Replacement screens for cracked smartphones bought from third party vendors could leave you vulnerable to hackers, a new study has revealed.
The research, carried out by Israel’s Ben-Gurion University of the Negev, has shown how hackers can use replacement screens to override and steal data from the refurbished phones.
Worryingly for users, the attack on these devices is almost unnoticeable to the owner and works via a malicious chip that is embedded into the new replacement touch screen.
The study outlined just how hard it is to catch the hack even when it is attacking the device, “the threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques.”
Tested on two separate Android devices: the Huawei Nexus 6P and the LG G Pad 7.0, the researchers were able to take control of the phones using the embedded malicious chip.
They then revealed how the hacked devices could be used to take a photo of the user and forward it to the would be hackers.
The findings were presented in a paper at the 2017 Usenix Workshop on Offensive Technologies in Vancouver, Canada. The event took place in mid-August and also highlighted how the compromised touch screens logged keyboard input and patterns, along with exploiting the operating system vulnerabilities of the devices in question.
According to research carried out in 2015 more than half of the people with a smartphone had damaged their screen at least once while 21% of smartphone users reported using their devices with a cracked screen.
So people are faced with the real possibility of either using a cracked screen device or taking their damaged phone back to official merchants. This can often prove to be too expensive for some people leaving them with no option but to resort to buying third-party screens online through websites such as eBay or taking their phones to unofficial vendors.
These replacement pieces can often cost as little as €10 but can lead to the loss of valuable data and personal information.
With the knowledge that many smartphone owners do resort to third party merchants the researchers have outlined how phone companies need to build devices that reflect this weakness in the product, “a well-motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone’s trust boundary, and design their defenses accordingly,” stated the researchers.
written by Shane Curtis, ESET We Live Security