Phone replacement parts can be used to hijack a phone

[DrMacintosh]

1 minute ago, spartaman64 said:

how many people does one repair shop service?

Actually yeah that's the one of the major flaws with this style of "attack" 

[Drak3]

1 minute ago, DrMacintosh said:

Actually not its not  

 

Its the validity of a threat that is in the form display units that inject malware into the device and keylog. 

It's an extremely valid threat.

 

Just now, spartaman64 said:

how many people does one repair shop service? thats about the amount of people you can target with that. its easier to just sell cheap used phones on ebay with keyloggers you will get a much bigger group of targets

Assuming that we're just talking about an individual employee doing it. It's not exactly rare for an interception of the supply chain to occur. A single truckload of digitized screens, for a wide spread attack makes. That's another route of executing this type of attack.

 

1 minute ago, DrMacintosh said:

Actually yeah that's the one of the major flaws with this style of "attack" 

Only if one is an idiot.

[DrMacintosh]

Just now, Drak3 said:

It's an extremely valid threat.

A threat is valid if there is a means to carry it out. 

 

This "threat" is about as serious as North Korea's threats to Guam. 

[spartaman64]

1 minute ago, Drak3 said:

It's an extremely valid threat.

 

Assuming that we're just talking about an individual employee doing it. It's not exactly rare for an interception of the supply chain to occur. A single truckload of digitized screens, for a wide spread attack makes. That's another route of executing this type of attack.

 

Only if one is an idiot.

so you are talking about a supplier of digitizers to sell keylogged ones to repair shops. repair shop people tend to know a bit about digitizers so you are almost asking to be discovered its much safer and easier to just sell used iphone units 

[ARikozuM]

On 8/20/2017 at 7:19 AM, Jito463 said:

Same here.  We ask for customer's PINs because we need to test the full range of the digitizer input, to make certain the new screen is working correctly without issue.  We've rarely had an issue with the customer refusing, although a few have chosen not to give it to us, so we weren't able to test it until they came to pick it up.

Is that standard practice? I usually ask people to change the password or PIN to 0000 for the repair. 

[Drak3]

Just now, DrMacintosh said:

A threat is valid if there is a means to carry it out. 

And we're back to the implications that basically no one has ever taken anything electronic to get repaired, ever. As so far, we've only talked about the threat being executed through repair shops.

 

Just now, DrMacintosh said:

This "threat" is about as serious as North Korea's threats to Guam. 

Elaborate. So far, we've only got you talking about how the potential target is too small, without providing actual numbers or sources.

1 minute ago, spartaman64 said:

so you are talking about a supplier of digitizers to sell keylogged ones to repair shops. repair shop people tend to know a bit about digitizers so you are almost asking to be discovered its much safer and easier to just sell used iphone units 

Not the supplier themselves. Intercepting a shipment of anything, means that you're stealing the original, and replacing them with counterfeits, then selling the orignals anyways. Rather common in China, were most electronic components see at least partial manufacture. And the risk isn't that large when you operate in a country that doesn't give a shit about stopping it.

[spartaman64]

4 minutes ago, Drak3 said:

And we're back to the implications that basically no one has ever taken anything electronic to get repaired, ever. As so far, we've only talked about the threat being executed through repair shops.

 

Elaborate. So far, we've only got you talking about how the potential target is too small, without providing actual numbers or sources.

Not the supplier themselves. Intercepting a shipment of anything, means that you're stealing the original, and replacing them with counterfeits, then selling the orignals anyways. Rather common in China, were most electronic components see at least partial manufacture. And the risk isn't that large when you operate in a country that doesn't give a shit about stopping it.

4

i find it hard to believe that nobody cares if people break in and replace a box with another

[DrMacintosh]

1 minute ago, Drak3 said:

As so far, we've only talked about the threat being executed through repair shops.

Where else would it be happening? 

 

If you ask me it sounds like you want this to happen. 

[Drak3]

Just now, DrMacintosh said:

Where else would it be happening? 

Any manufacturer that relies on another manufacturer for any part.

 

1 minute ago, DrMacintosh said:

If you ask me it sounds like you want this to happen.

Only to you.

 

1 minute ago, spartaman64 said:

i find it hard to believe that nobody cares if people break in and take a shipment and probably spend a couple of days with them and then put them back even with china

I can't believe I have to explain in detail what an interception is.

 

They don't break into a warehouse. Whilst mid shipment, they swap real product with counterfeits. The easiest method is to have one of the grunts take up employment with the target company. They can also pay off a regular employee or attempt a quiet swap covertly.

[spartaman64]

2 minutes ago, Drak3 said:

Any manufacturer that relies on another manufacturer for any part.

 

Only to you.

 

I can't believe I have to explain in detail what an interception is.

 

They don't break into a warehouse. Whilst mid shipment, they swap real product with counterfeits. The easiest method is to have one of the grunts take up employment with the target company. They can also pay off a regular employee or attempt a quiet swap covertly.

 

i edited my response afterwards and i cant believe that would happen without anyone caring and the shipping company wont have security cameras?

btw im chinese lol

[Drak3]

Just now, spartaman64 said:

i edited my response afterwards and i cant believe that would happen without anyone caring and the shipping company wont have security cameras?

In China, everything short of murder is fair business, and murder in business practically warrants a slap on the wrist.

At the warehouse, yes. On trucks, doubtful, and even if they do, it's not like it's hard to fake a technical issue.

[DrMacintosh]

5 minutes ago, Drak3 said:

Any manufacturer that relies on another manufacturer for any part.

So essentially you think that installing a conspiracy into a supply chain is going to be easy and could happen and nobody would notice. 

[Drak3]

Just now, DrMacintosh said:

So essentially you think that installing a conspiracy into a supply chain is going to be easy and could happen. 

Has happened. Not that hard.

[spartaman64]

Just now, Drak3 said:

Has happened. Not that hard.

not hard to start but probably hard to keep going 

[DrMacintosh]

Just now, Drak3 said:

Not that hard

No actually its extremely difficult. 

[Drak3]

Just now, spartaman64 said:

not hard to start but probably hard to keep going 

They only need to do it once.

 

Just now, DrMacintosh said:

No actually its extremely difficult. 

No, it isn't. Security on component transportation is nonexistent. And as far as manufacturers are concerned, they're not going to check every in and out of the shipment. Just shipment numbers and arrival state. Anything beyond that is seen as a waste of resources.

[spartaman64]

Just now, Drak3 said:

They only need to do it once.

 

No, it isn't. Security on component transportation is nonexistent. And as far as manufacturers are concerned, they're not going to check every in and out of the shipment. Just shipment numbers and arrival state. Anything beyond that is seen as a waste of resources.

idk it doesnt seem like you can get in more than a few hundred that way unless people really dont care that there is a gang of 20 people moving boxes around all day

[Drak3]

Just now, spartaman64 said:

idk it doesnt seem like you can get in more than a few hundred that way unless people really dont care that there is a gang of 20 people moving boxes around all day

Few hundred is all they need. And they're not stopping at your friendly Walmart parking lot or Maverick to do the exchange. They're going to be a tad more discreet about it.

[Jito463]

2 hours ago, spartaman64 said:

that is illegal. banks are required by law to insure your account up to a pretty large amount so only millionaires and the sort would be having trouble with that and i think a millionaire would have no trouble just buying 50 new phones

It depends on the country you live in.  Not everyone lives in the US (or somewhere that has similar banking laws).

51 minutes ago, DrMacintosh said:

A threat is valid if there is a means to carry it out. 

 

This "threat" is about as serious as North Korea's threats to Guam. 

Were they threatening to tip them over?  

[mr moose]

4 hours ago, DrMacintosh said:

So essentially you think that installing a conspiracy into a supply chain is going to be easy and could happen and nobody would notice. 

The university dude quoted in the article does claim: "As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques. A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets".

 

Getting someone in china to mass manufacture these parts is not hard at all, in fact for the last 20 years manufacturers have been battling against counterfeit electronic parts coming out of china, many of them so good they fool the specialists who work with them everyday only being discovered when they fail earlier than they should.

[markr54632]

Funniest topic in a while. I could see how a compromised device would be able to intercept data,, but not how it could send it. Your input device should not have sufficient priviledges. Even if it did manage to do so I will continue repairing my phones with Chinese parts. Without cheap Chinese parts I would go years without a phone. I can only afford to upgrade once every 2-3 years. If it breaks I fix it. If I cant fix it I will go without or use an old flip phone.

[mr moose]

29 minutes ago, markr54632 said:

Funniest topic in a while. I could see how a compromised device would be able to intercept data,, but not how it could send it. Your input device should not have sufficient priviledges. Even if it did manage to do so I will continue repairing my phones with Chinese parts. Without cheap Chinese parts I would go years without a phone. I can only afford to upgrade once every 2-3 years. If it breaks I fix it. If I cant fix it I will go without or use an old flip phone.

according to the article the screen drivers are not considers a security risk (because they are closely guarded in house drivers only available on that specific device). Thus the screen has what amounts to kernal access. 

 

I do the same with phones.  I upgrade once every 2-3 years and go back to a flip phone (I actually prefer them) if I bust mine. 

[RedRound2]

11 hours ago, SpaceGhostC2C said:

It's impasible to know if OEM repairer does something like that either. 

1

That's where probability comes in. The chances of authorized Apple service centers ever doing that is close to zero while its impossible to say the same of third parties when there is no one governing them, proving your point moot

[SpaceGhostC2C]

5 hours ago, RedRound2 said:

That's where probability comes in.

So you are agreeing with me?

5 hours ago, RedRound2 said:

The chances of authorized Apple service centers ever doing that is close to zero while its impossible to say the same of third parties when there is no one governing them, proving your point moot

Or rather proving once again that 83.7% of quantitative statements are made up... 

 

[mr moose]

5 hours ago, SpaceGhostC2C said:

So you are agreeing with me?

Or rather proving once again that 83.7% of quantitative statements are made up... 

 

11 out of 10 people know this isn't true.