From Smashed Screens to Smashed Stacks: Attacking Mobile Phones using Malicious Aftermarket Parts

Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y.

Workshop on Security for Embedded and Mobile Systems (SEMS'17), Paris, France (April 30, 2017)

In this preliminary study we present the first practical attack on a modern smartphone which is mounted through a malicious aftermarket replacement part (specifically, a replacement touchscreen). Our attack exploits the lax security checks on the packets traveling between the touchscreen’s embedded controller and the phone’s main CPU, and is able to achieve kernel-level code execution privileges on modern Android phones protected by SELinux. This attack is memory independent and survives data wipes and factory resets. We evaluate two phones from major vendors and present a proof-of-concept attack in actual hardware on one phone and an emulation-level attack on the other. Through a semi-automated source code review of 26 recent Android phones from 8 different vendors, we believe that our attack vector can be applied to many other phones, and that it is very difficult to protect against. Similar attacks should also be possible on other smart devices such as printers, cameras and cars, which similarly contain user-replaceable sub-units.