Aug. 24, 2017 | By Stone Tillotson
Counterfeit and compromised parts are increasingly making their way into the consumer supply chain. A security research team from Ben-Gurion University recently published a paper detailing how cell phones, tablets, laptops, and other devices are easy targets for compromised parts. The proliferation of on-the-go devices has led to a growth industry in pop-up fix-it shops, offering everything from replacement-screens-while-you-wait to near rebuilds. These shops exhibit wide variation in quality, but most alarmingly, they usually do not possess the capability for in-depth supply chain verification. This gap allows replacement parts containing malicious driver code, once installed, to interface directly at a system level, thus bypassing the usual security and code signing requirements for accessories. Malicious parts may not even need privilege escalation or to exploit the rest of the phone to wreak havoc. A compromised touch screen alone would be sufficient to capture a majority of user activity without displaying any signs of doing so. The affected user would often be unable even to identify that such a compromise has taken place.
IISP Analyst Stone Tillotson: "Racing home, you're desperate to check your front door. After getting excellent service during a lock-out, a casual internet search revealed your locksmith to be a convicted burglar, your new flatscreen foremost on your mind...
That's the scenario we face with replacement parts, but then, which new locksmith will you call for peace of mind? The invasiveness and cryptic nature of attacks like this make them incredibly difficult to detect. The military has been confronting this for years now, but this problem is only recently making its way into the consumer world. Even vendors which attempt to lock down their supply chains have the occasional misstep. Readily breakable glass screens, probably the typical cell user's biggest headache, are the biggest facilitator and the lack of widespread, affordable device servicing by manufacturers is the next. Resolving either of these would put a huge dent in the viability of this attack vector. Perhaps with device driver verification and signing, it could be even more diminished. Nevertheless, these kinds of attacks are predicated on a willing user handing over a device with security needs to an unknown party for the express purpose of physical access, and as the adage goes: With physical access, there is no security."
A co-author of the Ben-Gurion project, Yossi Oren, will be at Georgia Tech on Sept. 13 to present his findings to doctoral students.
For further reading
- Research Paper, Ben-Gurion University: https://iss.oy.ne.ro/Shattered
- ArsTechnica: https://arstechnica.com/information-technology/2017/08/a-repair-shop-could-completely-hack-your-phone-and-you-wouldnt-know-it/
- U.S. Government Accountability Office: http://www.gao.gov/products/GAO-12-213T
- Motherboard: https://motherboard.vice.com/en_us/article/jpyevp/ibm-malware-usb-drives-storwize