Tap ‘N Ghost: A Novel Attack Against Smartphone Touchscreens

Researchers have demonstrated a new vulnerability in NFC, a feature built-in to many smartphones sold today. The vulnerability allows the attacker to to generate ‘ghost taps’ against a device, effectively allowing an attacker to tap your phone without you looking.

The 18-page paper released by a team of three researchers based out of Waseda University in Japan consists of two techniques: an attack against NFC-enabled smartphones and an attack against capacitive touchscreens. It should be noted that nearly all phones have NFC, and nearly every phone released in the last decade has a capacitive touchscreen. Vunlnerable devices include, but are not limited to the Xperia Z4, the Galaxy S6 Edge, the Galaxy S4, Aquos Zeta SH-04F, Nexus 9, and Nexus 7.

The experimental setup consists of a signal generator, high-speed bipolar amplifier, a small transformer (taken from a toy plasma ball), a copper sheet, oscilloscope with high-voltage probe, and an NFC card emulator. No other special equipment is required. When the victim places their smartphone on a table top, the phone is fingerprinted, giving the attacker the make and model of phone. A dialog box then pops up and the phone connects to a network.

This attack can be replicated by anyone, and the tools required are simple and readily available. The mitigation is to disable NFC on your phone.

13 thoughts on “Tap ‘N Ghost: A Novel Attack Against Smartphone Touchscreens

  1. Nfc is turned off when the screen is off or lock screen is on which makes the attack less lickely.

    Also i would pick up my phone if i see a popup (bad eyes). So another mitigation would be not wearing glasses.

  2. This attack combined with payload injections through wifi/4G/5G vulnerabilities is dangerous – it can completely bypass user interaction and even simulate valid biometric authentication – leading to empty bank accounts, stolen personal data such as photos or ambient sound/video transmission. With some careful work this can be achieved from remote by using microwaves instead of high voltage charged plates embedded in a table or inside a purse.

    1. You could place a few of these setups in spots that someone would normally set their phone if they had a laptop out or a plate of food. The electronics involved can easily be condensed into a main board with multiple in/outs for driving daughter cards to increase attack area. If you were targeting a specific person, you would just need to watch their habits (which cafe they go to, which table they like sitting at, where they place their phone on the table, etc) and knowing their phone model makes the attack even quicker and more inconspicuous (no javascript popups to detect model). It’s a very specific kind of attack that would probably be too time intensive to use on random people.

      This is just a clever use of various exploits to show what things can be improved in phones to prevent something like this from easily being used. Just improving the “connect to network ?” question can make things less vague about what you are actually doing when answering that question. “Connect to network again?” sounds like a much different question compared to “SSID: ‘again’ Connect to this network?” Also maybe improving NFC permissions, don’t let the phone respond to any NFC requests unless you have the NFC window open on your phone. I could imagine pop up ad NFC tags being embedded into cafe tables. You set your phone down and suddenly you have ads bombarding your screen. I don’t think there is ever really an appropriate use for unsolicited NFC.

  3. The paper is behind a paywall, and the rest is video content. Why can’t we _read_ stuff any more? Maybe once in 20 times will I click a video after the break and when I do I nearly always want to strangle whoever made it because if they’d just typed in whatever they said in the video it’d take a fraction of the time (and mobile data and precious battery life) to convey the information.

    I feel like on balance YouTube has made the web less useful, less searchable, and less informative. If human nature is really to blame then I am ashamed to be human.

    1. Making bad video is easy. Just point your phone. So – with smartphones it became accessible.
      Making good video, is actually hard – you need equipment, planning,. and at least organised ‘studio’ space.

      Writing good text is harder – it must be proofed (so it is readable and understandable). Illustrations should be made, preferrably, again, good ones. It all takes dedication and spare time. Which many lack.

      And humanity as a whole takes the path of less resistance.

  4. “The experimental setup consists of a signal generator, high-speed bipolar amplifier, a small transformer (taken from a toy plasma ball), a copper sheet, oscilloscope with high-voltage probe, and an NFC card emulator. No other special equipment is required.”

    Said tongue in cheek. *handwave* These are not the electronics you’re looking for.

  5. Seems alot for the hacker to do, To set all that up and hacker has to be near you. I’m think my phone is safe. I thought they meant hacker can hack my phone from my own home to take over my touch screen

    1. Agreed. “A device within a couple inches of your phone can produce touch events if the screen is on” is not surprising. Anyone with the skills of a spy, pick-pocket, or magician could use their fingers to produce the same effect much more flexibly and reliably. Seems like a lot of work for a pretty small attack surface. Glad I’m not storing state secrets on my phone, I’d have to install physical security in my house long before I’d worry about a targetted attack from the bottom side of a cafe table.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.