phones just because they may be cheaper. They are concerned that smartphone manufacturers buy in some components from third parties. These could include near field communication readers, wireless controlling chargers and orientation sensors. Hence, they are not in control of cowboy phone repairers that source them directly from component manufacturers.

How a Cowboy Phone Repairer Could Hack Your Phone
We wish we were there ourselves and could report directly. Hence, we are grateful for input from Ars Technica we acknowledge freely. The researchers simulated two standalone attacks using malicious touchscreen hardware, with secret chips that compromised a stock Android phone.

Their two ‘victims’ were a Huawei Nexus 6P, and a LG G Pad 7.0. In both instances, they replaced the screens with ones they had tampered with. Then they were able to log keyboard patterns and inputs covertly, upload malware apps, and even take pictures and email them back to them. This suggests a targeted phone user’s privacy could literally go out the window.

Worse still, the malicious parts ‘booby trapping the screens cost less than $10 and bypassed the phones’ on-board security features. Moreover, the devices – which were potentially open to mass-manufacture – were ‘indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness.’ Only a skilled technician might be able to detect them if they took the device apart.

The Research Serves to Highlight a Security Disparity
The researchers confirm the original phone manufacturers ‘closely guard’ the iOS and Android operating systems, and that they remain within a ‘trust boundary’ until they leave the works in a sealed box. It is also safe to assume the hardware is similarly reliable, provided the manufacturers maintain their quality systems intact.

The disparity takes over as soon as a third party services their product outside the trust boundary, because this not under their sphere of control. The researchers conclude, “The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques.

“A well-motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone’s trust boundary, and design their defences accordingly.

The ‘Chip-in-the-Middle’ Basis Behind The Successful Attacks
The Ben Gurion University researchers embedded a chip in a normal, standard touchscreen. This affected the communication bus responsible for transferring data from the device hardware to the software drivers in the operating system. The malicious integrated circuit placed between the two dimensions was able to modify, monitor, or interfere with their communications.

This chip-in-the-middle contained code able to covertly complete actions not initiated by the phone user. It could, for example unlock patterns and keyboard inputs, take photos and relay them, substitute phishing urls, and remotely install apps without the phone owner knowing this happened.

A hot air blower was all the researchers needed to separate the touchscreen controllers so they could connect the chips. They suggest a variety of countermeasures they think phone manufacturers should take. They also think the industry needs a certification program for aftermarket parts. We had no idea how wide open we were until we uncovered the research.