tap n ghost
play

Tap n Ghost A Compilation of Novel Attack Techniques against - PowerPoint PPT Presentation

May 12, 2023 •206 likes •508 views

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita Maruyama 1 , Satohiro Wakabayashi 1 , Tatsuya Mori 1, 2 1 Waseda University, Japan 2 RIKEN AIP, Japan Tap n Ghost An attack against smartphones

  1. Tap ’n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita Maruyama 1 , Satohiro Wakabayashi 1 , Tatsuya Mori 1, 2 1 Waseda University, Japan 2 RIKEN AIP, Japan

  2. Tap ’n Ghost ➤ An attack against smartphones ➤ The attack connects a Bluetooth device or a Wi-Fi access point to the victim's smartphone. ➤ It consists of two techniques: ▶ Attack against NFC-enabled smartphones ▶ Attack against Capacitive Touchscreens 2

  3. How Our Attack Works Victim’s Smartphone Table NFC Card External Emulator Metal Sheet 3

  4. How Our Attack Works 4

  5. Demo: Overview 5

  6. Demo: Overview Connected to [ … ] 6

  7. Two Attack Techniques Tag-based Adaptive Ploy: Attack technique against NFC-enabled smartphones Ghost Touch Generator: Attack technique against Capacitive Touchscreens 7

  8. Two Attack Techniques Tag-based Adaptive Ploy: Attack technique against NFC-enabled smartphones Ghost Touch Generator: Attack technique against Capacitive Touchscreens 8

  9. How Touchscreens Work ➤ Capacitive touchscreens are widely used in smartphones. TX electrodes (driving) Finger RX electrodes Smartphone (sensing) 9

  10. How Touchscreens Work ➤ Bringing a finger close to the intersection will decrease electrical current flowing into the RX electrode. C f TX RX C 0 10

  11. Ghost Touch Generator ➤ The attacker can cause false touch events by injecting intentional noise from an external source. C f TX RX C 0 C ex External Metal Sheet 11

  12. Demo: Ghost Touch Generator 12

  13. Ghost Touch Generator ➤ It causes “false touches” on the 5/7 models. ➤ The characteristic frequencies vary by model. Device Manufacture Success Frequency false touches [kHz] Nexus 7 ASUS � 128.2 ARROWS NX F-05F FUJITSU — � Nexus 9 HTC 280.9 Galaxy S6 edge SAMSUNG — Galaxy S4 SAMSUNG � 384.5 AQUOS ZETA SH-04F SHARP � 202.0 Xperia Z4 SONY � 218.0 13

  14. Summary of Ghost Touch Generator 1. This attack technique scatters false touches on touchscreens. 2. The attacker needs to identify the smartphone model in advance. 14

  15. Two Attack Techniques Tag-based Adaptive Ploy: Attack technique against NFC-enabled smartphones Ghost Touch Generator: Attack technique against Capacitive Touchscreens 15

  16. NFC ➤ NFC is a short-range (~10 cm) wireless communication technology Smartphones Credit Card Smart Posters 16 pocketnow, https://pocketnow.com/android-nfc-app-reveals-contactless-credit-card-details-should-you-be-worried androidcentral, https://www.androidcentral.com/samsung-pay-uk-everything-you-need-know nfc Direct, https://nfcdirect.co.uk/44-social-media-nfc-smart-posters

  17. NFC and Android ➤ Android smartphones always look for nearby NFC tags and read it. ➤ The following operations are launched depending on the NFC tag record: Opening a website ▶ Connecting a Wi-Fi access point (with confirmation) ▶ Pairing a Bluetooth device (with confirmation) 17 ▶

  18. Tag-based Adaptive Ploy ➤ NFC emulation enables to emulate an NFC tag, and dynamically change its content. 1. Request to open an attacker’s website & identify the smartphone model 2. Request to pair an attacker’s Bluetooth device 18

  19. Summary of Two Attack Techniques Tag-based Adaptive Ploy: Attack technique against NFC-enabled smartphones Gets info & Shows dialog box Ghost Touch Generator: Attack technique against Capacitive Touchscreens Generates false touches 19

  20. Feasibility of the Threat ➤ The attack succeeds only if the victim uses their smartphone within the NFC communication range. ( NFC communication range < Ghost Touch Generator attack range ) ➤ We conducted a deceptive study to investigate how often the victim’s smartphone came within the attack range of the Malicious Table. ➡ 15 out of the 16 participants were attackable. 20

  21. User Study 21

  22. Overall Attack Success Rate Overall attack success rate is 71%, ➤ if 30 people take a seat at the Table and the attacker can retry attack 3 times for each person. # of people who take a seat at the table # of attack trials 22 Attack Success Probability

  23. Countermeasures ➤ Add the user approval processes before Android OS launches every operations recorded in a NFC tag (cf. iPhone XS, XS Max, and XR) ➤ Detect the malfunction on touchscreens ▶ Add idle time to TX electrodes, and check noise on RX electrodes ▶ Identify the characteristic patterns of false touches 23

  24. Responsible Disclosure ➤ With the aid of JPCERT/CC, we have contacted several smartphone manufacturers. ➤ We demonstrated the attack to them and confirmed that the attack is applicable their latest model. 24

  25. Conclusion ➤ We presented the new attack “Tap ’n Ghost,” which exploits the NFC and the touchscreen of the victim’s smartphone. ➤ We demonstrated the attack is feasible. ➤ We provide possible countermeasures. 25

  26. Appendix

  27. Tag-based Adaptive Ploy (TAP) embedded device 1 Emulates a URL NFC tag NFC emulator 6 2 7 Emulates a tag suited for Reads the emulated tag attacking the model single-board computer 3 Visits the attacker’s website 5 Sends the model information 4 Device fingerprinting web server 27

  28. User Study 28

  29. Attack Conditions Success rate of a single attack: 3% ➤ Following Conditions must be satisfied: ➤ a smartphone comes with Android OS. ▶ a smartphone is equipped with NFC. ▶ a victim has enabled the NFC functionality. ▶ a smartphone’s touchscreen controller is attackable with Ghost Touch Generator. ▶ a victim has unlocked the smartphone ▶ when s/he brings it close to the Malicious Table. Ghost Touch Generator attack has succeeded. ▶ 29

  30. Overall Attack Success Rate Overall attack success rate is 71%, ➤ if 30 people take a seat at the Table and the attacker can retry attack 3 times for each person. # of people who take a seat at the table # of attack trials 30 Attack Success Probability

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Erin Murray The general first idea was to have a playful ghost flying around a building for

Erin Murray The general first idea was to have a playful ghost flying around a building for

Erin Murray The general first idea was to have a playful ghost flying around a building for their own enjoyment. The story of the ghost then became more prominent as I developed my storyboards. The ghost was looking for a place to haunt

336 views • 10 slides
The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM

The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM

1 The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM with implants 4 ECG reconstruction &amp; classification 5 Robotic limbs 6 PANDAS 7 Ghost in the Shell 8 Ghost in the Machine 9

419 views • 17 slides
A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

REDRAIN &amp; MIN(SPARK) ZHENG A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain min(spark) zheng Qihoo 360CERT CUHK PhD Alibaba Security Expert Low-level security researcher Pentester with interest in

818 views • 52 slides
Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line

Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line

Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line Manager Outline of Topics What is a ghost peak? How to identify ghost peaks and their source How to correct various sources of

561 views • 43 slides
Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH

Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH

Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH Outline MDHHS HCV Surveillance Basics of HCV GHOST Example of GHOST in Action Implications for Public Health Surveillance MDHHS HCV

455 views • 34 slides
Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R.

Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R.

Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R. Drury State of the Watershed Report Formal process by Alberta Government Followed Handbook for State of the Watershed Reporting Used

470 views • 44 slides
Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF

Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF

Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF COMPLEX SYSTEMS Universit` a dellAquila - Italy Ghost effect by curvature p. 1/39 Joint project with : L. Arkeryd R. Marra A. Nouri

749 views • 39 slides
Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije

Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije

Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije Universiteit Brussel p-adics 2015 and Brankos fest Belgrade, September 11, 2015 Happy Birthday, Branko! Renormalizable ghost-free gravity Set-up

407 views • 23 slides
Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB

Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB

Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB Ghost River Watershed 2011 Ri par i an those green zones of water-loving vegetation along rivers, streams, lakes and wetlands

817 views • 47 slides
d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of

d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of

d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of gravity Anupam Mazumdar R F 5 ( ) R + Lancaster University R Warren Siegel, Tirthabir Biswas

970 views • 33 slides
The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing

The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing

The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing gear in seafood supply chains Ingrid Giskes Global Head of Campaign Chair of Global Ghost Gear Initiative A global problem In 2009, UNEP &amp; FAO

362 views • 35 slides
Agent for Ms. Pac-Man vs. Ghost Team Competition ,

Agent for Ms. Pac-Man vs. Ghost Team Competition ,

Agent for Ms. Pac-Man vs. Ghost Team Competition , 2012030142 513 - Target Try to maximize your score by eating as many pills/power pills/ghosts as you can

504 views • 9 slides
May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship (our ancient writings usher us into this ritual) Why do we praise

473 views • 28 slides
dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it

dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it

April 19, 2020 dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship Why do we praise Christ this

387 views • 35 slides
IST Today! Hw#5: Circuit design in Logisim A circuit for any function can be

IST Today! Hw#5: Circuit design in Logisim A circuit for any function can be

OK Recursing? Jotto Corner Faye / Garrett OKer than before? cs5 guess my guess alien: 1 diner: 2 diner: 0 savvy: 1 party: 0 savvy: 1 judge: 2 ghost: 0 ghost: 2 plumb: ? ????? : ? plumb: ? Submission Site vs. Sakai? Sakai can

1.29k views • 100 slides
April 26, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

April 26, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

April 26, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship Why do we praise Christ this morning? Ephesians 4:1-8 Walk in a

496 views • 36 slides
Medium-Fi Prototyping CS 147 Fall 2019 James R, Victor C, Leenah F, Tingyu Z Our Team Leenah Al

Medium-Fi Prototyping CS 147 Fall 2019 James R, Victor C, Leenah F, Tingyu Z Our Team Leenah Al

Medium-Fi Prototyping CS 147 Fall 2019 James R, Victor C, Leenah F, Tingyu Z Our Team Leenah Al Falih Tingyu Zheng Jimmy Rabe Victor Chen Problem It is difficult to find nearby mental health resources

401 views • 19 slides
Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu Problem Definition Verifying hyperproperties about the Keystone Security monitor Secure Remote Execution (SRE) : a 2-safety hyperproperty

446 views • 10 slides
The Hidden Cost of Free Higher Ed Tuition Policy &amp; Affordability Or Malatras is

The Hidden Cost of Free Higher Ed Tuition Policy &amp; Affordability Or Malatras is

The Hidden Cost of Free Higher Ed Tuition Policy &amp; Affordability Or Malatras is in for a long day. NY TAP Program Grants for income up to $100,000 $100,001-$125,000 $100,001-$125,000 $0-$50,000 $0-$50,000 $50,001-$100,000

548 views • 21 slides
Filtering Cubemaps Filtering Cubemaps Angular Extent Filtering and Edge Seam Fixup Methods

Filtering Cubemaps Filtering Cubemaps Angular Extent Filtering and Edge Seam Fixup Methods

Filtering Cubemaps Filtering Cubemaps Angular Extent Filtering and Edge Seam Fixup Methods Angular Extent Filtering and Edge Seam Fixup Methods John R. Isidoro 3D Application Research Group ATI Research Introduction Introduction Hardware

463 views • 25 slides
Data publication at PADC using TAP ObsTap for CTA, Gaia and EPN-TAP for Europlanet Pierre Le

Data publication at PADC using TAP ObsTap for CTA, Gaia and EPN-TAP for Europlanet Pierre Le

Data publication at PADC using TAP ObsTap for CTA, Gaia and EPN-TAP for Europlanet Pierre Le Sidaner on behalf of PADC 1 Why and How TAP ? - TAP was designed to publish data tables - TAP is for accessing tables inside relational

356 views • 16 slides
At the least, compute one Tap in a 2. Separate AGU from DALU for rich addressing modes Single

At the least, compute one Tap in a 2. Separate AGU from DALU for rich addressing modes Single

SCOPES 2003 Outline Tailoring Software Pipelining For 1. Low-power DSP 16000 and ZOLB Effective Exploitation Of Zero 2. Compiler Mission Overhead Loop Buffer 3. Conventional Approach 4. Alternatative approach 5. Intermediate

319 views • 6 slides
In Introduction to swit itchdev SR SR-IOV offloads Or r Ge Gerli litz, Had adar Hen-Zion,

In Introduction to swit itchdev SR SR-IOV offloads Or r Ge Gerli litz, Had adar Hen-Zion,

In Introduction to swit itchdev SR SR-IOV offloads Or r Ge Gerli litz, Had adar Hen-Zion, Amir Vad adai, i, Rony Efr fraim Netdev 1.2, Tokyo, October 2016 agenda background and needs SRIOV VF representors concept and

563 views • 19 slides
Components of a data platform BUILDIN G DATA EN GIN EERIN G P IP ELIN ES IN P YTH ON Oliver

Components of a data platform BUILDIN G DATA EN GIN EERIN G P IP ELIN ES IN P YTH ON Oliver

Components of a data platform BUILDIN G DATA EN GIN EERIN G P IP ELIN ES IN P YTH ON Oliver Willekens Data Engineer at Data Minded Course contents ingest data using Singer apply common data cleaning operations gain insights by combining

434 views • 25 slides

More recommend