Newly discovered Tap ‘n Ghost attack can be used to target Android devices
- The attack leverages Near Field Communication (NFC) to connect to Android smartphones.
- Apart from smartphones, the attack can also be launched on voting machines, ATMs, and kiosk.
Researchers have uncovered a unique and creative attack that can be used to target Android devices. Termed as Tap ‘n Ghost, the attack leverages Near Field Communication (NFC) to connect to Android smartphones.
How does it work?
Researchers at Tokyo-based Waseda University have demonstrated the Tap ‘n Ghost attack method in a PoC. The attack includes the malicious use of NFC technology and RX electrodes - that are used in capacitive smartphone touchscreens.
Once the connection to the targeted Android phone is established, it can allow attackers to remotely take control of the device. The connection to the devices is made through a Bluetooth link or a malicious Wi-Fi access point.
The name of the attack is derived from the two attack techniques that make up the attack:
- Tag-based Adaptive Ploy (TAP); and
- Ghost Touch Generator.
“Using an NFC card emulator embedded in a common object such as table, a TAP system performs tailored attacks on the victim’s smartphone by employing device fingerprinting; e.g., popping up a customized dialogue box asking whether or not to connect to an attacker’s Bluetooth mouse. Further, Ghost Touch Generator forces the victim to connect to the mouse even if she or he aimed to cancel the dialogue by touching the ‘cancel’ button,” the researchers wrote.
The attack can be successfully executed on phones that have vulnerable NFC. Apart from smartphones, the attack can also be launched on voting machines, ATMs, and kiosk.
About the attack techniques
Tag-based Adaptive Ploy attack technique takes advantage of an NFC feature that can trigger an Android device to visit a specific URL without user interaction. The attacker accomplishes it by using an NFC tag emulator embedded within a table or a charging station.
The Ghost Touch Generator attack works when an unknown victim touches a ‘Cancel’ button which actually works as a ‘Permit’ button. This tricks the victim into granting the Bluetooth access or connecting to a malicious Wi-Fi point.
The bottom line
Researchers note that there is a downside to this type of touchscreen manipulation as some Android handsets experienced touchscreen controlled failures related to the strong electric fields bombarding.
Such attacks can be mitigated if Google could add provisions into the way NFC worked such as requiring user permissions before performing actions such as visiting a website.