Touchscreens ‘at risk from chip in the middle attack’, warn researchers

Using non-official (or even completely dodgy aftermarket) parts for do-it-yourself repairs historically has just meant, at worst, accepting some risk for the shelf life of your appliance. But smartphones, with all their unfettered access to our lives, are a very tempting target for attackers, and new research shows that even shattered screen or battery replacement mall kiosks could potentially introduce new risks to our privacy.

The research, called “Shattered Trust: When Replacement Smartphone Components Attack,” by researchers at the Ben-Gurion Univesity of the Negev in Israel raises the possibility that someone with hardware know-how could cause serious harm to a smartphone owner who takes their phone in for repairs or tries to DIY with compromised parts.

Reseachers published a proof-of-concept that it is possible for an attacker, who merely need access to inexpensive hardware and a smartphone (say, one that’s in the shop for repairs) to replace the old touchscreen with one that’s malicious — in other words, it has additional hardware sneakily installed to aid the attacker.

The malicious touchscreen could be used to intercept and record the phone’s unlock code, modify permissions and configurations, download malicious apps, redirect web browsers to phishing pages, and even attack device drivers to completely compromise the phone. They’re calling this “chip-in-the-middle” attack, after the man-in-the-middle attack, where an attacker intercepts web traffic to monitor and even redirect the browsing of an unwitting victim.

The chip-in-the-middle proof of concept isn’t exactly subtle in its current state: There are a lot of wires and chipsets hanging out of the opened phone assembly:

The proof-of-concept was modeled on an Android phone, so it’s not known if an Apple phone is as vulnerable to the same methods of attack. So — as far as we know — trying to use this attack vector isn’t yet viable in a subtle way.

However, the researchers argue that it’s only a matter of time and effort for someone to miniaturize the attack they’ve modeled, and it is absolutely possible for someone to fit the chipset into the tight spaces of a smartphone.

How big a problem could this be? From the paper itself:

Conservative estimates assume that there are about 2bn smartphones in circulation today. Assuming that 20% of these smartphones have undergone screen replacement, there are on the order of 400m smartphones with replacement screens in the world. An attack which compromises even a small fraction of these smartphones through malicious components will have a rank comparable to that of the largest PC-based botnets.

This is undoubtedly the argument that “walled garden” hardware and software advocates, like Apple, will continue to make, perhaps with the CitM attack being cited as a prime reason why they, the OEM (original equipment manufacturer), should have sole control over the hardware supply chain: stricter controls over hardware manfuacturing and quality control, dedicated diligence to try to prevent an outside force from manipulating hardware for devious means.

However, a key point raised in the research is that a number of hardware components made for smartphones, including the charging cables and touchscreen, are already not manufactured under the control of the phone vendor, and counterfeit parts abound for Apple and Google phones alike — meaning the genie is already out of the bottle on that front.

The research isn’t meant to stoke fears about third-party repairs; rather, it’s a call for increased diligence by phonemakers to recognize that compromised hardware has been and will continue to be a real possibility, and that phones should not automatically assume that the hardware it is using is 100% trustworthy.

Instead, the researchers call for “hardware-based countermeasures”, including a proxy firewall to intercept attacks from the screen and protect the rest of the device. The paper says:

Placing this device on the motherboard means that it will not be affected by malicious component replacement.

If you want to see proofs of the concept for yourself, the researchers modeled several of the attacks on video: