From Smashed Screens to Smashed Stacks: Attacking Mobile Phones Using Malicious Aftermarket Parts

In this preliminary study we present the first practical attack on a modern smartphone which is mounted through a malicious after market replacement part (specifically, a replacement touchscreen). Our attack exploits the lax security checks on the packets traveling between the touch screen's embedded controller and the phone's main CPU, and isable to achieve kernel-level code execution privileges on modern Android phones protected by SELinux. This attack is memory independent and survives data wipes and factory resets. We evaluate two phones from major vendors and present a proof-of-concept attack in actual hardware on one phone and an emulation level attack on the other. Through a semi-automated source code review of 26 recent Android phones from 8 different vendors, we believe that ourattack vector can be applied to many other phones, and that it is very difficult to protect against. Similar attacks should also be possible on other smart devices such as printers, cameras and cars, which similarly contain user-replaceable sub-units.