Remotely Controlling Touchscreens

Researchers have demonstrated controlling touchscreens at a distance, at least in a laboratory setting:

The core idea is to take advantage of the electromagnetic signals to execute basic touch events such as taps and swipes into targeted locations of the touchscreen with the goal of taking over remote control and manipulating the underlying device.

The attack, which works from a distance of up to 40mm, hinges on the fact that capacitive touchscreens are sensitive to EMI, leveraging it to inject electromagnetic signals into transparent electrodes that are built into the touchscreen so as to register them as touch events.

The experimental setup involves an electrostatic gun to generate a strong pulse signal that’s then sent to an antenna to transmit an electromagnetic field to the phone’s touchscreen, thereby causing the electrodes, which act as antennas themselves, to pick up the EMI.

Paper: “GhostTouch: Targeted Attacks on Touchscreens without Physical Touch”:

Abstract: Capacitive touchscreens have become the primary human-machine interface for personal devices such as smartphones and tablets. In this paper, we present GhostTouch, the first active contactless attack against capacitive touchscreens. GhostTouch uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it. By tuning the parameters of the electromagnetic signal and adjusting the antenna, we can inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen and control them to manipulate the underlying device. We successfully launch the GhostTouch attacks on nine smartphone models. We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password. Finally, we discuss potential hardware and software countermeasures to mitigate the attack.

Posted on June 2, 2022 at 3:59 PM • 15 Comments

Comments

TimH June 2, 2022 4:39 PM

40mm… so you have to brush up to someone whose phone’s front is facing out and not moving for 0.5s.

Let me not get paranoid quite yet.

JonKnowsNothing June 2, 2022 4:51 PM

@All

Might be useful tech for those with limited hand mobility or stability. The stylus isn’t very good. Not having to actually punch the screen could be helpful. Maybe add a laser trail so you can find where you are punching.

Even if the laser device were accurate the touch zones on the phone aren’t. So you might need a secondary preview window to pop up to show if you are poking a T or a Y. (1)

===

1) some of this is available but afaik you still have to poke, press, slide and roll.

SpaceLifeForm June 2, 2022 4:56 PM

Real keyboard please

If you have a “Smart phone”, I am sure you have encountered this behaviour.

You do not touch, but yet it acts as though you touched a link (just because you have a digit close), so it wastes your time following a link that you did not want to chase.

grumbles June 2, 2022 5:27 PM

Man, they missed an opportunity by failing to call this the “Invisible Hand” attack.

SpaceLifeForm June 2, 2022 7:41 PM

@ grumbles

… of the Marketplace

Imagine the invisible clicks on ads.

Ted June 2, 2022 9:32 PM

It’s interesting that the paper offers potential countermeasures. These include: reinforcement of the touchscreen, a detection algorithm, and/or identity verification.

Of all these measures, the detection algorithm seems like the easiest to implement.

At least this approach doesn’t require changes to the hardware or require users to interact with the device for “high-risk actions” like connecting to a Bluetooth device.

I guess the touch interval would be a give-away:

For example, the GhostTouch attack can be detected utilizing the touch interval between pressing and lifting the finger.
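The touch-interval check quoted in the comment above, sketched as an added example (not code from the paper or from any commenter): it learns the owner's typical press duration and flags touches that deviate strongly from it, plus lifts and presses that have no partner. The event format, the sample data and the threshold `k` are assumptions; the page does not say in which direction injected touches differ, so outliers on both sides are flagged.

```python
from statistics import median

def pair_touches(events):
    """Pair DOWN/UP events per pointer id.
    Returns ([(down_ts_ms, duration_ms)], [unpaired events])."""
    open_down, touches, orphans = {}, [], []
    for ts, pointer, action in sorted(events):
        if action == "DOWN":
            if pointer in open_down:  # previous DOWN never got its UP
                orphans.append((open_down[pointer], pointer, "DOWN"))
            open_down[pointer] = ts
        elif pointer in open_down:    # UP closing an open press
            down = open_down.pop(pointer)
            touches.append((down, ts - down))
        else:                         # UP with no matching DOWN
            orphans.append((ts, pointer, "UP"))
    orphans.extend((ts, p, "DOWN") for p, ts in open_down.items())
    return touches, orphans

def fit_baseline(durations):
    """Robust centre/spread (median, MAD) of the owner's press durations."""
    med = median(durations)
    mad = median(abs(d - med) for d in durations)
    return med, max(mad, 1.0)         # floor avoids a zero spread

def flag_touches(touches, baseline, k=4.0):
    """Touches whose duration is more than k robust sigmas from the median."""
    med, mad = baseline
    sigma = 1.4826 * mad              # MAD -> std-dev for normal data
    return [(ts, d) for ts, d in touches if abs(d - med) > k * sigma]

# Constructed sample data (milliseconds), not measurements from the paper.
ENROLMENT = [82, 95, 110, 74, 130, 101, 88, 120, 97, 105]
SESSION = [
    (1000, 0, "DOWN"), (1092, 0, "UP"),   # 92 ms
    (2000, 0, "DOWN"), (2004, 0, "UP"),   # 4 ms
    (3000, 0, "DOWN"), (3110, 0, "UP"),   # 110 ms
    (4000, 0, "UP"),                      # lift with no press
    (5000, 1, "DOWN"), (5900, 1, "UP"),   # 900 ms
]

if __name__ == "__main__":
    touches, orphans = pair_touches(SESSION)
    print("flagged:", flag_touches(touches, fit_baseline(ENROLMENT)))
    print("unpaired:", orphans)
```

A legitimate long-press also lands in the flagged set here, so a real implementation would treat a flag as a reason to ask for confirmation before a high-risk action rather than as proof of injection.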

LOL June 2, 2022 10:13 PM

I think this would work esp. well with my Apple TV remote’s touch pad. It already practically reacts to hovering my finger above it.

40 mm is not “remote” (except maybe to people who do not know what a tiny distance a millimeter is).

Clive Robinson June 3, 2022 2:27 AM

@ LOL,

Re : 40 mm is not “remote”

To the touch screen, but what about the hand that normally holds the phone?

An example the authors use is that the phone user puts their phone down on a table, thereby bringing the phone within range of their ESD device hidden under the table.

When at home, or in the office, or other space they trust, many users put their phones down on a table so the phone is “within easy reach”. Of those users quite a few “wander off” to “do things” from time to time such as get a glass of water from the cooler, and don’t pick their phone up… When they get back to their eye nothing will have moved/changed so they are unlikely to get suspicious.

The attacker can make an “under table ESD device” that uses a radio link fairly easily so could be as far away as the speed of light allows them a reasonable response time.

So “remote” depends on what part of the attack you look at.

Hans June 3, 2022 2:29 AM

40 mm is not much yet. But the proof of concept is done. Now work can be done to improve this attack.
Or find actually useful applications for it.

Emoya June 3, 2022 7:47 AM

In a reality where we are forced to acknowledge risks across great distances, 40mm seems relatively minuscule, practically zero, and is easy to dismiss. However, as Clive pointed out, this may bridge the last gap in a more complex attack, that one final, seemingly inconsequential, straw that broke the camel’s back.

Any manipulation not explicitly intended by the designer/engineer is…

From a security perspective: a vulnerability
Identify > Assess > Mitigate

From a business perspective: an application
Identify > Evaluate > Capitalize

The key lies in the many differences between Assessment and Evaluation, one of which is the required effort, and, by extension, time. Evaluations will always outpace Assessments. Because such a short distance drastically reduces the perception of risk, concerns are placated, and business will find a way to stuff its pockets.

I expect we may see products that exploit this attack long before it is taken seriously enough to be addressed. If we are lucky, someone with malicious intent will leverage it and be discovered, opening everyone’s eyes, before “legitimate” products gain a foothold in the market. Once significant capital gains have been realized, the door will likely never be fully shut.

Clive Robinson June 3, 2022 9:09 AM

@ Emoya, ALL,

Once significant capital gains have been realized, the door will likely never be fully shut.

It’s not just the capital invested to be lost, or the jobs created to be lost, or much else in the commercial and civilian world that would be argued as lost.

They could be compensated for in some way, if a government chose to do so.

The problem is that the citizens and society no longer have a place, influence or control of “their” Governments any longer.

However as politicians have found out, they have no privacy from agencies they thought they had control over. Some realise they in fact have no control at all, they are in fact just puppets of those agencies in some way.

Who actually controls those agencies is an unknown even to most in those agencies. I’m not talking about some conspiracy, just the reality of the way they are setup and funded, and the fact they have control by restricting information to others so that they can help or hinder as they see fit.

One of the greatest risks we face is that some attitudes in political view points such as “small government” require not just the outsourcing of activities but the outsourcing of the actual control of those activities and direct control over those carrying them out.

As has been seen with Palantir the aim is to stop the jobs being taken back by Government, be it Federal, State, Regional or local. We can see that their aim with law enforcement is to get rid of the investigative positions that are the equivalent of “intelligence analysts”. That is Law Enforcement “detectives”, but also other agency investigators and the likes of civilian “investigative journalists”.

The idea is simple, control the flow of the raw resource “information” at first by supply being cheaper and faster. Produce not just reports but basic analysis… But how do they analyze? Simple they provide the information by database, this has two primary advantages,

1, Human investigators type in searches they know are helpful.
2, Law enforcement type in information into their local database.

In both cases Palantir gets them, effectively for free and thus can use them for other “customers” for profit.

As the systems improve Palantir raises the price in one way or another. As we know resources are finite, so if Palantir’s slice of the pie gets larger another slice of the pie has to get smaller. Almost always in public bodies this falls on the most experienced and longest serving members. Who get encouraged to retire early, or eventually be made redundant. But when they go they are not replaced, that is an equal number of people are not moved up. The work is simply pushed down onto the less experienced, who get “supported” by Palantir systems until it is time for them in turn to be replaced by less personnel who are less experienced, less costly, and more dependent than ever on Palantir’s systems.

At some point a threshold is reached, or if you prefer a tipping point where the agencies can not go back, like an adolescent junky they are not just hooked but owned by Palantir. Who like all drug dealers will just jack up the price endlessly as they have not just the power by way of near total control of the information, they have control of the agency by how they make the information available.

Call it “dining with the Devil” or “signing with the devil” the price is not just high, it demands and gets the very essence or soul of the entities foolish enough to sup or sign.

At some point that will not be enough, other business models will be developed, each more invasory, each more lucrative, and each more anti-society. Eventually a line will be crossed where the product sold will be “control”.

There is little doubt about this as it’s already happened. Go back and look at “Cambridge Analytica” and how they operated. Set up by a US Hedge Fund manager who wanted ultimate longterm political control. They claimed to “sell election results” and much else besides including influence obtained by criminal activities through Russia.

His daughter has taken on his role as influence peddler to US Politicians and has resources at her control that most others can only dream of, but some are aspiring to gain.

These are the people who would be the neo-king-makers, and neo-barons, and they look on us in the same way the Kings, Bishops, and Barons of old did, not as expensive slaves, but inexpensive serfs. To be used, abused, discarded and disposed of by their whim, with no recourse.

Quantry June 3, 2022 11:44 AM

Makes a case for using a faraday bag, regardless of how the perturbations are emitted. Although I suppose holographic charging with bessel beams might be used for charging the vapor inside the bag. Geez.

Oh wait, might be yet another case for not owning a smart phone. Dang, almost slipped my mind.

mark June 3, 2022 11:46 AM

Where can I get one, given my just-bought-last-year Samsung Tab A refuses to recognize my finger on the screen half the time, and is just as bad with a generic stylus?

Dave June 3, 2022 12:46 PM

Something very similar was demonstrated at Kiwicon in New Zealand a few years ago, they used EMI to activate a building door touch sensor, the kind that opens the door to let you out if you’re inside, from the outside to get them into the building.

Connor June 4, 2022 1:54 PM

As interesting as stories like these are, I always feel that it’s more valuable as a plot device in a Hollywood film than a real threat to society. Unless you’re a high target person, like a spy, world leader, corporate CEO, etc. it’s not really something to worry about.
