Researchers have created a novel proof-of-concept (PoC) attack named Tap ‘n Ghost, which targets Near Field Communication (NFC)-enabled Android smartphones. This allows an attacker to take control of a target phone simply by tricking the victim into placing their handset on a specially crafted surface, such as a table in a public space that has been maliciously wired.
Researchers at Tokyo-based Waseda University revealed the PoC attack in May at the 2019 IEEE Symposium on Security and Privacy. The attack couples the malicious use of NFC technology and RX electrodes, which are used in capacitive smartphone touchscreens. The result is the ability for a close-proximity attacker to gain control over the targeted device via a Bluetooth link or malicious Wi-Fi access point.
“After the connection is established, the attacker can remotely take control of the smartphone,” wrote researchers Seita Maruyama, Satohiro Wakabayashi and Tatsuya Mori, who authored an 18-page proof-of-concept attack description (PDF).
The researchers named the PoC Tap ‘n Ghost after the two techniques it combines: Tag-based Adaptive Ploy (TAP) and Ghost Touch Generator.
“Using a NFC card emulator embedded in a common object such as table, a TAP system performs tailored attacks on the victim’s smartphone by employing device fingerprinting; e.g., popping up a customized dialogue box asking whether or not to connect to an attacker’s Bluetooth mouse. Further, Ghost Touch Generator forces the victim to connect to the mouse even if she or he aimed to cancel the dialogue by touching the ‘cancel’ button,” the researchers wrote.
NFC-enabled Android devices are not the only exposed targets; a host of other NFC-capable capacitive touchscreens, such as those used in voting machines, ATMs and kiosks, are potentially vulnerable as well.
First Stage: Tag-based Adaptive Ploy
Stage one of the attack takes advantage of an NFC feature that can trigger an Android device to visit a specific URL without user interaction. The attacker accomplishes this by using an NFC tag emulator embedded within an ordinary object, such as a table or charging station.
Once the phone loads the attacker’s page, the attacker can “fingerprint” the type of device being targeted via specially crafted JavaScript on that website.
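To make the first stage concrete from the defender’s side, the following Python decoder parses an NFC Forum NDEF URI record the way a tag-dispatching phone would, and reports which handler the decoded scheme maps to. It is an added example for this article, not code from the Tap ‘n Ghost paper or from Android; the tag records it decodes are constructed for illustration, and the prefix table is the subset of the NFC Forum URI abbreviation codes needed here.

```python
"""Decode an NFC Forum NDEF URI record as a tag-dispatching phone would.

Added example for this article; not code from the Tap 'n Ghost paper or
from Android. The sample records at the bottom are constructed.
"""

# Abbreviation codes from the NFC Forum URI Record Type Definition. The first
# payload byte selects a prefix that is prepended to the rest of the payload.
# Codes outside this (partial) table are treated as "no prefix" (code 0x00).
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
    0x0D: "ftp://",
    0x1D: "file://",
}

TNF_WELL_KNOWN = 0x01  # Type Name Format value for NFC Forum well-known types


def parse_ndef_uri_record(record: bytes) -> str:
    """Return the full URI carried by one NDEF record of well-known type 'U'.

    Raises ValueError for anything that is not a complete URI record, so a
    caller never acts on a truncated or mistyped tag.
    """
    if len(record) < 3:
        raise ValueError("record too short for an NDEF header")
    flags = record[0]
    tnf = flags & 0x07                  # low three bits: Type Name Format
    short_record = bool(flags & 0x10)   # SR flag: 1-byte payload length
    has_id = bool(flags & 0x08)         # IL flag: ID length field present
    type_len = record[1]
    pos = 2
    if short_record:
        payload_len = record[pos]
        pos += 1
    else:
        if len(record) < pos + 4:
            raise ValueError("truncated payload length field")
        payload_len = int.from_bytes(record[pos:pos + 4], "big")
        pos += 4
    id_len = 0
    if has_id:
        if pos >= len(record):
            raise ValueError("truncated ID length field")
        id_len = record[pos]
        pos += 1
    record_type = record[pos:pos + type_len]
    pos += type_len + id_len
    payload = record[pos:pos + payload_len]

    if tnf != TNF_WELL_KNOWN or record_type != b"U":
        raise ValueError("not a well-known URI ('U') record")
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("payload missing or truncated")

    prefix = URI_PREFIXES.get(payload[0], "")
    return prefix + payload[1:].decode("utf-8")


def classify_tag_uri(record: bytes) -> dict:
    """Decode a tag and say whether default dispatch would hand it to a browser.

    Surfacing this before any action is the confirmation step the article's
    mitigation describes: the user sees the URI instead of the page opening.
    """
    uri = parse_ndef_uri_record(record)
    scheme = uri.split(":", 1)[0].lower()
    return {
        "uri": uri,
        "scheme": scheme,
        "opens_browser": scheme in ("http", "https"),
    }


# Constructed sample records: flags 0xD1 = MB|ME|SR, TNF=1 (well-known).
SAMPLE_HTTPS = b"\xd1\x01\x0c\x55\x04example.com"   # 'U', prefix 0x04
SAMPLE_TEL = b"\xd1\x01\x0a\x55\x05+15550100"       # 'U', prefix 0x05
SAMPLE_TEXT = b"\xd1\x01\x05\x54\x02enab"           # 'T' text record, not a URI

if __name__ == "__main__":
    for rec in (SAMPLE_HTTPS, SAMPLE_TEL):
        print(classify_tag_uri(rec))
    try:
        parse_ndef_uri_record(SAMPLE_TEXT)
    except ValueError as exc:
        print("rejected:", exc)
```

The decoder is strict on purpose: a record with the wrong type, a missing payload or a length field that overruns the tag is rejected rather than partially interpreted, which is the behaviour a reader firmware or tag-scanning app should have before it chooses a handler.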
“Device fingerprinting is useful to infer the language used for the device; the information can be used to display a dialog box with a misleading message to the victim,” according to the paper. “The fingerprint information can also be used for displaying a dialog box with a suitable message, which needs to be adaptive to the vendor-specific customization.”
With this information, the attacker can now trigger a “high-risk action” via a specially crafted NFC tag and connect the targeted device to an attacker-controlled Wi-Fi access point, or to a rogue Bluetooth session.
“Upon receiving a pop-up dialog box, the victim will try to cancel the action by tapping the cancel button. The Malicious Table will start the Ghost Touch Generator attack to alter the selection of the buttons,” they said.
Second Stage: Ghost Touch Generator
The Ghost Touch Generator stage of the attack aims to “scatter touch events around the original touch area [of the display].” Under these conditions, when a victim thinks they are touching a “Cancel” button they are actually clicking the button to permit the action instead. That allowed researchers to trick users into granting Bluetooth access to a phone or allowing the device to connect to a malicious Wi-Fi access point.
The attack then disrupts the RX electrodes of the smartphone’s capacitive touchscreen by injecting deliberate noise signals, causing the display to register touches incorrectly.
“We found that we can intentionally cause the malfunction by generating an electric field near the capacitive touchscreen controller, using an electric circuit that can produce large alternating voltage,” the researchers wrote. They were able to manipulate precisely where “touch events” were registered by varying the frequency, the voltage and the spatial distribution of both. As a result, tapping on one portion of the display would actually register as a tap somewhere else on the display. In that way, a tap on “Cancel” in a dialog box could be made to register as a tap on the “Connect” option.
One downside to this type of touchscreen manipulation was that some Android handsets experienced touchscreen controller failures related to the strong electric fields bombarding them.
On the upside, mitigating such attacks is relatively simple. Google could change the way NFC works on Android to require user permission before performing actions such as visiting a website. The researchers also recommend that vendors add better signal and noise protection to touchscreen controllers to prevent intentional disruptions.