Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Malicious replacement touchscreens could completely compromise phones, researchers demonstrate


Mobile users who substitute their damaged phone touchscreens or other hardware components with third-party replacements could be infecting their phones with malicious components that could allow attackers to completely compromise the device.

Indeed, after installing a replacement touchscreen containing a malicious microcontroller on a Huawei Nexus 6P smartphone, researchers Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren from Israel's Ben-Gurion University of the Negev proved they could perform a "touch injection attack" that records, exfiltrates, or injects touch events on a device, as well as a buffer overflow attack that lets the attacker execute arbitrary code within the privileged kernel.

In their research paper, which was publicly presented this month at a Canadian security conference, the researchers explain that combining these two techniques allowed them to conduct end-to-end attacks on the phone, including: maliciously installing software and apps into a device, taking a picture of the phone's user and exfiltrating the image via email, replacing a hand-typed URL with a phishing URL, and recording and exfiltrating the user's screen unlock pattern to an online whiteboard website. Worst of all, the researchers revealed that they could perform an attack that completely "compromises the phone, disables SELinux, and opens a reverse shell to a remote attacker."

The root cause of the problem, according to the research paper, is that third-party driver source code to support hardware components such as touchscreens is "integrated into the vendor's source code," and the "component driver's source code implicitly assumes that the component hardware is authentic and trustworthy," regardless of who supplies it. Consequently, there are very few integrity checks performed on communications between the phone processor and the component, allowing attackers to capitalize on this deficiency.

To mitigate this vulnerability and protect phones from malicious touchscreens, the researchers suggest implementing an I2C interface proxy firewall.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.