Phone replacement parts can be used to hijack a phone

Jinchu
20 minutes ago, SpaceGhostC2C said:

Some people demonstrated an academic risk, and we start freaking out like we are playing Russian roulette every time we dare repair something...

Sometimes there isn't a great deal of time between proof of concept and it actually happening in the wild. As I said earlier, we used to think ATMs and EFTPOS machines were immune to compromise with very small undetectable card readers, intercepts and cameras. It may not be something to worry about today, but it is something we are going to have to be wary of going into the future.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Meh.. more fear mongering. Go for it, hack my phone. Steal every bit of info I have on there. It won't get you anywhere. Oh no, you know who I phone and text!!

Better stop sending my bank details and missile launch codes over WhatsApp then.

Redstone:
i7-4770 / Z97 / GTX 980 / Corsair 16GB  / H90 / 400C / Antec EDGE / Neutron GTX240 / Intel 240Gb / WD 2TB / BenQ XL24

Obsidian:

MSI GE60 2PE i7-4700HQ / 860M / 12GB / WE 1TB / m.Sata 256gb/Elagto USB HD Capture Card

Razer Deathadder Chroma / Razer Blackwidow TE Chroma / Kingston Cloud2's / Sennheiser 429 / Logitech Z333


15 minutes ago, Not_Sean said:

Meh.. more fear mongering. Go for it, hack my phone. Steal every bit of info I have on there. It won't get you anywhere. Oh no, you know who I phone and text!!

Better stop sending my bank details and missile launch codes over WhatsApp then.

A lot of people carry out banking on their mobiles.


2 minutes ago, mr moose said:

A lot of people carry out banking on their mobiles.

A lot of people carry out banking in Internet Explorer.. Which do you think is more dangerous..

Also banks cover this kind of thing. My account was hacked a day after payday. Cleaned out, phoned the bank, they saw it was a transaction from another city in the world, asked me if I was currently there, after a laugh they marked it as fraud and a day later I was fully refunded. Shit happens. Going defcon 9 won't change any of that, and still the best defense is some damn common sense.


1 minute ago, Not_Sean said:

A lot of people carry out banking in Internet Explorer.. Which do you think is more dangerous..

Also banks cover this kind of thing. My account was hacked a day after payday. Cleaned out, phoned the bank, they saw it was a transaction from another city in the world, asked me if I was currently there, after a laugh they marked it as fraud and a day later I was fully refunded. Shit happens. Going defcon 9 won't change any of that, and still the best defense is some damn common sense.

Well that's awesome advice, just don't worry about security because it isn't an inconvenience to you. For some people having to deal with banks is not always an easy task. Some of them just tell you to suck it up.

A legitimate threat is posed and some people don't like it being discussed. Not sure why you or anyone would think it prudent to dismiss such a threat out of hand and accuse anyone who does want to discuss it as being irrational overreacting?


22 minutes ago, mr moose said:

Sometimes there isn't a great deal of time between proof of concept and it actually happening in the wild. As I said earlier, we used to think ATMs and EFTPOS machines were immune to compromise with very small undetectable card readers, intercepts and cameras.

And still the outcome is that there is an ATM in every corner and everybody uses them all the time.

I'm not saying nothing can ever happen, I'm saying there's an overreaction and a call for extreme attitudes ("never buy spare parts! Never use third party repair shops!") hard to justify on the actual risk.

There is no such thing as zero risk in life, so at the end of the day it is always a matter of magnitudes and risk-benefit tradeoffs.


1 minute ago, mr moose said:

Well that's awesome advice, just don't worry about security because it isn't an inconvenience to you. For some people having to deal with banks is not always an easy task. Some of them just tell you to suck it up.

A legitimate threat is posed and some people don't like it being discussed. Not sure why you or anyone would think it prudent to dismiss such a threat out of hand and accuse anyone who does want to discuss it as being irrational overreacting?

That is illegal. Banks are required by law to insure your account up to a pretty large amount, so only millionaires and the sort would be having trouble with that, and I think a millionaire would have no trouble just buying 50 new phones.


57 minutes ago, mr moose said:

doesn't negate the fact it should be considered a real threat.

What does negate it is that nobody has done it.....

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

5 minutes ago, SpaceGhostC2C said:

And still the outcome is that there is an ATM in every corner and everybody uses them all the time.

I'm not saying nothing can ever happen, I'm saying there's an overreaction and a call for extreme attitudes ("never buy spare parts! Never use third party repair shops!") hard to justify on the actual risk.

There is no such thing as zero risk in life, so at the end of the day it is always a matter of magnitudes and risk-benefit tradeoffs.

But people who are wary of such devices can look and use a different one if they see it. Makes life a lot easier if people know where a threat may lie.

2 minutes ago, spartaman64 said:

That is illegal. Banks are required by law to insure your account up to a pretty large amount, so only millionaires and the sort would be having trouble with that, and I think a millionaire would have no trouble just buying 50 new phones.

If your bank bends over backwards to help then that's great, but for some living without any access to money is way too much of a headache that can be avoided.

2 minutes ago, DrMacintosh said:

What does negate it is that nobody has done it.....

Just because it isn't wild yet doesn't mean it isn't a threat we should be wary of.

It's a proof of concept, of course no one has done it... yet. The question is how long until it is something we have to be wary of? How long is a piece of string?

The people who got done with ATM fraud didn't know about it until after it happened, now we have advance warning and you are telling people to ignore it. Great advice.


Just now, mr moose said:

How long is a piece of string?

There is no string. 


1 minute ago, DrMacintosh said:

There is no string. 

 

Answer the other question.


10 minutes ago, DrMacintosh said:

What does negate it is that nobody has done it.....

That you know of.

 

We've developed such a bond, that I'm finishing your sentences! <3

 

 

*shudders*

3 minutes ago, mr moose said:

It's a proof of concept, of course no one has done it... yet. The question is how long until it is something we have to be wary of?

I'd like to say that Drake has been wary of this for a while. Drake always knew that this was possible.

 

And Drake likes to refer to themself in the third person.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


Just now, mr moose said:

But people who are wary of such devices can look and use a different one if they see it. Makes life a lot easier if people know where a threat may lie.

If your bank bends over backwards to help then that's great, but for some living without any access to money is way too much of a headache that can be avoided.

Just because it isn't wild yet doesn't mean it isn't a threat we should be wary of.

It's a proof of concept, of course no one has done it... yet. The question is how long until it is something we have to be wary of? How long is a piece of string?

The people who got done with ATM fraud didn't know about it until after it happened, now we have advance warning and you are telling people to ignore it. Great advice.

It's not bending over backwards, it's required by law. Unless your bank wants to risk a potentially much bigger fine, they will follow the law.


7 minutes ago, mr moose said:

The question is how long until it is something we have to be wary of?

Probably the end of time. How do I know that?

1.) The low amount of people that bring their phone in for repair, let alone 3rd party repair

2.) The risk associated with repair shops that get caught doing this (there is a direct link)

3.) The gain. A lot of people bank on their phone, a lot of people don't. Even with that, if I had my phone repaired right now, they can't get my bank info, that is secured by fingerprint, not passcode.


6 minutes ago, spartaman64 said:

It's not bending over backwards, it's required by law. Unless your bank wants to risk a potentially much bigger fine, they will follow the law.

They can negate their legal responsibilities by taking weeks to refund stolen money.  And laws are different in every country.

 

You are essentially saying leave your door unlocked the insurance will cover it.   Even if it does in every single case, the inconvenience and costs still mount.

5 minutes ago, DrMacintosh said:

Probably the end of time. How do I know that? 

 

1.) The low amount of people that bring their phone in for repair, let alone 3rd party repair

2.) The risk associated with repair shops that get caught doing this (there is a direct link) 

3.) The gain. A lot of people bank on their phone, a lot of people don't. Even with that, if I had my phone repaired right now, they can't get my bank info, that is secured by fingerprint, not passcode.

You make an awful lot of assumptions.  None of which actually prove why this will not happen let alone why we should not consider it a plausible threat.  


1 minute ago, mr moose said:

plausible threat

What's the threat!?!


2 minutes ago, mr moose said:

They can negate their legal responsibilities by taking weeks to refund stolen money.  And laws are different in every country.

 

You are essentially saying leave your door unlocked the insurance will cover it.   Even if it does in every single case, the inconvenience and costs still mount.

You make an awful lot of assumptions.  None of which actually prove why this will not happen let alone why we should not consider it a plausible threat.  

Yes, they can take 10 days to refund your money, but you can use a credit card in the meantime or, if you have another account, use money from that.


Just now, DrMacintosh said:

What's the threat!?!

Now you're just being a troll.

 

But I'll bite:  The threat is that someday in the not too distant future you can expect replacement glass for phones that are essentially keyloggers that can email anything you type.


3 minutes ago, mr moose said:

Now you're just being a troll.

 

But I'll bite:  The threat is that someday in the not too distant future you can expect replacement glass for phones that are essentially keyloggers that can email anything you type.

You face the same risks if you buy a used phone or computer, so people should never buy anything used.


10 minutes ago, DrMacintosh said:

1.) The low amount of people that bring their phone in for repair, let alone 3rd party repair

Source?

If it were as bad as you said, 3rd party repair shops wouldn't exist.

10 minutes ago, DrMacintosh said:

The risk associated with repair shops that get caught doing this (there is a direct link)

An individual employee can do this and then duck out. That's also assuming that the specific attack is easy to trace.

 

11 minutes ago, DrMacintosh said:

The gain. A lot of people bank on their phone, a lot of people don't. Even with that, if I had my phone repaired right now, they can't get my bank info, that is secured by fingerprint, not passcode.

All they need is a credit card number, CVC, expiration date, and name. All of which isn't hard to lift with a piece of modified firmware.

 

2 minutes ago, mr moose said:

The threat is that someday in the not too distant future you can expect replacement glass for phones that are essentially keyloggers that can email anything you type.

Assuming that it hasn't been happening already, at a small scale. Which is actually a fairly bad assumption.

 

Just now, spartaman64 said:

You face the same risks if you buy a used phone or computer, so people should never buy anything used.

Yes, you do face the same risks, which are admittedly small. But it is something to consider.


Just now, mr moose said:

The threat is that someday in the not too distant future you can expect replacement glass for phones that are essentially keyloggers that can email anything you type.

Yeah no. Replacement glass that is a display, digitizer, and keylogger all-in-one that can fit and connect (not just connect, but also send the data anywhere) to something like the logic board on the iPhone or any other flagship is far from feasible today, or ever. 

 

For example, say Apple finds out about this before even 1 device is affected, all it would take is a software update to patch whatever vulnerability was being exploited. (if it could even connect to the logic board).

 

This whole thing is a giant tin-foil hat worthy scare. 


12 minutes ago, mr moose said:

 

You are essentially saying leave your door unlocked the insurance will cover it.   Even if it does in every single case, the inconvenience and costs still mount.

 

I think it's more like saying locks can be picked, and in fact locksmiths can enter pretty much any house they want, not to mention the ones they installed the locks on. But it's still overall safe to have a lock, and to call locksmiths when in trouble. 


3 minutes ago, Drak3 said:

3rd party repair shops wouldn't exist.

The reason why they do is high margins. 

 

3 minutes ago, Drak3 said:

That's also assuming that the specific attack is easy to trace.

Hmmm, I just took my phone into a shop and now my account was stolen......hmmmmmm... there's also this weird contraption in my phone that shouldn't be there.....HMMMMM

 

3 minutes ago, Drak3 said:

All of which isn't hard to lift with a piece of modified firmware.

On the iPhone at least, unless you catch the first entry (assuming the user doesn't just scan it) you can't get the data off the phone via software.


4 minutes ago, spartaman64 said:

You face the same risks if you buy a used phone or computer, so people should never buy anything used.

You are literally trying to say risks are everywhere, therefore don't even try. There are risks and there are risks that can be minimized with a little forethought, you are dismissing even applying a little forethought. Sad really.

1 minute ago, DrMacintosh said:

Yeah no. Replacement glass that is a display, digitizer, and keylogger all-in-one that can fit and connect (not just connect, but also send the data anywhere) to something like the logic board on the iPhone or any other flagship is far from feasible today, or ever. 

 

For example, say Apple finds out about this before even 1 device is affected, all it would take is a software update to patch whatever vulnerability was being exploited. (if it could even connect to the logic board).

 

This whole thing is a giant tin-foil hat worthy scare. 

More assumptions. Now you are hypothesizing outcomes to mitigate a condition you don't even think has potential. 
