Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y.
Workshop on Security for Embedded and Mobile Systems (SEMS’17), Paris, France (April 30, 2017)
In this preliminary study we present the first practical attack on a modern smartphone which is mounted through a malicious aftermarket replacement part (specifically, a replacement touchscreen). Our attack exploits the lax security checks on the packets traveling between the touchscreen's embedded controller and the phone's main CPU, and is able to achieve kernel-level code execution privileges on modern Android phones protected by SELinux. This attack is memory independent and survives data wipes and factory resets. We evaluate two phones from major vendors and present a proof-of-concept attack in actual hardware on one phone and an emulation-level attack on the other. Through a semi-automated source code review of 26 recent Android phones from 8 different vendors, we believe that our attack vector can be applied to many other phones, and that it is very difficult to protect against. Similar attacks should also be possible on other smart devices such as printers, cameras and cars, which similarly contain user-replaceable sub-units.