Seven security researchers, five from Zhejiang University, China, and two from the Technical University of Darmstadt, Germany, have successfully demonstrated how to remotely hack and swipe smartphone touchscreens without actually touching them.
The attack methodology, which has been named WIGHT (WIred GHost Touch), is claimed to be the first wired attack on touchscreens using ghost touches by way of charging cables.
A brand new type of smartphone ‘ghost touch’ remote attack
In a newly published paper titled ‘WIGHT: Wired Ghost Touch Attack on Capacitive Touchscreens’ the researchers say they had success when tested on a Samsung Galaxy S20 FE and Apple iPhone SE (2020) as well as devices from Huawei, LG, and Xiaomi. What these devices have in common is a capacitive touchscreen, which the attack methodology requires and which most smartphones use today. The actual hack, though, has another connection. Quite literally in fact: the charging cable connected to the device.
The attack requires the phone to be connected to what the researchers call a “malicious charging port” and works via Lightning, USB-A, USB-C and Micro charging cables. The hack works, they say, across multiple power adapters and isn’t stopped by USB data blockers.
“Despite the fact that smartphones employ abundant noise reduction and voltage management techniques,” the researchers said, “we manage to inject carefully crafted signals that can induce ‘ghost touches’ within a chosen range.”
Essentially, what they are doing is injecting noise through the charging cable in a form that is not filtered out yet still affects the capacitive touchscreen’s measurement mechanism. By syncing this ‘malicious noise’ with the touchscreen scanning cycle, the researchers found they were able to achieve three different types of remote attacks.
The three different remote WIGHT smartphone attack modes
An injection attack that creates a ghost touch without a user physically touching the screen at all.
An alteration attack that can change the actual position of a physical touch to another determined by the hacker.
A denial-of-service attack that totally prevents the targeted smartphone from being able to detect any legitimate physical touch.
The WIGHT threat model
Let’s look at the threat model, as described by the researchers themselves, first. The attack doesn’t require data access permission from the USB cable or actual contact with the screen, which distinguishes it from previous work involving ghost touch methods, which mainly relied upon electromagnetic radiation. Instead, WIGHT sends a malicious signal right down the charging cable. This, the research paper stated, works by injecting a “common-mode (CM) signal by applying signals to the ground (GND) line” of the cable. This CM signal “cannot be filtered completely and can result in a differential-mode (DM) signal due to the asymmetric circuits,” it continued, “the DM signal can interfere with the measurement of the touchscreen capacitance such that it emulates the scenarios as if a user is touching the screen.” Also on the plus side of the threat model: it doesn’t require hardware under the table on which the target phone is placed, nor does it require the phone to be placed face down.
No need to panic, although WIGHT does sound shocking – literally!
Although the attack methodology is interesting, and the resulting hack sounds pretty scary, as with most such lab-based research the real-world risk of falling victim to this is low, to say the least. Even if you have the hardware access by way of that malicious charging port, the precision of the touchscreen control is very poor. In most cases, the researchers admit, the ghost touches may “appear randomly on a vertical or horizontal line of the screen.” The success rate of tapping a specific button is at best 50/50. Of course, that doesn’t rule out granularity improvements in the future. Perhaps of more concern to the attacker would be the likelihood of causing harm to the phone user. “The attack signal is an alternating current with a high voltage,” the paper states, adding that the hack should only be carried out under the supervision of safety professionals in a lab equipped with electrical protective devices.
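A defensive heuristic built on the observation above that ghost touches tend to fall along a vertical or horizontal line, as an added example that is not from the paper or this article: it flags bursts of taps logged while charging that share one coordinate but are spread widely along the other. The `Touch` record, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical touch-down record: time in ms, pixel position, charger attached?
Touch = namedtuple("Touch", "t_ms x y charging")

def _line_axis(burst, tol_px, min_spread_px):
    """Return 'vertical'/'horizontal' if the taps sit on one screen line, else None."""
    xs = [e.x for e in burst]
    ys = [e.y for e in burst]
    dx, dy = max(xs) - min(xs), max(ys) - min(ys)
    if dx <= tol_px and dy >= min_spread_px:
        return "vertical"
    if dy <= tol_px and dx >= min_spread_px:
        return "horizontal"
    return None  # scattered taps, or repeated taps on one spot

def flag_line_bursts(events, window_ms=500, min_touches=4,
                     tol_px=8, min_spread_px=200):
    """Flag bursts of taps-while-charging that are aligned on a single line.

    All thresholds are assumed values and would need tuning per device.
    Returns a list of (start_ms, end_ms, axis) tuples.
    """
    taps = sorted((e for e in events if e.charging), key=lambda e: e.t_ms)
    findings, i = [], 0
    while i < len(taps):
        j = i
        while j + 1 < len(taps) and taps[j + 1].t_ms - taps[i].t_ms <= window_ms:
            j += 1
        burst = taps[i:j + 1]
        axis = (_line_axis(burst, tol_px, min_spread_px)
                if len(burst) >= min_touches else None)
        if axis:
            findings.append((burst[0].t_ms, burst[-1].t_ms, axis))
            i = j + 1  # skip past the reported burst
        else:
            i += 1
    return findings

# Constructed sample log (not real measurements).
SAMPLE = (
    [Touch(0, 100, 200, True), Touch(900, 540, 1200, True), Touch(1800, 300, 800, True)]
    # five taps in 300 ms on one column while charging: the suspicious pattern
    + [Touch(t, x, y, True) for t, x, y in [(5000, 412, 150), (5080, 410, 900),
       (5150, 415, 1500), (5220, 411, 400), (5300, 413, 2000)]]
    # same column pattern on battery: out of scope for a charging-cable attack
    + [Touch(9000 + 80 * k, 412, 300 * k, False) for k in range(5)]
    # a user hammering one button while charging: aligned but not spread out
    + [Touch(12000 + 100 * k, 540 + k % 2, 1800, True) for k in range(4)]
)

if __name__ == "__main__":
    print(flag_line_bursts(SAMPLE))
```

The spread requirement is what separates a line of ghost touches from a user repeatedly tapping the same button, which is also tightly aligned.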
So, I wouldn’t worry too much about this particular threat right now, but I would still recommend the use of USB data blockers when using charging stations you don’t know to be safe. WIGHT is not the only threat, after all.