‘Invisible finger’ demo hacks the touchscreen

Be careful putting your phone facedown on a table—at least around the labs at the University of Florida.

A UF research team, along with colleagues at the University of New Hampshire, has developed an “invisible finger” that makes screen-clicks through a table. The touchscreen hack, presented at Black Hat 2022 this month, showed how an attacker with an antenna can generate touch events on a phone and potentially sign-in, send messages, or install malicious code.

The proof-of-concept pierces a fixed mindset on device security, say the researchers, and represents the beginning of compromise possibilities for a hardware component that has rarely been hacked with.

The hack. The right amount of  intentional electromagnetic interference (IEMI) from an antenna, when placed about 3 centimeters away from a phone, generates a phantom click on a capacitive touchscreen.

What’s needed:

• A signal generator
• An 100-watt (orso) amplifier to boost the signal
• A copper antenna array covering a desired surface of the table
• A Raspberry Pi computer to control which antenna to activate

“Our attack assumption is, more or less, [that] you have some kind of a meeting or conference appointment with some malicious user…where they are capable of modifying the setup of the meeting room,” PhD student and UF researcher Haoqi Shan told IT Brew.

How it works. The excitation signals from a touchscreen “leak” information that antennas can find. When a phone is placed face-down on a table, the array senses the phone’s orientation.

“Using 12 antennas together, we can fully recover where the phone is located,” said Shan during his presentation at Black Hat.

Introducing interference from the correct antenna in the array-grid creates the phantom touch. A successful touch event can even be confirmed by its unique signal.

Practical attacktical? Only a few research experiments have shown the vulnerabilities of the touchscreen. A “Tap ’n Ghost” hack, demo’d in 2019, embeds a table with touchscreen disrupters. A 2022 attack made ghost clicks via a malicious charging port, and the same researchers showcased a “GhostTouch” at Usenix Security Symposium in July.

While Shan’s group has demonstrated click-based attacks—installing malware, sending phishing messages, and unlocking a phone—a lot has to go just right for them to succeed. The phone has to be face down, for example, and the antenna must be close to the target device. And the phone needs to be still—a tough ask in a conference room.

“Those things are not inanimate objects. They’re constantly moving,” Brian Haugli, a former cybersecurity consultant for the Pentagon and current CEO of the cybersecurity firm SideChannel, told IT Brew. To conduct successful attacks, the team must also assume that specific operations will appear in their usual fixed screen positions.

But the invisible finger demo is only the beginning, according to Shan, and rejects the common assumption that you can only break through a touchscreen by touching it. “A lot of people, even academic researchers, didn’t really take this kind of attack surface seriously,” said Shan.

While Haugli says that cell phone manufacturers need to acknowledge the hack and build protections, the CEO does not consider the hack to be “a today problem.”

“Let’s talk about enabling multi-factor authentication and patching your applications before they go to production,” said Haugli.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.