Abstract: In this preliminary study we present the first practical attack on a modern smartphone which is mounted through a malicious aftermarket replacement part (specifically, a replacement touchscreen). Our attack exploits the lax security checks on the packets traveling between the touchscreen’s embedded controller and the phone’s main CPU, and is able to achieve kernel-level code execution privileges on modern Android phones protected by SELinux. This attack is memory independent and survives data wipes and factory resets. We evaluate two phones from major vendors and present a proof-of-concept attack in actual hardware on one phone and an emulation level attack on the other. Through a semi-automated source code review of 26 recent Android phones from 8 different vendors, we believe that our attack vector can be applied to many other phones, and that it is very difficult to protect against. Similar attacks should also be possible on other smart devices such as printers, cameras and cars, which similarly contain user-replaceable sub-units.


Topic Group - Malicious component replacement: [SEMS 2017 (first results)] [WOOT 2017 (full attack)]