Hackers Can Hijack Phones via Replacement Screens: Researchers

Touchscreens and other components that are often replaced in smartphones and tablets can hide malicious chips capable of giving attackers complete control over the device, warned researchers at the Ben-Gurion University of the Negev.

Researchers conducted their experiments on two Android devices: a Huawei Nexus 6P smartphone that uses a touchscreen controller from Synaptics, and an LG G Pad 7.0 tablet that uses an Atmel controller. However, the experts believe many other devices are also vulnerable to these types of attacks, including ones made by Apple.

In their tests, the researchers used a hot air blower to separate the touchscreen controller from the main assembly board and access the copper pads. They then connected the pads to an integrated chip that manipulates the communication bus, effectively launching a chip-in-the-middle attack. STM32L432 and Arduino microcontrollers, which cost roughly $10 each, were used in the experiments.

The malicious chip can exploit vulnerabilities in the device driver to compromise the phone or tablet while ensuring that the device continues to function correctly.

Videos have been published to show how a malicious touchscreen can be used to install arbitrary software, take pictures with the camera and send them to the attacker via email, replace a legitimate URL with a phishing URL, capture and exfiltrate screen unlock patterns, and take complete control of the targeted device.

Completely hijacking a phone takes the longest, roughly 65 seconds, but some operations, such as replacing a URL, take less than one second to complete.

While attacks involving hardware replacements are not unheard of, the scenario described by the Ben-Gurion University researchers relies on replacing a component with a limited hardware interface. It assumes that the repair technician installing the replacement screen is not involved and does not conduct any operations other than replacing the broken component with a malicious one that has been provided to them.

The researchers notified Google of the Synaptics device driver vulnerabilities in February, and patches were included in the June 2017 Android security updates. They are also working on notifying the developers of the Atmel device driver of the discovered issues.

The experts have also proposed a series of hardware-based countermeasures to prevent such attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
