In an international research project, researchers at the System Security Lab of the TU Darmstadt and the Zhejiang University in Hangzhou have for the first time succeeded in carrying out targeted attacks on capacitive touchscreens. With the so-called “GhostTouch” they were able to imitate touches on the display through electromagnetic interference (EMI) and thus control the smartphone remotely.
Nine out of twelve tested smartphone models could be manipulated in three different attack scenarios.
To implement the attack, the research team had to overcome two key technical challenges: first, the difficulty of affecting the touchscreen with electromagnetic interference in the first place, and second, creating predictable and controllable touches. “In our attacks, we varied the power of the EMI transmitting antenna, the signal frequency and the distance to the cellphone display in order to trigger touches such as tapping or swiping with the appropriate signal strength,” explains Richard Mitev, a doctoral student at the System Security Lab.
In order to achieve simultaneously controllable touches, the scientists thoroughly examined the screens of the tested smartphone models in advance. Each device model is based on certain movement patterns for actions such as unlocking, selecting or scrolling. By precisely tuning the parameters of the electromagnetic signal, these movement patterns could be imitated with specifically positioned touches.
With the help of the “GhostTouch” and the alleged touches that are made with it, various threats, such as the infiltration of malware, could be implemented in practical attack scenarios. For example, if attackers know the victim’s phone number, they can send a message containing a malicious link. If the phone then displays a notification for the incoming message, the notifications can be opened via “GhostTouch” and the link can be clicked to download the malware contained in the link, for example.
In addition, attackers can establish an insidious connection via WiFi or Bluetooth. For example, the mobile phone can be controlled with a Bluetooth mouse or a man-in-the-middle attack can be carried out, with which the communication can be intercepted, for example. Calls can also be received via “GhostTouch”, so that an eavesdropping attack can be started and the victim can be overheard.
Although the modern screens are subjected to thorough electromagnetic tests and have a shielding anti-interference design, targeted, contactless touches could be generated on nine of the twelve tested smartphone models and attacks could thus be carried out. This shows that the functionality of even the most modern touchscreens can be manipulated under certain conditions and with the right equipment and cannot be trusted blindly.
GhostTouch research results will be presented at this year’s USENIX Security Conference, taking place August 10-12 in Boston.
Link to the paper