back to article How to pwn phones with shady replacement parts

A group of researchers has shown how, for instance, a repair shop could siphon data from Android handsets or infect them with malware with nothing more than a screen repair. Omer Shwartz, Amir Cohen, Asaf Shabtai and Yossi Oren, all from Israel's Ben-Gurion University of the Negev, this week warn that smartphone makers are not …

  1. Paratrooping Parrot
    Mushroom

    Fantastic way to make phones unrepairable

    This seems to be the way to make sure that only the manufacturers can repair phones. No more cheap phone repairs, just make sure everyone chucks their old phones away to buy new ones, or pay over the odds so then Apple or Samsung or their partners can repair phones.

  2. SuccessCase

    Re: Fantastic way to make phones unrepairable

    "This seems to be the way to make sure that only the manufacturers can repair phones."

    "The way" being reality. You have just anthropomorphised an inconvenient fact, presumably to make it sound like the manufacturer is an evil actor "doing this" to make us have to pay more.

  3. Blotto

    Re: Fantastic way to make phones unrepairable

    @Paratrooping Parot

    Ffs, Do you want your portable device to be vulnerable to attack or not?

    It's not the phone manufacturers coming up with compromised replacable parts.

    Get the genuine oem stuff from the manufacturer or its approved resellers, not the shady cheaper , no recognisable brand thing off eBay arriving from some unknown Chinese seller at a fraction of the price.

    It's like when a company outsources their IT to a developing nation, on paper it's the same tasks being performed but we all know the quality will be vastly different, and who knows what back doors are being left wide open exposing company data to all.

    I'm reminded of that golf advert, the dealer closing a car door and saying "see it sounds just like a golf", the girl looking back as if to say no chance.

  4. macjules Silver badge

    Re: Fantastic way to make phones unrepairable

    And talking of which, Samsung just re-re-released the Note 7. This time as the Note Fanboi Edition, or Note FE and made with salvaged parts from the Note 7. Hopefully not the battery.

  5. Anonymous Coward
    Anonymous Coward

    Re: Fantastic way to make phones unrepairable

    @Blotto

    Not all manufacturers will sell parts for repairs on the open market and only permit authorised repairers to get their hands on them.

  6. Anonymous Coward
    Anonymous Coward

    This is news?

    I remember working for PC repair shops back in the mid-2000's, and it was (and still is) a common request to have your hard drive checked for malware. But in doing so that also implicitly grants access to your files, and so the shady repair shops could use that as a way to siphon your data.

    So why are we getting worked up over the same thing happening to smartphones? It's been common knowledge for a long time that on Android you can access the entire storage by plugging it into a USB port while in the fastboot or recovery modes, and every non-Google OEM does their firmware flashes over USB with similarly-designed proprietary tools. I believe Apple has similar methods to download firmware at the factory, but I don't use iOS devices and can't confirm.

    Physical access has always been a guaranteed method for pwning a device. This isn't surprising or newsworthy.

  7. Paul Crawford Silver badge

    Re: This is news?

    I am also thinking, why would they do this? As in, why would a cheap repair shop be using more expensive parts to compromise phones that are probably mostly used by customers on lower budgets?

    Sure it might make sense to do such a nefarious swap on some drug baron's phone to bypass security as part of a CIA sting operation, but I don't see enough general revenue for the risks to make a cheap repair shop go down that route. Not with Google already whoring most of your data from advertiser to advertiser as a "legitimate" business.

  8. moiety

    Re: This is news?

    Surely any drug baron worthy of the name is going to be using burner phones and chucking them at intervals? Repair isn't something that would happen.

    Might be worth doing for the shop if they could extract identity/financial data to sell on.

  9. Anonymous Coward
    Anonymous Coward

    Re: This is news?

    Except connecting via ADB doesnt decrypt the volume containing personal stuff on most phones, just allows low level access to the OS.

    At best you could plant malware but you'll struggle to siphon data off in a lot of cases.

  10. Ken Hagan Gold badge

    Re: This is news?

    "At best you could plant malware but you'll struggle to siphon data off in a lot of cases."

    That's what the malware would be for. After the user has done their thing to decrypt the drive, your malware can siphon whatever it likes.

  11. BebopWeBop Silver badge

    Having bust the screen on my iPhone (OK....) before taking ti to be repaired at the local moderately cheap screen repairer I was careful to wipe the phone (not that any dodgy images I might have had would titillate anyone other than a landscape fetishist). I was very pleased to see them ask whether I had and suggest that if I had not I should do so and then bring it back. Now they might have been careful make them wary because of previous problems with their own staff (small), but I like to think that they were simply covering their (and their customers) backs.

  12. Anonymous Coward
    Anonymous Coward

    I would be out of business in two shakes of a duck's tail should I even suggest customers wipe their devices to get their screen replaced.

  13. Anonymous Coward
    Anonymous Coward

    I would be out of business in two shakes of a duck's tail should I even suggest customers wipe their devices to get their screen replaced.

    And I would if I did not because my customers trust us to protect their privacy in every move we make - in other words, they would become very concerned if we did not ask that question. It simply depends on who your customers are and what they expect of you.

  14. redpawn Silver badge

    Identify and Warn

    Let the user know that a part has been replaced and give them the opportunity to green light the part if they so desire.

  15. John Smith 19 Gold badge
    Childcatcher

    sounds like a great way to extend the mfg ID chip on some printer cartridges to phones

    Y'know, for your own good.

    Yes I understand the theory.

    No I do not want.

  16. Updraft102 Silver badge

    So just pop out the Micro SD card containing all your personal stuff and...

    Ohh, right.

  17. mark l 2 Silver badge

    If someone has physical access to my device then I assume that someone with sufficient technical knowledge can gain access to the contents. The only thing I have on there that would be of concern to someone tampering is my banking app.

    I am more concerned with manufacturers fixing remote exploits that affect millions of handsets than something that will only affect a small number of devices.

    But then again I usually buy low end phones that cost about 100 quid so if the screen breaks its probably cheaper to just go and buy a new phone.

  18. Trilkhai

    Or repair it yourself

    I usually buy low-end or used phones that cost a little over half that much, but I fix/replace any bad parts myself if at all possible, since most of the repairs are pretty simple. My logic is that if hardware is damaged enough that it needs a professional to work on it, then whatever problem I'm noticing is likely just the tip of the clusterfuck, and in that case I just sell it as-is for parts.

  19. Jonathan 27

    I really disagree with the conclusions here, why is it the manufacturer's duty to guard against the possible evils of third party hardware? It's the customer's choice to go which cheap knock-off parts and guarding against them is explicitly anti-consumer, plus it costs the manufacturer more money for the additional components.

    For the vast majority of customers this would be a negative.

  20. Kanhef

    Most shops don't have the ability to fabricate or program components like this; I'd worry about problems starting much higher in the supply chain. I can see a (probably Chinese) component manufacturer being paid to include ad-injection code. Not terribly different in principle from the bloatware cruft that PCs come preloaded with so often, but much harder to get rid of.

  21. Charles 9 Silver badge

    If that were true, why isn't it happening already at the point of manufacture? Perfect and unavoidable point for hardware pwnage.

  22. Doctor Syntax Silver badge

    "If that were true, why isn't it happening already at the point of manufacture?"

    It would depend on the brand. An expensive brand has a reputation to protect and could be destroyed when it leaked out if they did this. However, a component manufacturer selling to repair shops is unknown to the public, doesn't have that reputation to protect and could do this without repercussions - just burn their brand and start again in the event of real trouble.

  23. Ken Hagan Gold badge

    Those expensive brands don't make all their own components, so they would be neither liable nor aware if they were fed dodgy components from somewhere. So, um, where do the big brands do all their manufacturing and component supply these days?

  24. Anonymous Coward
    Stop

    Error 53

    Perhaps Apple were actually doing the right thing here?

  25. bazza Silver badge

    Re: Error 53

    I think partly yes, and then again no.

    It's possible, so guarding against it is a good idea.

    On the other hand, the cost/reward ratio for someone doing this isn't that favourable. You'd have to do some serious bank account drainage to make it worthwhile I suspect. And if it became a common thing people would simply stop using the dodgy repair guys, lesson learned.

    I think Apple's reasons were more related to revenue "protection".

  26. DougS Silver badge

    Re: Error 53

    Why do people always assume Apple is doing this for revenue, as if repairing iPhones is a huge business for them? Considering the ridiculous rent where they locate their stores, while the cost to have Apple replace your screen is higher than at the mall kiosk, given the cost involved and the fact you get genuine parts with full warranty, they can't be making any more money at it than the mall kiosk guys.

    Apple has taken the blame for dodgy third party parts before, so they need to protect themselves. Now maybe an "error 53" wasn't the right way, and instead the phone should raise a stink at you when it boots and require you to hit 'OK' to acknowledge use of non-Apple approved parts that may compromise functionality and aren't covered under your warranty, but letting people put low quality parts that weren't designed to be used is undesirable for Apple and its customers.

  27. Trilkhai

    Re: Error 53

    Even if the income from repairing a phone is negligible, it gives Apple the chance to sell other stuff to the person while they're in their store, particularly things that would relate to whatever had been wrong with the phone.

    Also, it could be a pretty decent generator of sales of new iPhones. Apple stores aren't easily accessible everywhere (do they offer mail-in repairs?), so if the option of taking an iPhone to a third-party repair shop wasn't available, the user would donate or sell a broken one as-is and buy a replacement. The same outcome would be likely to result for people (especially non-technical types who got the news third-hand) who got the impression that all repairs lead to the iPhone being unable to tolerate upgrades.

  28. bazza Silver badge

    Re: Error 53

    I sometimes wonder if people ever stop and think about why phone manufacturers like Apple are fond of sleek, smooth materials like glass, used in places where glass is not required.

    Looks nice? Sure. Breaks easily? Fairly easily. Encourages you to buy a new one when the back of your old one is trashed? Yes.

    They're certainly not made for durability, which plastic is actually much better at.

    Not that durability requires plastic. When Apple had the opportunity to move over to sapphire glass, which is nigh on indestructible, they decided not to. Part of that decision might have been the motivation to not make a phone that really would last forever.

  29. DougS Silver badge

    Re: Error 53

    Where do they use glass that glass doesn't belong on the last few year's worth of models? You can't very well use plastic for the display, it scratches WAY too easily. Sapphire would have made the display scratch proof (unless you carry loose diamonds in your pocket) but wouldn't have made it shatterproof. Corning even claimed a sapphire screen would be MORE prone to shattering than Gorilla Glass, but they're hardly impartial. At any rate, Apple didn't "decide" not to do the sapphire screens, the company they were working with to produce the screens was unable to produce them in sufficient numbers at sufficient quality, or so it was reported.

    Apple lost a few hundred million dollars on the whole fiasco, they obviously wanted the sapphire screens as a competitive advantage - that's why the exclusive relationship with GT so competitors like Samsung would have to find their own supply. If they could make the 'holy grail' shatterproof and scratchproof screen they'd obviously do it - what a competitive advantage that would be! The loss of repair revenue and "unforced upgrades" would be chickenfeed to compared to Android users who would come over to Apple to get a phone that would never break when dropped.

    The glass backs are reportedly making a comeback with the iPhone 8, because a metal back doesn't work well with wireless charging that will reportedly have. I guess the conspiracy theorists will claim it is because Apple wants more phones breaking...probably in many cases the same people who have been whining about Apple not having wireless charging!

  30. Anonymous Coward
    Anonymous Coward

    Not really, you can keyboard and mouse intercept a MAC just fine....

  31. Trilkhai

    Mac, not MAC

    The computer's called a "Mac" — a "MAC" is the unique network address that a device has to identify it on a network.

  32. Anonymous Coward
    Anonymous Coward

    Re: Mac, not MAC

    I think that was what was meant: use a rogue USB device to sniff out a system. Cloning a MAC allows for an impersonation attack.

  33. Anonymous Coward
    Anonymous Coward

    Do I undestand correctly

    That the research illustrates that individual hardware components can subvert the security model of the phone as a whole and access not just already existing data, which may or may not be there depending on whether the customer to the precaution to wipe the phone before handing control of it to a third party, but it also allows the rogue component to produce and manipulate new data, such as recording video and audio, logging user inputs, and tampering with arbitrary phone functions?

    Or is it my fault for having read the article?

  34. uncommon_sense

    >not doing enough<

    Those who have had an iPhone error 53 might think otherwise!

  35. patrickstar

    I totally fail to envision a scenario - any scenario at all - where the HARDWARE ITSELF wouldn't be considered trusted...

  36. Charles 9 Silver badge

    BadUSB? SMM pwnage?

  37. patrickstar

    My point is that you essentially HAVE to consider the hardware trusted. If it's compromised, game over.

    If an attacker can replace basic hardware components they have already won.

  38. Charles 9 Silver badge

    WHY do you HAVE to consider the hardware trusted? What prevents you from considering it UNtrusted? What about things like Protected Hardware Paths that require hardware authentication?

  39. Ken Hagan Gold badge

    If I may just butt in on your exchange with Charles 9, I think the issue is what you understand by the phrase "the hardware itself". The difficulty is in the first word: "the".

    Some hardware needs to be trusted. To my knowledge, no-one has found a way of building a trusted plaform on top of an untrusted CPU. At some point, the data has to be processed. Building a transparent hardware encryption of memory is conceivable, but I don't know of anyone who has done it. I imagine the cost (in performance) is a worry and I imagine that replacing "needs to trust memory" with "needs to trust the memory controller" isn't reckoned to be worth the effort. You can, however, build a trusted data volume on an untrusted drive and this is now commonplace.

    Once you get to "hardware that you plug in", like USB sticks and eSATA drives, there is an expectation that "the hardware" should not blindly trust "the peripheral" and some bus architectures have been crtiticised (well, actually, more like written off as "do not use, ever") on this site and elsewhere for allowing precisely that.

    With that context, I'd say it makes a big difference whether the hardware is outside or inside "the box" and that test should be interpreted as "end-user serviceable" rather than taken literally. So the SD card counts as "outside" even if you have to take the case off and remove the battery in order to get to it. The screen, however, is definitely "inside" for a phone or laptop, but would be equally definitely "outside" if it is a desktop machine with graphics card and a cable socket.

    There is no shame in building systems that trust the hardware inside the box. There is plenty of shame in trusting hardware outside the box. Vendors should probably design their boxes so that you just need fingernails to access the outside parts but you need a screw-driver (possibly one of those stupid ones that no normal person has) to access the inside parts. Then everything is clear.

  40. patrickstar

    Yes - good clarification.

    I think the general cutoff between untrusted/trusted should be something along the lines of "if the screen is locked / user logged out, can this be reasonably be used to bypass that?"

    So USB sticks would be untrusted. The motherboard would be trusted even though you could theoretically hook up a logic analyzer and signal generator to it. Memory would be trusted as long as it remains in the box (you'd expect someone to be able to remove the memory and read it out so you'd scramble the contents, but not expect it to be under attacker control as long as it remains in place).

    Other considerations might apply if you have an advanced threat model, but then the answer isn't to attempt to build a box where nothing trusts anything else or even itself, but rather to prevent someone from getting in the box in the first place (tamper detection and/or filling the entire thing with epoxy and/or applying physical security like locks and safes around it).

  41. Charles 9 Silver badge

    "Some hardware needs to be trusted. To my knowledge, no-one has found a way of building a trusted plaform on top of an untrusted CPU. "

    But that raises a scary prospect. Given (1) that ARM CPU designs can be tinkered at the licensor's discretion (which is how these SoCs come into being), and (2) that some State agencies are loony enough to want control at the hardware level, including hidden stuff in the CPU, doesn't this raise some serious DTA prospects?

  42. patrickstar

    This is, of course, not a new concept or fear.

    In the case of a pure CPU backdoor at the mask level, it would be pretty easy to insert a backdoor that for example would allow a local attacker full kernel compromise. For example "if certain conditions are true, then bypass all page protection checks". This would be very desirable for a TLA looking to compromise phones - then all they would need would be a single clientside exploit in any app (of which there are plenty), instead of the usual chain of clientside exploit -> sandbox escape / local privilege escalation.

    The same thing could be done with desktop systems of course, but somehow I imagine/hope it's more difficult to sneak a backdoor in at Intel than at some obscure SoC vendor...

  43. Charles 9 Silver badge

    Intel's an American company. Most of the SoC makers are based in China. BOTH are known to be interested in such a thing, and doing it at the manufacturer level would be a win-win for them: ubiquitous so hard to avoid, relatively inexpensive, plus plenty of room for plausible deniability.

  44. Joe Gurman

    Come again?

    Why can't you envision that? It's exactly what the article was about. Given the vast supply of used parts, down to the chip level, in China and other countries, what it to stop criminal gangs or state actors from posing as low-priced sources of replacement parts?

  45. patrickstar

    Re: Come again?

    Again - my point is that you HAVE to consider the hardware trusted, not that someone can't actually compromise the hardware with physical access.

    If someone has access to your phone to the point where they can change the screen, it's game over.

    If you want to prevent that, you don't do it by putting some DRMish stuff in the screen to authenticate it (a la Apple and the fingerprint sensor). This is completely meaningless even if we assume there's no way to stick an evil screen in place considering that they have unrestricted access to literally everything.

    To prevent this, you simply don't allow untrusted parties to have that sort of access to the phone in the first place.

    It would be relevant if this was about connecting an external screen to a desktop computer, or perhaps some sort of Lego phone where replacing the screen does not involve taking it apart.

    It's not relevant here.

  46. Charles 9 Silver badge

    Re: Come again?

    "If you want to prevent that, you don't do it by putting some DRMish stuff in the screen to authenticate it (a la Apple and the fingerprint sensor). This is completely meaningless even if we assume there's no way to stick an evil screen in place considering that they have unrestricted access to literally everything."

    What about 4K BluRay Players and modern gaming consoles that use protected hardware paths (to prevent pirating)? Doesn't that work by using black-boxed keys inside each component so that every link in the chain is encrypted and authenticated to prevent tampering (replace even one component and you break the chain since you change that part's key which, being black-boxed, can't be extracted or copied)? Don't some Android devices use the same technique to prevent rooting and the use of custom builds? And don't these chains INCLUDE the CPU in having encryption keys (cryptoprocessors spring to mind)?

  47. patrickstar

    Re: Come again?

    You don't need to replace any hardware in a phone to pwn it. You might simply add a bug - this has been done since the early days of telephony.

    Or you could replace the entire contents of the phone with something that just shows you a fake login screen and then errors out after entering the password/PIN code, sending it to the guy in possession of the real phone, if that's what you're after.

    Etc.

    Also, the threat models are radically different, but that's probably another discussion.

  48. Charles 9 Silver badge

    Re: Come again?

    "You don't need to replace any hardware in a phone to pwn it. You might simply add a bug - this has been done since the early days of telephony."

    But in a trusted hardware chain, that breaks the chain, resulting in a brick. And in the protected hardware path approach, even the wires are sending all-encrypted data. And the devices are designed to close up on a brick due to the encrypted links, meaning you can't take advantage of the brick to extract data. And I don't think the threat models are THAT different given that BOTH this and the movie/gaming companies are trying to prevent exfiltration of data that can in turn be used to exfiltrate other data.

    "Or you could replace the entire contents of the phone with something that just shows you a fake login screen and then errors out after entering the password/PIN code, sending it to the guy in possession of the real phone, if that's what you're after."

    If you're gonna go THAT far, it would be more trivial to switch out the entire phone with a replica.

  49. patrickstar

    Re: Come again?

    You simply need to add a small circuit board with a microphone (or other listening device - radio/EM fields/position/etc) on it. This is not stopped in any way whatsoever by any chain of trust.

    Rather it's stopped by tamper protection and physical security, both of which are, by definition, not relevant if you just handed your phone to someone and expect him to switch out the screen.

    There's no way to compare keeping secrets on a phone unreadable to preventing home users from pirating BluRay discs - there are simply no commonalities between the scenarios.

    Regarding switching out the entire phone - sure, but it might be a tad suspicious if you hand in your old worn thing (probably dinged up from whatever broke the screen as well) and get back a brand new phone. Just sayin'.

  50. nijam Silver badge

    > ... Protected Hardware Paths ...

    Oh, that bit's trustworthy, is it?

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018