A team of cybersecurity researchers at Ben-Gurion University of the Negev (BGU) in Israel has demonstrated that an attacker can exfiltrate valuable user information and impersonate a user by tracking touch movements on compromised third-party smartphone touchscreens while the user sends emails, conducts financial transactions or even plays games.
Broken smartphone touchscreens are often replaced with aftermarket components produced by third-party manufacturers that have been found to have malicious code embedded in circuitry.
The BGU team’s research objective was to use machine learning to determine how much high-level context information an attacker can derive by observing and predicting the user’s touchscreen interactions. BGU researcher Dr. Yossi Oren said that if an attacker can understand the context of certain events, he can use the information to create a more effective customized attack.
A hacker could, for example, learn when to steal user information or how to hijack the phone by inserting malicious touches.
“Now that we have validated the ability to obtain high level context information based on touch events alone, we recognize that touch injection attacks are a more significant potential threat,” Oren said. “Using this analysis defensively, we can also stop attacks by identifying anomalies in a user’s typical phone use and deter unauthorized or malicious phone use.”
The researchers recorded 160 touch interaction sessions from users running many different applications to quantify the amount of high-level context information. Using a series of questions and games, the researchers employed machine learning to determine stroke velocity, duration and stroke intervals on specially modified LG Nexus Android phones. According to the researchers, the machine learning results demonstrated an accuracy rate of 92 percent.
Other touchscreen hardware is also at risk. In 2017, Kaspersky Lab analyzed touchscreen payment kiosks, infotainment terminals in taxis, infotainment terminals at airports and railways, and road infrastructure components, such as traffic routers and speed cameras.
Most of these kiosks are PCs equipped with touchscreens. The main difference is an interactive graphical shell that blocks the user from gaining access to the regular operating system and provides a limited set of features to perform the terminal’s functions. The Kaspersky Lab report found that most terminals do not have reliable protection to prevent the user from exiting the kiosk mode to gain access to the operating system.