Beware of Shady Repair Shops
A report presented this month at the 2017 Usenix Workshop on Offensive Technologies was pretty offensive – and not in the way they meant in the workshop title.
Offensive security is what spies do – go out and attack a system.
The report demonstrated a proof-of-concept attack that would work if someone took their phone into some repair place. The attack works by surreptitiously inserting hardware, say behind a replacement for a cracked screen, that “adds” a few “features”.
They demonstrated putting these hacked screens into two Android phones – a Huawei and a Nexus – but they say the attack will work with iPhones as well.
This attack works because the manufacturers assume a trust boundary, meaning that they trust that the hardware has not been compromised. In this case, that trust is broken.
In reality, this is nothing new. Stories abound of PC and Mac repair places inserting extra software and sometimes even hardware into a computer to be able to monitor it. There was a big dust-up a year or two ago when it was discovered that some repair technicians were being paid by the FBI to feed them information from computers in for repair.
In this case, the modified screen would be able to read the keyboard, capture screen patterns (for pattern screen locks), install malicious apps and take pictures and send them to the hacker.
All this for about ten bucks in parts.
The problem occurs because you lose control of the device – phone, tablet or computer – when you leave it with the repair person.
They say that this particular attack is so subtle that it is unlikely to be detected, even by another repair technician, unless he or she knows what to look for.
The researchers say that there are some inexpensive countermeasures that manufacturers can add, but there is really nothing that you can do yourself.
They say that this attack could easily scale up to be done to a lot of phones and, of course, would also scale down to targeted phones.
As a user, the only thing that you can do is choose your repair center wisely. If you can use a manufacturer’s repair center, that is probably less risky. If not, then do your homework and check out the place and also ask them how they vet the individuals working on your device.
Great – something else to worry about.
For more details about the hack, see the article in Ars Technica.