If you think your smartphone is safe as long as no one touches it, you are wrong. Many attacks on smartphones do require physical access to the device and interaction with the touchscreen, but according to research it is possible to operate a phone’s touchscreen without touching it, using electromagnetic interference. Meet GhostTouch, a type of attack that can execute taps and swipes on the phone’s screen from a distance of up to 40 millimeters.
According to the researchers’ findings, an attacker can use GhostTouch to carry out several types of malicious actions, including initiating calls and downloading malware. Most of the touchscreens used today by smartphone and tablet companies are sensitive and vulnerable to the environmental impact of electromagnetic interference, commonly abbreviated as EMI.
Portswigger.net reports that previous studies have shown that EMI can disrupt the user experience of touchscreens and possibly cause random and harmful behavior. In one case, a phone that was placed on a charger booked a highly expensive hotel room because of EMI signals.
Researchers created the GhostTouch software in order to see if they could use EMI to create controllable touch events and trigger arbitrary behavior on touchscreens. The core idea behind GhostTouch is to interfere with the capacitance measurement of touchscreens using electromagnetic signals injected into the receiving electrodes integrated into the touchscreen.
GhostTouch is a targeted attack. The adversary must know the make and model of the victim’s phone in order to tune the equipment. The attacker might also need extra information about the phone, such as the passcode, which they must acquire through social engineering or ‘shoulder surfing’. These types of attacks usually occur in public locations such as cafes, open offices and libraries, places where people are not necessarily careful about how they place their smart devices. By embedding appropriate equipment under a specific table, the hacker will be able to launch attacks remotely.
The researchers tested GhostTouch on 11 widely used phone models and were able to carry out the attack with varying degrees of success on nine models, showing that EMI attacks are a real threat to today’s personal devices.