GhostTouch Offers Spooky Touchscreen Action at a Distance as an Attack Against Smartphones and More
Capable of operating through a table surface, GhostTouch can invisibly interact with capacitive touchscreens without your knowledge.
Researchers at Zhejiang University and the Technical University of Darmstadt have come up with a way to activate a touchscreen without actually touching it — opening the door for "GhostTouch" attacks against smartphones, tablets, and more.
"Capacitive touchscreens have become the primary human-machine interface for personal devices such as smartphones and tablets," the team explains. "In this paper, we present GhostTouch, the first active contactless attack against capacitive touchscreens. GhostTouch uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it."
Using a tuned signal and adjusting an antenna, the GhostTouch system allows for tap and swipe interactions without anyone ever physically touching the device — and its successful experimentation across nine off-the-shelf smartphone models suggests it's applicable to almost any touchscreen system that uses capacitive sensing.
"To achieve our attack we had to overcome two technical challenges," the researchers write. "It is difficult to affect a touchscreen by EMI [Electromagnetic Interference], since modern touchscreens and devices go through thorough electromagnetic compatibility (EMC) tests and utilize anti-interference design such as shielding and layout optimization to avoid the influence of environmental interference. To address this challenge, we carefully design the transmitting antenna, signal frequency, and attack distance to improve the electromagnetic signal propagation gain, therefore achieving an effective touch injection."
"Even if we can inject touches," the researchers continue, "it is still difficult to create predictable touch events with the touchscreen specifics undisclosed and varying from device to device. We probe the screen to disclose the touchscreen specifics and adjust the parameters of the attack signal accordingly to inject predictable touch events, such as a tap, a swipe-up, or a swipe-down in targeted locations."
To demonstrate the danger of GhostTouch, the team showcase three "practical attack scenarios": answering a phone call so an attacker can eavesdrop on a conversation; automatically establishing a connection to a malicious Wi-Fi network or Bluetooth device; and implanting malware by automatically answering a message and following a link to download the payload.
In mitigation, the team suggest a series of potential countermeasures including the use of reinforced electromagnetic shielding to protect the screen from interference, the use of a detection algorithm running on-device capable of distinguishing between real and likely-fake touch events, and the use of identity verification prompts before potentially harmful actions are taken.
A preprint version of the team's paper is available as part of the proceedings of the 31st USENIX Security Symposium.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.