Imagine this scenario. You walk into the conference room, place your phone on the table and take a seat. Mysteriously, the phone wakes up and an invisible finger unlocks it and installs malware. Call Ghostbusters? Better yet, call the research team whose “invisible finger” presentation wowed attendees at the Black Hat conference in Las Vegas.
This team, called “Security in Silicon Lab”, brings together professors, doctoral students and other academics from the University of Florida and the University of New Hampshire, all of whom have extensive expertise in electronic hardware and in the mathematics and physics that make modern technology possible.
Haoqi Shan, a UF PhD candidate, delivered the Black Hat presentation of the group’s findings and started with the short version. “This is a remote precise touch injection attack against capacitive touchscreens using an IEMI (intentional electromagnetic interference) signal,” he said. “Our attack has an effective range of three to four centimeters. We can induce a short press, a long press or a sweep in any direction.”
Shan called it “a relatively new type of attack, even for professional researchers, [though] once you get the knowledge here you should be able to replicate what we are doing now. Maybe you’ll come up with a stronger or much cooler attack.”
This is a big maybe, as further research would obviously require high-powered equipment as well as extensive knowledge and expertise.
Shan launched into a detailed description of how the capacitive touchscreens that control your tablets and phones work. Skipping the physics involved, it goes like this. An electronic system transforms the capacitance events that occur when you touch the screen into a voltage that can be measured. The team’s attack works by using electromagnetic fields to manipulate this voltage.
“In theory it might work, but we don’t know at this point,” Shan said. “We set up an environment that allows us to generate a field using a copper plate so that we can learn to control the touch event.”
The team went through many iterations, learning the best field strength and frequency to use. “We need our electronic field to be really focused,” Shan said. “We used two methods. The spring-loaded copper needle is more accurate, but the copper plate gives a stronger signal.”
From theory to practice
Either way, a robotic arm is used to precisely position the antenna.
“For a real attack, you can’t use a robotic arm,” Shan said. “We used a sparse antenna array to determine the location of the phone and another array to perform the test. Our attack works on iPad, OnePlus, Google Pixel, Nexus, and Surface. It’s more universal. It acts as if your finger did the job. We can even generate an omnidirectional swipe on iPad and Surface. We could totally use it to open a gesture-based lock.”
The team designed a complete attack vector. An antenna array under the table picks up the precise location of the phone or tablet. Another antenna array sends signals that trigger touch events. And by measuring emissions from the touchscreen, the attack system can verify that each touch is successful. A brief video shows the final attack in action.
What attacks are possible? What defenses?
As for a real attack scenario, “we managed to install a malicious app on Android,” Shan said. “We could send money by tap and hold on PayPal. We did an attack on Siri that works nine times out of 10.” He noted that other attacks have proven less consistently effective, in one case because the Yes and No buttons on Android are very close together.
Touchscreen manufacturers could thwart this attack by including simple pressure or force sensing. Your finger exerts a little pressure; the invisible finger attack does not. “As far as consumers are concerned,” Shan said, “you can use a Faraday bag, but that renders your phone inoperable. We found good protection tests in a case with a cover and Faraday fabric.”
The group’s website also notes that laying your phone down with the screen up is enough to protect it from the attack in its current form.
“We are still actively working on this offense to make it more perfect,” Shan concluded. He also noted that the group is actively recruiting PhD students working in cybersecurity. Is that you? You can contact the group on their Invisible Finger website, which also features FAQs and videos about the project, as well as the scientific paper this presentation is based on.