Phone replacement parts can be used to hijack a phone

[spartaman64]

2 minutes ago, mr moose said:

you are literally trying to say risks are everywhere therefore don't even try.  there are risks and there are risks that can be minimized with a little forethought, you are dismissing even applying a little forethought.  sad really.

More assumptions. Now you are hypothesizing outcomes to mitigate a condition you don't even think has potential. 

what makes buying a used device less dangerous? i understand there are risks but even you probably would take that risk buying something used but when it comes to someone fixing your phone it becomes a big no no and i dont understand why. i would expect buying a used device a bigger risk than having someone fix your current one as they would have a limited amount of time with it while someone selling a used device has a lot of time to put all sorts of stuff on it

[DrMacintosh]

Just now, mr moose said:

More assumptions

Its not an assumption that there are no free connection points on the iPhone logic board or ever have been. It's not an assumption that the display connectors on the iPhones are fully occupied and can't be modified to accept anything else. And finally its not an assumption that something like this could be patched. 

[Not_Sean]

2 minutes ago, SpaceGhostC2C said:

I think it's more like saying locks can be picked, and in fact locksmiths can enter pretty much any house they want, not to mention the ones they installed the locks on. But it's still overall safe to have a lock, and to call locksmiths when in trouble. 

thank you. 

[Drak3]

3 minutes ago, DrMacintosh said:

Yeah no. Replacement glass that is a display, digitizer, and keylogger all-in-one that can fit and connect (not just connect, but also send the data anywhere) to something like the logic board on the iPhone or any other flagship is far from feasible today, or ever. 

 

For example, say Apple finds out about this before even 1 device is affected, all it would take is a software update to patch whatever vulnerability was being exploited. (if it could even connect to the logic board).

 

This whole thing is a giant tin-foil hat worthy scare. 

You say this. But here's the thing. This concept was being practiced years ago with CDROM distributed games. They would install rootkits, to combat DRM, that could be exploited and software couldn't fix the issue. Only mitigate it.

 

All it takes is for a black hat to decide to do it, and this is simply a reminder that it is possible.

Just now, DrMacintosh said:

Hmmm, I just took my phone into a shop and now my account was stolen......hmmmmmm... theres also this weird contraption in my phone that shouldn't be there.....HMMMMM

It's firmware. It lives on the EPROM/EEPROM of a component that is supposed to be there. Also, assuming they do it immediately and don't wait.

 

1 minute ago, DrMacintosh said:

The reason why they do is high margins. 

High margins can't fix nobody going there, as you imply.

 

1 minute ago, DrMacintosh said:

On the iPhone at least, unless you catch the first entry (assuming the user doesnt just scan it) you cant get the data off the phone via software. At least on the iPhone

Not by any means you're aware of. iOS isn't an inpenetrable fortress. But keep thinking that.

[mr moose]

3 minutes ago, SpaceGhostC2C said:

I think it's more like saying locks can be picked, and in fact locksmiths can enter pretty much any house they want, not to mention the ones they installed the locks on. But it's still overall safe to have a lock, and to call locksmiths when in trouble. 

so if someone showed you how a particular lock could be picked and there was a free way you could help prevent that from happening,  would you just ignore it as tinfoil? or would look into it?

[spartaman64]

1 minute ago, mr moose said:

so if someone showed you how a particular lock could be picked and there was a free way you could help prevent that from happening,  would you just ignore it as tinfoil? or would look into it?

pretty much all household locks are fairly simple to pick and i dont see you upgrading your lock to a bank vault grade one

[DrMacintosh]

1 minute ago, Drak3 said:

This concept was being practiced years ago with CDROM distributed games.

Comparing CDROM games and injecting malware into a smartphone via a display connector....nice. 

 

2 minutes ago, Drak3 said:

It's firmware.

And firmware can be stopped. Remember when Apple just diabled third party TouchID sensors? They can do it again. 

 

2 minutes ago, Drak3 said:

as you imply.

I never implied nobody goes to repair shops. The vast majority of people do not go to repair shops. Thats a fact.

 

3 minutes ago, Drak3 said:

iOS isn't an inpenetrable fortress.

It's pretty close, at least compared to the competition.  

 

 

[mr moose]

2 minutes ago, spartaman64 said:

what makes buying a used device less dangerous? i understand there are risks but even you probably would take that risk buying something used but when it comes to someone fixing your phone it becomes a big no no and i dont understand why. i would expect buying a used device a bigger risk than having someone fix your current one as they would have a limited amount of time with it while someone selling a used device has a lot of time to put all sorts of stuff on it

I never said it was a big no no, I said it was a risk that we should be weary of.    Why are you trying to dismiss one risk out of hand but then accept it as being real in a paralleled example?

2 minutes ago, DrMacintosh said:

Its not an assumption that there are no free connection points on the iPhone logic board or ever have been. It's not an assumption that the display connectors on the iPhones are fully occupied and can't be modified to accept anything else. And finally its not an assumption that something like this could be patched. 

You are assuming replacement parts need to have a modified phone.  You don't know that, it hasn't even happened yet and you are making assumptions as to why it won't.

 

 

[DrMacintosh]

Just now, mr moose said:

it hasn't even happened yet

EXACTLY! And you are already saying how this can be the next Y2K! 

[Not_Sean]

2 minutes ago, mr moose said:

so if someone showed you how a particular lock could be picked and there was a free way you could help prevent that from happening,  would you just ignore it as tinfoil? or would look into it?

There is no alternative to getting my iPhone screen replaced besides walking into apple and buying a new one if you want to prevent the chance of been hacked. So no I'll take off my tin foil and save a large amount of money thank you. 

 

Also don't turn your computer on, as there is a chance of been hacked that is more likely than phone hacked through a screen replacement. 

[spartaman64]

Just now, mr moose said:

I never said it was a big no no, I said it was a risk that we should be weary of.    Why are you trying to dismiss one risk out of hand but then accept it as being real in a paralleled example?

You are assuming replacement parts need to have a modified phone.  You don't know that, it hasn't even happened yet and you are making assumptions as to why it won't.

 

 

yes you should be weary of it but it doesnt mean you shouldnt have someone fix your phone. there is a certain amount of risk that you can accept and an example of that is that you are not upgrading your door lock to a bank vault grade lock so you are accepting some risk there

[mr moose]

4 minutes ago, spartaman64 said:

pretty much all household locks are fairly simple to pick and i dont see you upgrading your lock to a bank vault grade one

missed the point

2 minutes ago, DrMacintosh said:

EXACTLY! And you are already saying how this can be the next Y2K! 

No I am not. 

1 minute ago, Not_Sean said:

There is no alternative to getting my iPhone screen replaced besides walking into apple and buying a new one if you want to prevent the chance of been hacked. So no I'll take off my tin foil and save a large amount of money thank you. 

 

Also don't turn your computer on, as there is a chance of been hacked that is more likely than phone hacked through a screen replacement. 

Iphones are not the only phones and there are many iphones out there now that can have there screens replaced at booths in malls.

1 minute ago, spartaman64 said:

yes you should be weary of it but it doesnt mean you shouldnt have someone fix your phone. there is a certain amount of risk that you can accept and an example of that is that you are not upgrading your door lock to a bank vault grade lock so you are accepting some risk there

I never said you shouldn't have your phone fixed, I just said you should be weary when you have it fixed.   

 

Please tell me where I said you should avoid getting your screen fixed, and please tell me why I should not be weary of a danger that has already been proven possible.

[SpaceGhostC2C]

5 minutes ago, mr moose said:

so if someone showed you how a particular lock could be picked and there was a free way you could help prevent that from happening

Which free way? Refusing to buy third party spares or use third party repair services isn't free, that is the point. Three is a cost in saying "I'll only bring it to Apple, because I believe a rogue apple employee is less likely than a rogue Rosman or a hacked spare". 

It is a valid choice, but not free of cost. And I don't care what everyone decides for themselves anyway, I just said it's not an advice In willing to give based on what the risk seems to be. 

[Drak3]

Just now, DrMacintosh said:

The vast majority of people do not go to repair shops. Thats a fact.

Source? If you've done your own scientific study with a decent sample size and samples from all over the world, that can be replicated, that'll work.

 

Just now, DrMacintosh said:

It's pretty close, at least compared to the competition.

Keep telling yourself that, or provide the all knowing source that tells you these divine secrets.

 

1 minute ago, DrMacintosh said:

And firmware can be stopped. Remember when Apple just diabled third party TouchID sensors? They can do it again. 

Apple disabled TouchID sensors that had ID tags that weren't Apple's. Change the tags, and Apple's band aid no longer sticks. And if Apple does manage to band aid fix this, you realize it means that the phone will be rendered unusable as the firmware for the input and output method of said phone is now unusable, right?

[mr moose]

5 minutes ago, SpaceGhostC2C said:

Which free way? Refusing to buy third party spares or use third party repair services isn't free, that is the point. Three is a cost in saying "I'll only bring it to Apple, because I believe a rogue apple employee is less likely than a rogue Rosman or a hacked spare". 

It is a valid choice, but not free of cost. And I don't care what everyone decides for themselves anyway, I just said it's not an advice In willing to give based on what the risk seems to be. 

 

WTF are you even arguing about now?    I said a free way to "help prevent", not to avoid completely.  You do know how risk management works right?

 

It doesn't cost you anything to double check where your repairer gets their stock from or how legitimate they are.

 

 

 

[DrMacintosh]

4 minutes ago, Drak3 said:

you realize it means that the phone will be rendered unusable as the firmware for the input and output method of said phone is now unusable, right?

And you realize the alternative is allowing users data to be potentially stolen. Right?

 

4 minutes ago, Drak3 said:

If you've done your own scientific study with a decent sample size and samples from all over the world, that can be replicated, that'll work.

The market is its own scientific study. Apple has shipped 1 Billion units to date, and 1Billion people have certainly not gone to a repair shops. If you think 1Billion people have you are simply naive.  

[spartaman64]

7 minutes ago, mr moose said:

missed the point

No I am not. 

Iphones are not the only phones and there are many iphones out there now that can have there screens replaced at booths in malls.

I never said you shouldn't have your phone fixed, I just said you should be weary when you have it fixed.   

 

Please tell me where I said you should avoid getting your screen fixed, and please tell me why I should not be weary of a danger that has already been proven possible.

ok then we are not in disagreement and i dont think many of the other people you are debating with disagree with that either

[SpaceGhostC2C]

1 minute ago, mr moose said:

 

WTF are you even arguing about now?    I said a free way to "help prevent", not to avoid completely.  You do know how risk management works right?

What are you on, mate? I talked about the cost, not about whether it's 100% reduction or 59% or whatever...

 

1 minute ago, mr moose said:

 

It doesn't cost you anything to double check where your repairer gets there stock from or how legitimate they are.

But then we are saying the same thing, as opposed to the people saying "never haha your phone to a repairer!" 

In which case, stop pretending I'm disagreeing with you in particular, because my point has been the same from the beginning

 

[Drak3]

Just now, DrMacintosh said:

And you realize the alternative is allowing users data to be potentially stolen. Right?

Via method that cannot simply be fixed on any current device.

 

1 minute ago, DrMacintosh said:

The market is its own scientific study. Apple has shipped 1 Billion units to date, and 1Billion people have certainly not gone to repair shop. If you think 1Billion people have you are simply naive. 

Translated: You're full of shit and can't back up your claim with anything.

[DrMacintosh]

2 minutes ago, Drak3 said:

You're full of shit and can't back up your claim with anything.

You you believe that at least 500 Million people have been to repair shops to get their phones serviced?  

[Drak3]

Just now, DrMacintosh said:

You you believe that at least 500 Million people have been to repair shops?  

I believe that millions of people have been to repair shops. But I'm not making EXTREMELY stupid claims that next to no one does.

[DrMacintosh]

1 minute ago, Drak3 said:

I believe that millions of people have been to repair shops

Millions compared to the Billion iPhones alone that have been sold is still significantly less than the majority of users. 

 

Its not stupid its true. 

[Drak3]

Just now, DrMacintosh said:

Millions compared to the Billion iPhones that have been sold is still significantly less than the majority of users. 

Millions is still a sizeable target. And the issue isn't whether the majority of phone buyers go to repair shops, it's whether a significant number of users go to repair shops.

[DrMacintosh]

2 minutes ago, Drak3 said:

And the issue isn't whether the majority of phone buyers go to repair shops, it's whether a significant number of users go to repair shops.

Actually not its not  

 

Its the validity of a threat that presents itself in the form display units that inject malware into the device and keylog. 

[spartaman64]

3 minutes ago, Drak3 said:

Millions is still a sizeable target. And the issue isn't whether the majority of phone buyers go to repair shops, it's whether a significant number of users go to repair shops.

how many people does one repair shop service? thats about the amount of people you can target with that. its easier to just sell cheap used phones on ebay with keyloggers you will get a much bigger group of targets and who wouldnt buy a 50 dollar iphone 6