It’s now possible for an attacker to interact with your phone’s touch screen – tap, swipe, hold – without actually being anywhere near it. That’s according to some bleeding-edge work by researchers at Zhejiang University, China and the Technical University of Darmstadt, Germany.
From time to time, researchers find not just a new vulnerability in a mobile phone, but a whole new class of vulnerabilities. When that happens, it’s always of huge interest to cyber security experts because it opens the door to the development of potentially enormous numbers of exploits.
This week is one of those times. The new vulnerability has been given the moniker WIGHT (for Wired Ghost Touch) and is completely cross-platform. That is unusual, because most attacks are crafted against iOS or Android specifically. WIGHT, however, exploits a vulnerability in the capacitive touch screens common to almost all mobile phones and tablets.
The exact technical details are complex, but the gist is that screen touches can be simulated by sending carefully crafted signals (voltage spikes, essentially) down a USB charging cable. The kind of connector the phone has doesn’t seem to matter: the attack has been tested against phones with USB-C, Micro USB and Lightning, amongst others.
Android and iOS
This also means that the attack isn’t reliant on a USB data connection. Both Android and iOS phones require a user’s confirmation if data is to be transmitted down a USB connection, but WIGHT doesn’t require you to say yes.
The way this vulnerability works means that attackers would need to persuade a victim to plug their device into a maliciously modified charging port. However, researchers have previously shown this to be a relatively straightforward thing to do, by attacking public charging ports in airports, hotels or trains, for example.
Should you worry about this? Not really, certainly not right now. The researchers have themselves said that the accuracy of the simulated touches is pretty poor, so there’s little damage they could reliably do to your phone at the moment. But the interesting thing is that this is a brand new technology, fledgling at the moment, so it’s going to be fascinating to see where new research directions take it.
The European Union
This month, the EU voted to require all phone manufacturers to support USB-C connections. This is a brilliant move, done to reduce e-waste by ensuring that upgrading your phone doesn’t mean having to bin a charger. It also has the positive effect that all phones will now support a common charger, meaning that if you need to borrow a friend’s charger, there’s no worry it won’t be the right one for you. It is sad, therefore, that this entirely beneficial law won’t be reaching us in Britain.
In truth, the industry has almost entirely standardised on USB-C already, which is also a de facto standard outside of the mobile phone world. Only one company has created their own proprietary connector for their phones, and that is Apple.
Predictably, therefore, Apple has many reasons to be against this law. The reality, though, is of course that they are being driven by commercial reasons: the Lightning connector is protected and Apple charges a licence fee for anyone to use it. That means that Apple has been paid for each and every Lightning connector you see, whether manufactured by Apple or not. It’s a hefty fee too; one of our customers at Apptaura was forced to support only Android because the Lightning connector made a significant impact on their product’s commercials.
Another benefit of this law, therefore, is that phone peripherals should be less expensive to manufacture, also allowing smaller (perhaps more local) manufacturers to take a greater profit.