At a recently concluded security conference, experts from an Israeli university have presented new research that describes a possible attack scenario which leverages replacement parts to carry out attacks on smartphones and other smart devices.

The attack — described as chip-in-the-middle — relies on the assumption that a malicious third-party is in the position of mass-manufacturing electronic spare parts that contain an additional chip for intercepting a device's inner communications, but also being capable of issuing malicious commands.

Attackers could hide malicious chips in phone spare parts

Researchers proved their theoretical attack true by building such malicious spare parts and using them to take over a test smartphone. Video proof is available at the end of this article.

While the attack looks complex, researchers said they used only off-the-shelf electronics that cost about $10. Although some practical skills in soldering and handling electronic parts are needed, the attack is not as sophisticated as some might think and does not involve complex machinery often installed in high-tech factories.

One of the phones featuring malicious replacement parts

One of the phones featuring malicious replacement parts

Two ways to carry out attacks via spare parts

With the malicious spare parts they created, researchers say they discovered two categories of attacks they could perform.

The first is a basic command injection into the communication streams between the phone and the spare component. This attack works best with malicious touchscreen displays because it allows the attacker to impersonate the user by mimicking touch actions and exfiltrating data.

The second method is a buffer overflow attack that targets a vulnerability in the touch controller device driver embedded within the operating system kernel. Attackers exploit this flaw to get elevated privileges on the phone and carry out attacks on the OS itself, without needing to mimic touch gestures. This second attack was specific to one set of device drivers, so it won't work universally.

The research team — formed by experts from the Ben-Gurion University of the Negev, Israel — present various hardware-based countermeasures for preventing attacks via spare parts in their research paper.

The countermeasures and other technical details are available in their paper titled "Shattered Trust: When Replacement Smartphone Components Attack," here and here. Researchers presented their work at the recently concluded USENIX W00T '17 security conference.

The five videos below show the research team carrying out chip-in-the-middle attacks on smartphones that contain malicious spare parts.