Cybercriminals can unlock certain smartphones from a distance, without needing to install any particular malware (opens in new tab) on the target endpoint, reports have claimed.
Researchers from NordVPN have outlined the method, which includes sending electromagnetic signals to the device and using them to simulate different gestures, such as swiping, tapping, and similar.
The scheme, called GhostTouch, was discovered by academics from Zhejiang University (China) and the Technical University of Darmstadt (Germany).
With GhostTouch, criminals would be able to unlock the phone and use it to access sensitive data, such as passwords, or banking apps. They could also install malware, the researchers said. However, the attackers’ hardware would need to be relatively close to the victim in order to pull the attack off. The researchers think this isn’t much of a problem, given how people usually behave in the public:
“Unfortunately, the most common places for touchscreen hacking are public places like libraries, cafes, or conference lobbies, where people place their smartphones face-down on the table. The attackers prepare the equipment under the table in advance and launch the attack remotely. The user may not even notice that their gadget has been hacked,” says Adrianus Warmenhoven, a cybersecurity expert at NordVPN.
NordVPN says the attack works from a distance of “up to 40 mm”. The attackers would be able to place the necessary hardware under the table, and use it to access the device. If the connection is established, the distance between the hackers and the target smartphone is irrelevant. So far, nine smartphone models were confirmed to be vulnerable to the flaw, including iPhone SE (2020), Samsung Galaxy S20 FE 5G, Redmi 8, and Nokia 7.2.
The hack is not exactly subtle, though, as users would see the phone operating on its own. Apparently, it’s not that uncommon, with NordVPN saying more than 209 million results emerge when trying to search the phrase “phone unlocks itself” on Google. While not all of these should be attributed to GhostTouch, some definitely could.
The best way to protect against GhostTouch is to make sure your smartphone has a security mechanism, either a PIN code, a swipe pattern, or biometrics.