Capacitive touchscreens have become the primary human-machine interface for personal devices such as smartphones and tablets. We present GhostTouchAttack, the first active contactless attack against capacitive touchscreens. GhostTouchAttack uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it. By tuning the parameters of the electromagnetic signal and adjusting the antenna, we can inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen and control them to manipulate the underlying device. We successfully launch the GhostTouchAttack on nine smartphone models. We can inject targeted taps continuously with a standard deviation of as low as 14.6 $\times$ 19.2 pixels from the target area, delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouchAttack in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.

A capacitive touchscreen is an input device normally layered on top of the display that detects human touches based on the capacitance variation. When a finger touches the screen, the capacitance at the touch point changes significantly as the charge stored in the screen gets drawn to the finger. By monitoring the capacitance variation at each point of the screen, a touchscreen can detect touch points and report touch events, e.g., tap, swipe, based on the timing and the locations of the detected touch points.

The touch sensor consists of a grid of transmitting (TX) and receiving (RX) electrodes made of transparent conductive materials, e.g., indium-tin-oxide (ITO). The scan driving method is designed to locate the touch points on the screen by exciting all TX electrodes in turn. As only one TX is excited at a time, the touchscreen can locate a touch to a specific position by the row and column of the active TX-RX pair and can also support multi-touch detection.

The GhostTouch system consists of two parts, a touch injector and a phone locator. The touch injector can inject touch events, e.g., a tap, a swipe, or multi-touch, into the touchscreen, and it includes a signal generator, an amplifier, an on/off switch, and a receiving antenna array. The on/off switch is used to select the correct antennas to emit the EMI signals such that it can inject touch events into the targeted RX lines. The phone locator can identify the position of the touchscreen. It consists of a sensing antenna array, a data acquisition device, and a location calculator.

The following figure illustrates a comparison of the similarity between the taps from 30 volunteers and the ones injected by the attacker. Compared with real touch events, the taps injected by the attacker are distributed in a smaller range on the x-axis, and distributed in a larger range on the y-axis.

We evaluate the GhostTouchAttack on 11 phone models. We set the attack distance to 6mm for all phones for comparison. Broadly distributed touch points can be injected into 9 of these smartphones. According to the results, we can inject touch points at chosen positions for 6 out of 11 phone models with GhostTouchAttack. For Galaxy S20 FE 5G and iPhone SE (2020), our approach can inject touch points successfully and perform malicious operations, but not always with high precision. Such a vulnerability is still dangerous, to illustrate, we managed to establish a malicious Bluetooth connection on iPhone SE (2020), with an average delay of 7.1 seconds.

The phone locator consists of sensing antennas and a NI MyDAQ. In practice we can place a matrix of sensing antennas to locate the phone positions with the following observation: a sensing antenna over the touchscreen can detect the radiated signals (e.g., the leaked signals of the TX excitation signal of the touchscreen at a frequency of 120Hz), while the ones away from the touchscreen will detect a weaker signal or none at all due to attenuation. Thus, the sensing antennas are used to receive the leaked signals, which are processed by the NI MyDAQ to deduce the phone location and orientation, with respect to the sensing antennas. After obtaining the phone position, we can infer the positions of the buttons based on the operating system and target application, e.g., Bluetooth connection accept dialog.

Here are video demos showing the real-world impact of the GhostTouchAttack.

• Answer the phone call

• Connect the malicious Bluetooth

Wang, Kai, et al. "{GhostTouch}: Targeted Attacks on Touchscreens without Physical Touch." 31st USENIX Security Symposium (USENIX Security 22). 2022.

• Prof. Wenyuan Xu (wyxu@zju.edu.cn)
• Prof. Xiaoyu Ji (xji@zju.edu.cn)

Ubiquitous System Security Laboratory (USSLab)		Zhejiang University