Researchers have attacked the touchscreens of mobile devices via charging cables and power adapters, manipulating smartphones and tablets in the process.
This was discovered by researchers at the System Security Lab of TU Darmstadt together with a Chinese research team from Zhejiang University in Hangzhou. They carried out attacks on capacitive touchscreens via charging cables and power adapters, uncovering a new way to attack mobile devices. The researchers were able to create false touches – ghost touches – on multiple touchscreens and use them to manipulate the devices.
Attack works on charging cable without data channel
The international research team had to overcome two challenges. First, the capacitive touchscreens had to be affected via a charging-only cable without damaging the hardware. Electronic devices are usually equipped with resistive filters in the circuits to ensure a stable power supply. It was necessary to design an attack that would work even if users in public spaces used a charging-only cable without a data channel for privacy and security reasons. Second, the touch points had to be specifically controlled in order to manipulate the device. This was necessary so that, for example, compromised Bluetooth connections could be established, users could be eavesdropped on through a phone call, or malware could be received.
Manipulated USB charging socket
In the test setup, a compromised public charging station was assumed to be the starting point of the attack. A manipulated USB charging socket was used, whose power supply can be controlled remotely. Such publicly accessible charging stations are often found in cafés, in hospitals, hotels or at airports and train stations. Anyone who charges their smartphone or tablet at this charging station initiates the attack, which is initially disguised as a normal charging signal. The attacker measures the sampling frequency of the touchscreen via the charging connection in order to adapt the attack signal. Beyond that, no data connection is necessary.
A sophisticated attack signal is injected into the GND line, i.e. the ground line, via the charging line. The attack signal, which is injected via the USB interface, affects the power supply and is converted into a noise signal due to the lack of filtering. With the help of these noise signals, three different attack effects can be achieved, which are related to the typical setup of capacitive screens.
Targeted ghost touches
The main component of a touchscreen is a matrix of rows and columns of conductive electrodes (TX) and sensing electrodes (RX), whose crossing points form what is called mutual capacitance. When a finger touches the screen, it forms an additional capacitance with the electrodes and changes the equivalent capacitance, which creates a touch event and allows the smartphone to be controlled. The researchers were able to create targeted ghost touches along both the TX electrodes and the RX electrodes without physical contact. The screen was also manipulated in such a way that it no longer responds to real touches.
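
A toy model of the sensing described above, added here as an illustration and not taken from the researchers' work. It thresholds the capacitance change at each TX/RX crossing, shows how unfiltered supply noise during one TX scan slot is read as touches along that electrode, and adds a plausibility check a defender could apply. The panel size, units, thresholds, the scan-slot noise model and the `suspicious_lines` heuristic are all assumptions.

```python
# Toy model of a mutual-capacitance touch controller (all values constructed).
TX, RX = 6, 4         # assumed panel: 6 TX rows, 4 RX columns
FINGER_DELTA = 30.0   # assumed capacitance change caused by a finger (arbitrary units)
THRESHOLD = 15.0      # assumed change above which the controller reports a touch


def scan(fingers=(), noisy_tx=(), noise=0.0):
    """Scan the TX rows one after another and return the frame of capacitance changes.

    fingers:  (tx, rx) crossings covered by a real finger
    noisy_tx: TX scan slots during which supply noise reaches the measurement
    noise:    amplitude of that noise after whatever filtering the device has
    """
    frame = []
    for tx in range(TX):
        row = []
        for rx in range(RX):
            delta = FINGER_DELTA if (tx, rx) in fingers else 0.0
            if tx in noisy_tx:
                # Assumption: noise present in this scan slot adds to every RX reading.
                delta += noise
            row.append(delta)
        frame.append(row)
    return frame


def touches(frame):
    """Crossings the controller would report as touched."""
    return {(tx, rx)
            for tx, row in enumerate(frame)
            for rx, delta in enumerate(row)
            if delta > THRESHOLD}


def suspicious_lines(frame):
    """Hypothetical plausibility check: a finger covers a small area, so a frame in
    which every crossing of one electrode fires at once is flagged."""
    hit = touches(frame)
    lines = [("TX", tx) for tx in range(TX)
             if all((tx, rx) in hit for rx in range(RX))]
    lines += [("RX", rx) for rx in range(RX)
              if all((tx, rx) in hit for tx in range(TX))]
    return lines


if __name__ == "__main__":
    print("finger:", touches(scan(fingers={(2, 1)})))
    ghost = scan(noisy_tx={4}, noise=20.0)
    print("noise :", sorted(touches(ghost)), "flagged:", suspicious_lines(ghost))
```

In this model, noise that stays below the threshold produces no touch events, which is why the filtering mentioned earlier matters.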