We all fear it. Dropping our phones. Seeing the tell-tale signs of a massive crack across the screen, or even worse; the phone failing to boot up at all. Our first instinct in these horrible situations is to try and get it fixed. After all, no one wants to pay hundreds of pounds to rectify what can be solved with a fraction of that, right?
By all means, go ahead. But I would strongly recommend taking a few precautions first. Why is that? Well, new research has now shown that replacement hardware parts for phones where the primary manufacturer hasn’t guaranteed the security of the supply chain can actually infect the phone with all sorts of horrible malware. For example, a replacement screen for a Nexus 6P phone was used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones.
The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.
Scary, right? This is something that simply doesn’t occur to the vast majority of people who are understandably desperate to get their beloved smartphones fixed and up and running as soon as possible. However, as long as you take a few simple steps, you will be safe:
- ALWAYS go to a first-party repair shop if possible. This is by far the best way to ensure that the supply chain used in the repair of your phone is properly secured by the manufacturer of said phone.
- If that really isn’t possible for whatever reason, check that the third-party repair shop you’re going to use properly certifies their replacement parts (such as through a component white list) and/or is directly contracted by the primary manufacturer of the device.
Threats to your cyber world are growing exponentially on a daily basis. It’s up to all of us to be as aware as possible of the various ways that we can be exploited. Whether that be through software or even hardware. A little vigilance goes a long way.