Have you ever had your smartphone’s display replaced? We bet you have. After all, more than half of all smartphone owners have, at some point, had to have a display replaced following a breakage, and as phones with smaller and smaller bezels and larger and larger screens become the norm, breaking a display is set to become something we may all be familiar with.
Unfortunately, getting displays replaced can be a costly experience, but did you ever consider that it may also jeopardize your device’s security? Probably not.
As it turns out, though, if you have a display fitted by the wrong people, then that is exactly what can happen, according to a new paper published by the Ben-Gurion University of the Negev and shared by Ars Technica. The paper outlines simulated attacks in which a display is compromised by a malicious chip embedded into a third-party screen.
“Our attack assumes that the phone’s touch controller had been replaced with a malicious component, but that the rest of the hardware and software on the phone is authentic and trusted,” one of the researchers involved in the paper wrote.
The appeal of such an approach for hackers is that it would be very difficult to detect while also potentially giving them unfettered access to data, including photos. Such a hack would also continue to work no matter which software updates are applied or how many restarts or resets are carried out.
A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone’s trust boundary, and design their defenses accordingly.
The simulated attacks were carried out on a Huawei Nexus 6P and LG G Pad 7.0, although other smartphones and tablets would be susceptible. The chances of you falling foul of such an attack are extremely remote, of course, but not impossible. People have done much more outlandish things to get their hands on things they shouldn’t have before now.