In the never-ending struggle to keep our personal data safe from those with malevolent intent, researchers have discovered a new vulnerability: your smartphone’s touchscreen. By tracking how you tap and stroke your device’s screen, a hacker can break in and steal everything from passwords to credit-card information.
The good news: The same research points to a way to stop touchscreen hacking.
“Our research objective was to use machine learning to determine the amount of high-level context information an attacker can derive by observing and predicting the user’s touchscreen interactions,” says Yossi Oren, a researcher in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev (BGU).
“If an attacker can understand the context of certain events, he can use the information to create a more effective customized attack.”
Oren and his team recorded 160 touch interaction sessions from users running a number of different smartphone applications. They sent emails, conducted financial transactions and played games. Using machine learning, the researchers were able to determine stroke velocity, duration and stroke intervals on specially modified LG Nexus Android phones.
The results demonstrated an accuracy rate of 92 percent and validated the researchers’ fears that hackers can “obtain high-level context information based on touch events alone,” Oren says.
As a result, the researchers surmise that “touch injection attacks” that impersonate a user on a compromised touchscreen “are a more significant potential threat” than first thought.
How can a hacker gain access to your touchscreen? Oren says the biggest concern is if your touchscreen breaks and is replaced with a screen produced by a third-party manufacturer. If so, it could have malicious code embedded into its circuitry.
Oren says software developers could use his analysis defensively in order to “stop attacks by identifying anomalies in a user’s typical phone use and to deter unauthorized or malicious phone use.”
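As an illustration of that defensive idea, the added example below (not code from the BGU study) learns a per-user baseline from the three stroke features named above and scores new sessions against it. It assumes a simple median/MAD outlier test in place of the researchers' machine-learning model, and all touch data, including the machine-paced "injected" session, is constructed for the example.

```python
from math import hypot, log
from statistics import median

def features(strokes):
    """strokes: [(t_down, x0, y0, t_up, x1, y1)], seconds and pixels.
    Returns log-scaled (velocity, duration, interval) per stroke; the first
    stroke is skipped because it has no preceding interval."""
    rows = []
    for prev, cur in zip(strokes, strokes[1:]):
        dur = max(cur[3] - cur[0], 1e-4)
        gap = max(cur[0] - prev[3], 1e-4)
        vel = max(hypot(cur[4] - cur[1], cur[5] - cur[2]) / dur, 1e-4)
        rows.append((log(vel), log(dur), log(gap)))
    return rows

def fit_baseline(strokes):
    """Per-feature median and MAD learned from the user's own history."""
    cols = list(zip(*features(strokes)))
    meds = [median(c) for c in cols]
    mads = [max(median(abs(v - m) for v in c), 1e-6) for c, m in zip(cols, meds)]
    return meds, mads

def anomaly_score(baseline, strokes, cutoff=3.5):
    """Fraction of strokes whose modified z-score exceeds cutoff on any feature."""
    meds, mads = baseline
    rows = features(strokes)
    flagged = sum(
        any(0.6745 * abs(v - m) / d > cutoff for v, m, d in zip(r, meds, mads))
        for r in rows)
    return flagged / len(rows) if rows else 0.0

def synth(n, start=0, dur=None, gap=None):
    """Constructed sample data: human-like timing unless dur/gap are forced."""
    t, out = 0.0, []
    for i in range(start, start + n):
        d = dur if dur is not None else 0.08 + 0.01 * (i % 7)
        g = gap if gap is not None else 0.3 + 0.1 * (i % 5)
        t += g
        out.append((t, 100.0, 500.0, t + d, 220.0 + 30 * (i % 4), 500.0))
        t += d
    return out

HISTORY = synth(30)                         # constructed enrolment strokes
GENUINE = synth(12, start=3)                # constructed, same timing habits
INJECTED = synth(10, dur=0.005, gap=0.02)   # assumption: machine-paced touches

if __name__ == "__main__":
    base = fit_baseline(HISTORY)
    print(anomaly_score(base, GENUINE), anomaly_score(base, INJECTED))
```

A score near 0 means the session matches the enrolled user's habits; a score near 1 means almost every stroke falls outside them and the session deserves a challenge or a lock.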
Oren presented his findings, published in the journal Lecture Notes on Computer Science, at the Second International Symposium on Cybersecurity, Cryptography and Machine Learning in Beersheva in June. Also involved in the study were BGU undergraduate students Moran Azaran, Niv Ben-Shabat and Tal Shkonik.