Some smartphone attacks necessitate physical access to the device and interactions with the touchscreen. So, as long as no one touches your phone, it’s safe, right? Wrong, according to a new study by security researchers from Zhejiang University in China and the Technical University of Darmstadt in Germany.
The paper (PDF), which will be presented at the Usenix Security Symposium in July, introduces GhostTouch, a type of attack that can execute taps and swipes on the phone’s screen from up to 40 millimeters away.
About Electromagnetic Interference
Capacitive touchscreens, which provide multi-touch capabilities and can measure small electric fields, are used in today’s smartphones and tablets. Capacitive touchscreens, on the other hand, are sensitive to the environmental impact of electromagnetic interference (EMI) and charger noise.
Previous research has shown that EMI can disrupt touchscreen user experiences and potentially cause random and harmful behavior. Because of EMI signals, a phone that was placed on a charger booked a very expensive hotel room in one case.
The researchers wanted to see if they could use EMI to create controllable touch events and trigger arbitrary behavior on capacitive touchscreens when developing GhostTouch.
Controllable Touch Events
The basic idea behind GhostTouch is to interfere with capacitance measurements on touchscreens by injecting electromagnetic signals into the receiving electrodes built into the touchscreen.
The researchers developed a technology stack consisting of a waveform generator that generates the EMI signal and an antenna that transmits it to the phone’s touchscreen. A phone locator module determines the exact location of the phone’s screen and calibrates the signals to specific locations.
GhostTouch is a targeted attack. To tune the equipment, the adversary must know the model and make of the victim’s phone. The attacker may also require additional information about the phone, such as the passcode, which they must obtain through social engineering or shoulder surfing.
The primary attack scenario is in public places such as cafes, libraries, or conference lobbies, where people may place their smartphones face-down on a table. The attacker will have hidden attack equipment beneath the table in order to launch attacks remotely.
The researchers used GhostTouch to test a variety of actions, including answering the phone, pressing a button, swiping up to unlock, and entering a password. For example, if the victim’s phone is set to silent mode, an attacker could call the victim, use GhostTouch to answer the call without alarming the victim, and then listen in on a private conversation.
In another case, the attacker could send a malicious link to the victim’s phone and then use GhostTouch to tap on it and download it.