Hacking Your Phone’s Touchscreen

We often think of the need to authenticate the external parties, or the external systems, that our customers and corporate systems interact with. We could rely on trust, but networks that depend on trust suffer vulnerabilities which bad people will exploit. Now some academics working at Israel’s Ben-Gurion University of the Negev say we should also authenticate separate components of the same device. They use a striking example: if you cracked your smartphone screen, and replaced it with a new one, how do you know the replacement touchscreen has not been compromised already, and will not be used by criminals to control your phone?

In a new paper entitled “From Smashed Screens to Smashed Stacks: Attacking Mobile Phones Using Malicious Aftermarket Parts”, the researchers Omer Shwartz, Guy Shitrit, Asaf Shabtai and Yossi Oren explain how they used malicious touchscreen hardware to execute commands and gather data from an average Android phone. The following video demonstrates how they used a touchscreen to install malware.

The risks are obvious, and getting worse thanks to the proliferation of the internet of things. Hardware components like screens and NFC readers may be produced by third parties instead of the big phone manufacturers, but there are few checks on the inputs and outputs flowing between the component and the main device.

Imagine a scenario where a customer is wailing that they never visited a phishing website, they never shared their password, they never made those calls and never downloaded that malware… and they never did, because the touchscreen on their phone did it without their knowledge. The customer experience will be terrible but the telco may take the blame – and be lumbered with ‘compensating’ the customer for their losses. This is yet another example where the telecoms service provider is at risk, even though the fault lies elsewhere.

To learn more, you may start by visiting the dedicated website set up by the research team.

Eric Priezkalns
Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.   Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.   Commsrisk is edited by Eric. Look here for more about Eric's history as editor.
  • Akrittok

    There was a story a while back about Microsoft laptops being shipped with malware on straight from the production line in China.
    This point is valid and quite problematic, and does not concern HW only.
    Blockchain will help things once it gets more adoption. But telco processes are way behind on this.