We often think of the need to authenticate the external parties, or the external systems, that our customers and corporate systems interact with. We could rely on trust, but networks that depend on trust suffer vulnerabilities which bad people will exploit. Now some academics working at Israel’s Ben-Gurion University of the Negev say we should also authenticate separate components of the same device. They use a striking example: if you cracked your smartphone screen, and replaced it with a new one, how do you know the replacement touchscreen has not been compromised already, and will not be used by criminals to control your phone?
In a new paper entitled “From Smashed Screens to Smashed Stacks: Attacking Mobile Phones Using Malicious Aftermarket Parts”, the researchers Omer Shwartz, Guy Shitrit, Asaf Shabtai and Yossi Oren explain how they used malicious touchscreen hardware to execute commands and gather data from an average Android phone. The following video demonstrates how they used a touchscreen to install malware.
The risks are obvious, and getting worse thanks to the proliferation of the internet of things. Hardware components like screens and NFC readers may be produced by third parties instead of the big phone manufacturers, but there are few checks on the inputs and outputs flowing between the component and the main device.
Imagine a scenario where a customer is wailing that they never visited a phishing website, they never shared their password, they never made those calls and never downloaded that malware… and they never did, because the touchscreen on their phone did it without their knowledge. The customer experience will be terrible but the telco may take the blame – and be lumbered with ‘compensating’ the customer for their losses. This is yet another example where the telecoms service provider is at risk, even though the fault lies elsewhere.
To learn more, you may start by visiting the dedicated website set up by the research team.