Smartphone owners who replace smashed screens at third-party outlets could be at risk of having their devices hacked, a study has revealed.
Researchers at the University of the Negev have shown that replacement screens for Android smartphones can be manipulated to steal personal information and take control of a repaired device.
The attack, which is almost undetectable, can be used to “severely compromise” a victim’s smartphone, the researchers said.
It works through a malicious chip that is embedded within the replacement display. The chip can be applied to the screen with relative ease and then used to hack into the phone.
The researchers demonstrated the attack by hijacking a Huawei Nexus 6P smartphone and an LG G Pad 7 tablet. They were able to record what was typed on the affected devices, such as passwords, download apps onto them, and send users to malicious websites.
The researchers could order the compromised device to take a photo of the user and forward it to hackers in an email. With a small amount of additional work they were also able to use the manipulated screen to access the operating system of the affected devices.
They said the hack could work on an iPhone as well, but did not demonstrate this.
The vicious attack is imperceptible, even to smartphone technicians, as the malicious chip can be made to look like an official one. Because it is a physical attack, it also can’t be detected with anti-virus tools.
The researchers urged smartphone manufacturers to create a physical defence system that would prevent such a hack from being possible.
“A well-motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets,” said the University of the Negev researchers. “System designers should consider replacement components to be outside the phone’s trust boundary and design their defences accordingly.”
Apple has long been criticised for making it difficult for third-party technicians to replace iPhone and iPad screens.
Australia’s consumer watchdog sued Apple earlier this year over claims it purposefully stopped devices working after cracked screens were replaced by third parties.