A group of researchers has devised a new proof-of-concept attack that targets the touchscreen of Near-Field Communication (NFC)-enabled mobile devices such as smartphones and allows remote control of the devices.
Dubbed Tap ’n Ghost, the attack comprises two techniques: Tag-based Adaptive Ploy (TAP), which relies on device fingerprinting to tailor the attack to the victim device, and Ghost Touch Generator, which can alter the selection of a button on a touchscreen.
Thus, by using an NFC card emulator, an attacker could use the TAP system to prompt the victim to accept on their smartphone a connection to a Bluetooth-enabled mouse, and could make sure the connection is accepted even if the victim touches the “Cancel” button.
“After the connection is established, the attacker can remotely take control of the smartphone, with the knowledge about the layout of the screen derived from the device fingerprinting,” researchers from Waseda University, Japan, explain in a whitepaper.
TAP, which consists of a processor, a communication interface, such as Wi-Fi, and an NFC-tag emulator, can induce a victim device to perform low-risk actions, such as following a link.
To perform high-risk actions, such as pairing with another device, the researchers developed a technique they refer to as Ghost Touch Generator, which tricks the device into sensing “ghost touch events” by externally injecting intentional noise signals, produced as large alternating voltages at a specific frequency.
Exploiting the NFC implementation of Android OS version 4.1 or later, the attack targets the mutual capacitive controllers in smartphones, which consist of a grid of transmitter and receiver electrodes and detect touches by measuring changes in electric current between transmitters and receivers.
The research model assumes that an actor has embedded elements used in the attack in a common object such as a table, that they can trigger a specific action from the smartphone when reading an NFC tag, and that they can deceive the user by displaying a notification containing a misleading message.
Thus, the attacker can place the malicious table in a specific location, and the TAP device begins the attack as soon as the victim’s smartphone is within range. Once the pop-up is displayed on the screen and the victim attempts to cancel the action, the Ghost Touch Generator attack is triggered to alter the selection of the buttons.
“After succeeding the compilation of attacks described above, an attacker can employ the further attacks. For instance, the victim’s smartphone will be forced to pair with the Bluetooth mouse emulated by the Malicious Table. The attacker can fully take control of the smartphone; for instance, the attacker can install any apps remotely, using a paired Bluetooth mouse,” the researchers say.
The researchers, who also published videos to demonstrate how the attack works, say that they also performed a user study and an online survey, which allowed them to conclude that the threat caused by the attack is realistic.