Mobile users who replace a damaged phone touchscreen or other hardware component with a third-party part could be introducing a malicious component into their phone, one that allows an attacker to completely compromise the device.
Indeed, after installing a replacement touchscreen containing a malicious microcontroller on a Huawei Nexus 6P smartphone, researchers Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren from Israel's Ben-Gurion University of the Negev proved they could perform a "touch injection attack" that records, exfiltrates, or injects touch events on a device, as well as a buffer overflow attack that lets the attacker execute arbitrary code within the privileged kernel.
In their research paper, which was publicly presented this month at a Canadian security conference, the researchers explain that combining these two techniques allowed them to conduct end-to-end attacks on the phone, including: maliciously installing software and apps into a device, taking a picture of the phone's user and exfiltrating the image via email, replacing a hand-typed URL with a phishing URL, and recording and exfiltrating the user's screen unlock pattern to an online whiteboard website. Worst of all, the researchers revealed that they could perform an attack that completely "compromises the phone, disables SELinux, and opens a reverse shell to a remote attacker."
The root cause of the problem, according to the research paper, is that third-party driver source code supporting hardware components such as touchscreens is "integrated into the vendor's source code," and the "component driver's source code implicitly assumes that the component hardware is authentic and trustworthy," regardless of who supplies it. Consequently, very few integrity checks are performed on the communication between the phone's processor and the component, and a malicious replacement part can exploit that gap.
To mitigate this vulnerability and protect phones from malicious touchscreens, the researchers suggest implementing an I2C interface proxy firewall.
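The two points above, a driver that trusts whatever the component sends and a proxy firewall that validates the component's traffic, can be shown together in a small defensive sketch. The following C is an added example written for this article, not code from the paper or from any vendor driver; the frame layout, the panel resolution and the function names are assumptions constructed for the illustration.

```c
/* Added example, not code from the paper or any vendor driver: a minimal
 * I2C proxy-firewall check for touch-report frames. Frame layout is an
 * assumption for this example: byte 0 = declared length, byte 1 = point
 * count, then per point x (2 bytes LE) and y (2 bytes LE). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SCREEN_W   1440   /* assumed panel resolution */
#define SCREEN_H   2560
#define MAX_POINTS 10
#define MAX_FRAME  (2 + 4 * MAX_POINTS)

enum fw_verdict { FW_ALLOW = 0, FW_BAD_LENGTH, FW_TOO_MANY_POINTS, FW_OUT_OF_BOUNDS };

/* Validate one frame before forwarding it to the host driver. */
enum fw_verdict fw_check_frame(const uint8_t *frame, size_t len)
{
    if (len < 2 || len > MAX_FRAME || frame[0] != len)
        return FW_BAD_LENGTH;            /* declared length must match the wire */
    uint8_t n = frame[1];
    if (n > MAX_POINTS)
        return FW_TOO_MANY_POINTS;
    if ((size_t)(2 + 4 * n) != len)
        return FW_BAD_LENGTH;            /* payload must match the point count */
    for (uint8_t i = 0; i < n; i++) {
        const uint8_t *p = frame + 2 + 4 * i;
        uint16_t x = (uint16_t)(p[0] | (p[1] << 8));
        uint16_t y = (uint16_t)(p[2] | (p[3] << 8));
        if (x >= SCREEN_W || y >= SCREEN_H)
            return FW_OUT_OF_BOUNDS;     /* genuine hardware never reports off-panel touches */
    }
    return FW_ALLOW;
}

/* Host-side copy that accepts only a frame the firewall has verified,
 * bounded by the destination size rather than by the device's own claim. */
size_t driver_copy_report(uint8_t *dst, size_t dstlen,
                          const uint8_t *frame, size_t len)
{
    if (len > dstlen || fw_check_frame(frame, len) != FW_ALLOW)
        return 0;                        /* drop the report instead of overflowing */
    memcpy(dst, frame, len);
    return len;
}
```

The important property is that neither the length nor the coordinates supplied by the component are trusted before they are used; a driver that copied `frame[0]` bytes into a fixed buffer would have exactly the trust assumption the paper describes.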