Touchscreens and other components that are often replaced in smartphones and tablets can hide malicious chips capable of giving attackers complete control over the device, warned researchers at the Ben-Gurion University of the Negev.
Researchers conducted their experiments on two Android devices: a Huawei Nexus 6P smartphone which uses a touchscreen controller from Synaptics, and an LG G Pad 7.0 tablet that uses an Atmel controller. However, the experts believe many other devices are also vulnerable to these types of attacks, including ones made by Apple.
In their tests, the researchers used a hot air blower to separate the touchscreen controller from the main assembly board and access the copper pads. They then connected the pads to an integrated chip that manipulates the communication bus, effectively launching a chip-in-the-middle attack. STM32L432 and Arduino microcontrollers, which cost roughly $10 each, were used in the experiments.
The malicious chip can exploit vulnerabilities in the device driver to compromise the phone or tablet while ensuring that it does not stop functioning correctly.
Videos have been published to show how a malicious touchscreen can be used to install arbitrary software, take pictures with the camera and send them to the attacker via email, replace a legitimate URL with a phishing URL, capture and exfiltrate screen unlock patterns, and take complete control of the targeted device.
Completely hijacking a phone takes the longest, roughly 65 seconds, but some operations, such as replacing a URL, take less than one second to complete.
While attacks involving hardware replacements are not unheard of, the scenario described by the Ben-Gurion University researchers relies on replacing a component that has a limited hardware interface. It assumes that the repair technician installing the replacement screen is not involved and does not conduct any operations other than replacing the broken component with a malicious one that has been provided to them.
The researchers notified Google of the Synaptics device driver vulnerabilities in February, and patches were included in the June 2017 Android security updates. They are also working on notifying the developers of the Atmel device driver of the discovered issues.
The experts have also proposed a series of hardware-based countermeasures to prevent such attacks.