Replacing a screen can get your phone hacked


If you're a long-time smartphone user, there's a pretty good chance that you've experienced the "pleasures" of getting a cracked touchscreen. It happens to the best of us - after all, phone displays are made out of glass, a material that tends to shatter when dropped, even if it carries the "Gorilla" branding.

After such an incident occurs, some learn to peacefully coexist with the spider web pattern on their display (if it remains functional), others just go out and buy a new handset, while quite a few people also choose to stop by a repair shop and get a replacement screen installed. Going for this third option might seem like a sensible thing to do, but it turns out that it might completely compromise the security of your phone.

In a recently published paper, Israeli researchers from the Ben-Gurion University of the Negev highlighted the threat of malicious peripherals existing inside consumer electronics. The team was able to booby-trap a third-party smartphone replacement screen. This was done with the help of a chip that can manipulate the data transfer from the device's hardware to the software drivers within the OS.

The code found on this chip can be used to install malicious apps, replace user-selected URLs with phishing URLs, log unlock patterns and keyboard inputs, and even take pictures of the user and forward them via e-mail. The nasty peripheral can even turn off the power of the screen while the above actions are performed. Furthermore, the researchers claim that this "chip-in-the-middle" attack was performed with parts that cost less than $10 and can easily be mass-produced. To put the cherry on the cake, these booby-trapped displays can apparently be made to look identical to their stock counterparts and are invisible to most detection techniques, as the process is file-less.

In the demonstration video (see below), one can see this method working on the Huawei Nexus 6P, but the researchers warn that iOS devices can be hacked just as easily. While the team also outlined several low-cost countermeasures which manufacturers can employ to combat such malicious peripherals, it is currently unknown when or if these will be implemented. As such, it would be advisable to stick to certified parts and service shops for the time being. 


Source: Yossi Oren via Engadget


5 Comments

1. MINDoSOUL

Posts: 322; Member since: Feb 28, 2014

You don't have to replace your screen for this to be used, just buy a new device, put the chip in it, then put the device back in its pristine condition. Give the device as a gift to the person you want to scam and blackmail. You are welcome! Remember there is nothing for free!

2. yann

Posts: 609; Member since: Jul 15, 2010

@PA - are you making an advertisement for Apple's "Right to repair" case? Defending Apple trying to monopolize repair service too?

3. Riki_Baker

Posts: 2; Member since: Aug 21, 2017

I'd love to see some proof and facts that show an Arduino being squeezed into a smartphone's chassis and applied to real world use. Possible? Yes. A reason not to use third party repairs? No - and there's no proof in the article, source article or Engadget's article to say as much. Can you update the article with the 'cherry on the cake' please because without that it all seems like a big fuss about nothing. Scaremongering at the very best. A smartphone screen could also be used as a paddle for a canoe - if I write up a study of using various screens as paddles and then make various 'claims' can we have an article on that as well?

4. Nine1Sickness

Posts: 896; Member since: Jan 30, 2011

Google and YouTube it. There are plenty of articles on Google and videos on YouTube where hackers were able to fit an Arduino Uno into an Apple Watch.

5. Riki_Baker

Posts: 2; Member since: Aug 21, 2017

It is not possible to fit an Arduino Uno into the inside of a functional Apple Watch without making modifications to the watch that would be noticeable. There is no space within the watch to house it, much like there is no spare space within a smartphone to house the Arduino in the linked study.
