News

Research: Smartphones easy to attack with replacement components

By admin
Spread the love

A team of researchers warns that smartphones ‘trust’ the various internal components too easily. They state that a rogue parts manufacturer can easily provide a replacement screen with a chip that, for example, passes on user data.

According to the researchers, the problem lies in the fact that the central SOC of a smartphone unconditionally trusts the other hardware, such as the screen or the charging chip. Only external devices that are connected to the device via the USB port, for example, are subject to checks by the motherboard. The researchers argue that this dividing line between trusted and not immediately trusted is misplaced because malicious internal parts can also end up in a smartphone.

As part of the study, the researchers present a proof of concept that focuses on the screen and consists of two steps: a touch injection attack that mimics the user’s screen input and a buffer overflow attack that allows the attacker to execute commands. run with elevated privileges. According to their demonstrations, they manage to install malicious software and give it permissions, copy PINs, passwords and unlock patterns, and redirect users to phishing websites, among other things.

However, the researchers, a team of scientists from Ben-Gurion University in Israel, argue that arming phones against these types of attacks is not much of a challenge. An additional component that monitors traffic between the motherboard and the various daughterboards like a firewall should be enough to block malicious components.

However, being vigilant about rogue replacement parts is also a double-edged sword. Apple came under fire in 2016 after it turned out that an OS update disabled devices if they were equipped with an unofficial replacement home button, which also serves as a fingerprint sensor. After an update, the devices in question were usable again, but Touch ID remained disabled. Apple did so for the same security considerations that these researchers raise here.

Demonstration of the attacks on a Nexus 6P at factory settings (playlist of five videos)

You might also like
News

Apple has been working on its own search engine for years. It’s called…

News

Rumor: Apple is working on its own applications based on a large language model

News

EU Council determines position on security requirements for digital products

News

Citrix warns of critical vulnerability in NetScaler ADC and Gateway

News

Samsung develops first GDDR7 chips, mentions bandwidths of up to 32Gbit/s per pin

News

Microsoft announces Bing Chat Enterprise and Copilot pricing for businesses