Hiding malware in boobytrapped replacement screens would undetectably compromise your mobile device


#1

Originally published at: http://boingboing.net/2017/08/18/all-bets-off.html


#2

Tip for the paranoid: when in doubt, don’t repair anything. Just buy a new-in-box gadget from some random brick-and-mortar shop.


#3

Wow, computers suck.


#4

Electronics aren’t meant to be repaired anyway; they’re meant to be discarded, heavy metals and all, in your all-American landfill. Centuries from now, when our mutated great-grandchildren crawl across a blasted landscape searching for sustenance, that landfill will be like a gold mine - a toxic toxic gold mine!


#5

Synaptics prefers not to talk about it; but Atmel’s brochure for some controllers likely similar to the 641 mentioned in the article mentions “8/16 bit or 32 bit Atmel AVR CPU” (Synaptics probably uses something of approximately similar power; differing mostly in being less helpful on documentation).

Depending on how tightly they cut the parts down; odds are decent that you might be able to skip the extra MITM microcontroller and go with maliciously modified controller firmware instead. Lower assembly costs, much less visible; as robust, unless the target device actively interrogates the controller firmware for anomalies.

Plus, if you can do it in firmware; it becomes either a mechanism for replacement hardware to compromise the OS; or an OS or application compromise to build a little beachhead from which to either do things its compromise of the system wouldn’t be thorough enough to allow; or to survive even a full wipe.

All kinds of possible fun for the whole family.

So, any bets on how long it will be before this becomes a talking point against the ‘right to repair’ legislation? Sure, it’s well known that ‘legitimate’ supply chains have plenty of fakes sloshing around; but never mind that! Only making cryptographically verified and properly licensed vendor FRUs mandatory can save us from this threat!
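The check that post #5 alludes to (the host “actively interrogating the controller firmware for anomalies”), as an added example that is not code from this thread, from Synaptics, or from the paper: a host-side integrity check that reads back a touch-controller firmware image, parses a hypothetical 16-byte header, and compares the image digest against a vendor-published allowlist. The image layout, `read_controller_firmware()`, and the allowlist are all assumptions made for illustration; real controllers expose firmware through vendor-specific I2C/SPI commands.

```python
"""Host-side integrity check for a touch-controller firmware image.

Added example, not code from the thread or from any vendor. Assumes a
hypothetical image layout: a 16-byte header (magic, major, minor, declared
payload length) followed by the payload, and a vendor-published allowlist
of SHA-256 digests keyed to firmware versions.
"""
import hashlib
import struct

MAGIC = b"TCFW"
HEADER = struct.Struct("<4sHHQ")  # magic, major, minor, payload_len -> 16 bytes

# Constructed sample payload standing in for a real vendor firmware image.
GOOD_PAYLOAD = bytes(range(256)) * 4


def build_image(payload, major=1, minor=4):
    """Assemble header + payload in the hypothetical layout."""
    return HEADER.pack(MAGIC, major, minor, len(payload)) + payload


GOOD_IMAGE = build_image(GOOD_PAYLOAD)

# Allowlist of known-good images, as a vendor could publish per release.
KNOWN_GOOD = {hashlib.sha256(GOOD_IMAGE).hexdigest(): (1, 4)}


def read_controller_firmware(tampered=False):
    """Stand-in for the vendor-specific firmware readback command."""
    if not tampered:
        return GOOD_IMAGE
    # One flipped byte in the payload, same header and version string:
    # what a modified controller firmware looks like from the outside.
    patched = bytearray(GOOD_PAYLOAD)
    patched[100] ^= 0x01
    return build_image(bytes(patched))


def check_firmware(image):
    """Return (ok, reason). Flags bad header, length mismatch, unknown digest."""
    if len(image) < HEADER.size:
        return False, "image shorter than header"
    magic, major, minor, plen = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    if plen != len(image) - HEADER.size:
        return False, "declared payload length does not match image"
    digest = hashlib.sha256(image).hexdigest()
    version = KNOWN_GOOD.get(digest)
    if version is None:
        return False, f"digest {digest[:16]}... not in allowlist (header says v{major}.{minor})"
    if version != (major, minor):
        return False, "version in header disagrees with allowlist"
    return True, f"known-good v{major}.{minor}"


if __name__ == "__main__":
    for tampered in (False, True):
        print(tampered, check_firmware(read_controller_firmware(tampered)))
```

The caveat a practitioner would raise: a readback served by the controller’s own firmware is only as trustworthy as that firmware, since a modified image can simply answer with a copy of the original. Real assurance needs a read path the firmware cannot intercept (a ROM bootloader or an external programmer) or attestation rooted in the controller hardware, which is exactly the gap the “MITM microcontroller versus modified firmware” point in the post is about.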


#6

hiding it in original manufactured screens would be a much better idea. /s


#7

Nonsense. They’re made to be “recycled” overseas.


#8

I dunno, it’s not entirely bonkers to regard mountains of dumped electronics as a valuable resource as well as (or, with planning, instead of) an environmental hazard. You could imagine a landfill designed as a kind of inorganic compost heap, where rainwater washes through it into a non-porous evaporation basin where, after a few decades, you can easily mine deposits of delicious salts of copper and nickel and chromium and tantalum and that sort of thing. After all, metals do come from the ground.


#9

I’ve always wondered if proof-of-concept things like this ever actually spur real-world exploitations of these vulnerabilities.


#10

I wouldn’t be too surprised if this is actually being done.
A limited batch from a special production run every now and then, carefully routed into the distribution chain to make sure they end up in a certain area.
Sure, it’s fishing with a large and coarse net. But it’s cheap and easy to implement.
Let’s say a batch ends up in the San Francisco area just in time for x-mas shopping. A couple of them are bound to end up being used by people (or people they share information with) who are working on stuff that is interesting in terms of industrial espionage.


#11

When I buy a phone, it is shipped to me direct “from China” which could just as easily be Langley.


#12

I think it’s been done, in science fiction, lots of times.


#13

It’d be easier to compromise them in China with chips on the board that aren’t quite what they’re labeled as.


#14

Yes that part seems obvious. Maybe you took Langley too literally? ‘Langley’ can be in a factory in China, no problem as far as I can tell.


#15

While I’m curious to read about the proof of concept, the linked URL is https://iss.oy.ne.ro/Shattered.pdf which seems more like obfuscation. Not sure if that’s how Ars does it now or not.


#16

Or “Langley” could add their own compromise on top of the factory one.

It’s a shame that devices don’t conform to the superstition that “appearance without reflects the moral character within”. Then some people’s phones would make ominous noises and drip green-glowing toxic drops.


#17

We know that interception of target devices to receive ‘implants’ is a thing; though the TAO obviously isn’t too helpful about the details, scope, etc. of the operation.

An attack like this seems amenable to an operation like that, to being done at the factory in a suitably compromised supply chain, to be done in the field if someone suitably interesting brings in a phone for repair, or all of the above.

So I wouldn’t necessarily bet on getting to hear about it if it happens; but definitely wouldn’t bet against it happening.

(Also, since technology, especially ‘mobile’, seems to revel in immanentizing the cyberpunk dystopia; I can’t shake the unpleasant possibility that some terrible person will attempt a ‘sponsored screens’ business model, where ‘ad-supported’ malicious replacements will be cheaper than the standard ones in exchange for attacks by our trusted advertising partners as outlined in the privacy policy and EULA; and that, worse, he might get some takers for the idea…)


#18

I wouldn’t be at all surprised. I got a Kindle Fire as an entry-level tablet/e-reader. It has Amazon ads, both full-screen and occasional notifications. I could pay a fee to get them removed, but they aren’t annoying enough (yet) for me to get rid of them. Someone less reputable could easily do the same thing…


#19

This topic was automatically closed after 5 days. New replies are no longer allowed.