From Smashed Screens to Smashed Stacks: Attacking Mobile Phones Using Malicious Aftermarket Parts

Shwartz, Omer; Shitrit, Guy; Shabtai, Asaf; Oren, Yossi

doi:10.1109/eurospw.2017.57

Cited by 7 publications

(4 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the main attack demonstrated here is crafted to the Nexus 6P phone, many more phones use similar device drivers [12]. A small scale review performed by the authors on three additional phones that contain a Synaptics touch controller (Samsung Galaxy S5, LG Nexus 5x, LG Nexus 5) shows similar vulnerabilities to the ones exploited in the attack described here.…”

Section: Attacking Additional Devicesmentioning

confidence: 73%

“…As stated in [12], attacks based on malicious hardware can be divided into two different classes. First-order attacks use the standard interaction modes of the component, but do so without the user's knowledge or consent.…”

Section: What Sort Of Damage Can It Cause?mentioning

confidence: 99%

“…The authors raised the concern that the customizations performed by vendors can potentially undermine Android security. In a previous work [12] we focused on driver customizations, reviewing the source code of 26 Android phones and mapping the device drivers that are embedded in the kernel of their operating system. Our survey found a great deal of diversity in OEMs and device drivers.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Shattered Trust: When Replacement Smartphone Components Attack

Shwartz¹,

Cohen²,

Shabtai³

et al. 2018

Preprint

Self Cite

View full text Add to dashboard Cite

Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by thirdparty manufacturers and not by the phone vendors themselves. Third-party driver source code to support these components is integrated into the vendor's source code. In contrast to "pluggable" drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor.In this paper, we call this trust into question, considering the fact that touchscreens are often shattered and then replaced with aftermarket components of questionable origin. We analyze the operation of a commonly used touchscreen controller. We construct two standalone attacks, based on malicious touchscreen hardware, that function as building blocks toward a full attack: a series of touch injection attacks that allow the touchscreen to impersonate the user and exfiltrate data, and a buffer overflow attack that lets the attacker execute privileged operations. Combining the two building blocks, we present and evaluate a series of end-to-end attacks that can severely compromise a stock Android phone with standard firmware. Our results make the case for a hardware-based physical countermeasure.

show abstract

Section: Attacking Additional Devicesmentioning

confidence: 73%

Section: What Sort Of Damage Can It Cause?mentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Shattered Trust: When Replacement Smartphone Components Attack

Shwartz¹,

Cohen²,

Shabtai³

et al. 2018

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Examples of devices that incorporate FRUs include interface cards in routers, touch screens and sensor assemblies in mobile phones, ink cartridges in printers, batteries in health sensors, and so on. As noted by Shwartz et al [8], third-party FRU installations often use cheap components of unknown pedigree, and thus may introduce, knowingly or unknowingly, counterfeit or malicious components into otherwise secure devices. Shwartz et al divided attacks based on malicious FRUs into two different classes: first-order attacks, in which the malicious FRU falsifies interactions with the device in the ways a standard user would, but without the user's consent, and second-order attacks, which go beyond exchanging properly formed data, and attempt to cause a malfunction in the device driver and compromise the operating system kernel.…”

Section: Introductionmentioning

confidence: 99%

Practical, Low-Cost Fault Injection Attacks on Personal Smart Devices

Oren

2022

Applied Sciences

Self Cite

View full text Add to dashboard Cite

Fault attacks are traditionally considered under a threat model that assumes the device under test is in the possession of the attacker. We propose a variation on this model. In our model, the attacker integrates a fault injection circuit into a malicious field-replaceable unit, or FRU, which is later placed by the victim in close proximity to their own device. Examples of devices which incorporate FRUs include interface cards in routers, touch screens and sensor assemblies in mobile phones, ink cartridges in printers, batteries in health sensors, and so on. FRUs are often installed by after-market repair technicians without properly verifying their authenticity, and previous works have shown they can be used as vectors for various attacks on the privacy and integrity of smart devices. We design and implement a low-cost fault injection circuit suitable for placement inside a malicious FRU, and show how it can be used to practically extract secrets from a privileged system process through a combined hardware-software approach, even if the attacker software application only has user-level permissions. Our prototype produces highly effective and repeatable attacks, despite its cost being several orders of magnitude less than that of commonly used fault injection analysis lab setups. This threat model allows fault attacks to be carried out remotely, even if the device under test is in the hands of the victim. Considered together with recent advances in software-only fault attacks, we argue that resistance to fault attacks should be built into additional classes of devices.

show abstract