Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/sp46214.2022.9833740

2022-01-01

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. To the best of our knowledge, this paper presents WIGHT, the first wired attack that creates ghost touches on capacitive touchscreens via charging cables, and can manipulate the victim devices with undesired consequences, e.g., allowing malicious Bluetooth connections, accepting files with viruses, etc. Our study calls for attention to a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various power adapters and even USB data blockers. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affect the touch measurement mechanism, and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks: injection attacks that create ghost touches without users touching the screen, alteration attacks that change the detected legitimate touch position, and Denial-of-Service attacks that prevent the device from identifying legitimate touches. Our evaluation on 6 smartphones, 1 tablet, 2 standalone touchscreen panels, 6 power adapters, and 13 charging cables demonstrates the feasibility of all three type attacks.

Kai Wang,Richard Mitev,Chen Yan,Xiaoyu Ji,Ahmad-Reza Sadeghi,Wenyuan Xu

2022-01-01

Abstract:Capacitive touchscreens have become the primary human-machine interface for personal devices such as smartphones and tablets. In this paper, we present GhostTouch, the first active contactless attack against capacitive touchscreens. Ghost Touch uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it. By tuning the parameters of the electromagnetic signal and adjusting the antenna, we can inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen and control them to manipulate the underlying device. We successfully launch the Ghost Touch attacks on nine smartphone models. We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the Ghost Touch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password. Finally, we discuss potential hardware and software countermeasures to mitigate the attack.

Xiaoyu Ji,Juchuan Zhang,Shui Jiang,Jishen Li,Wenyuan Xu

DOI: https://doi.org/10.1145/3460120.3485389

2021-01-01

Abstract:Voice assistants can be manipulated by various malicious voice commands, yet existing attacks require a nearby speaker to play the attack commands. In this paper, we show that even when no speakers are available, we can play malicious commands by utilizing the capacitors inside electronic devices, i.e., we convert capacitors into speakers and call it CapSpeaker. Essentially, capacitors can emit acoustic noises due to the inverse piezoelectric effect, i.e., varying the voltage across a capacitor can make it vibrate and thus emit acoustic noises. Forcing capacitors to play malicious voice commands is challenging because (1) the frequency responses of capacitors as speakers have poor performance in the range of audible voices, and (2) we have no direct control over the voltage across capacitors to manipulate their emitting sounds. To overcome the challenges, we use a PWM-based modulation scheme to embed the malicious audio onto a high-frequency carrier, e.g., above 20 kHz, and we create malware that can induce the right voltage across the capacitors such that CapSpeaker plays the chosen malicious commands. We conducted extensive experiments with 2 LED lamps (a modified one and a commercial one) and 5 victim devices (iPhone 4s, iPad mini 5, Huawei Nova 5i, etc.). Evaluation results demonstrate that CapSpeaker is feasible at a distance up to 10.5 cm, triggering a smartphone to receive voice commands, e.g., "open the door''.

Yan Jiang,Xiaoyu Ji,Juchuan Zhang,Yancheng Jiang,Shui Jiang,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2023.3326184

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recent studies have exposed that voice assistants can be manipulated by various voice commands without being noticed, however, existing attacks require a nearby speaker to play the attack commands. In this paper, we demonstrate that even without a speaker, we can use capacitors inside electronic devices to produce malicious voice commands, i.e., we convert capacitors into speakers and call it CapSpeaker . The underlying principle of CapSpeaker is the inverse piezoelectric effect, i.e., varying the voltage across a capacitor to make it vibrate and thus emit acoustic noises. Forcing capacitors to emit target voice commands is challenging because (1) capacitors' response frequency is out of the range of audible voices. (2) We can not directly control the voltage across capacitors to manipulate their emit sounds. To overcome these challenges, we propose a PWM-based modulation scheme to embed the malicious audio onto a high-frequency carrier, e.g., above 20 kHz, and we create malware to induce the designed voltage across the capacitors such that CapSpeaker plays the chosen malicious commands. Our evaluation of 7 commercial devices demonstrates that CapSpeaker is feasible to inject voice commands, e.g., ”open the door”, at a distance of up to 10.5 cm.

Qinhong Jiang,Yanze Ren,Yan Long,Chen Yan,Yumai Sun,Xiaoyu Ji,Kevin Fu,Wenyuan Xu

DOI: https://doi.org/10.14722/ndss.2024.23015

2024-01-01

Abstract:Keyboards are the primary peripheral input devices for various critical computer application scenarios.This paper performs a security analysis of the keyboard sensing mechanisms and uncovers a new class of vulnerabilities that can be exploited to induce phantom keys-fake keystrokes injected into keyboards' analog circuits in a contactless way using electromagnetic interference (EMI).Besides regular keystrokes, such phantom keys also include keystrokes that human operators cannot achieve, such as rapidly injecting over 10,000 keys per minute and injecting hidden keys that do not exist on the physical keyboard.The underlying principles of phantom key injections consist in inducing false voltages on keyboard sensing GPIO pins through EMI coupled onto matrix circuits.We investigate the voltage and timing requirements of injection signals both theoretically and empirically to establish the theory of phantom key injection.To validate the threat of keyboard sensing vulnerabilities, we design GhostType that can cause denial-of-service of the keyboard and inject random keystrokes as well as certain targeted keystrokes of the adversary's choice.We have validated GhostType on 48 of 50 off-the-shelf keyboards/keypads from 20 brands, including both membrane/mechanical structures and USB/Bluetooth protocols.Some example consequences of GhostType include completely blocking keyboard operations, crashing and turning off downstream computers, and deleting computer files.Finally, we glean lessons from our investigations and propose countermeasures, including shielding keyboards with metal materials and enhancing the keystroke sensing mechanism.

Kai Wang,Richard Mitev,Chen Yan,Xiaoyu Ji,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2024.3352593

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Capacitive touchscreens have become the primary human-machine interface for personal devices such as smartphones and tablets. In this paper, we present GhostTouch, the first active contactless attack against capacitive touchscreens. GhostTouch uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the requirement to physically touch it. By tuning the parameters of the electromagnetic signal and adjusting the antenna, we can inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen and control them to manipulate the underlying device. We successfully launch the GhostTouch attacks on nine smartphone models. We can inject targeted taps continuously with a standard deviation of as low as $14.6 \times 19.2$ pixels from the target area, and a distance of up to $40mm$. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including pressing the button, answering an eavesdropping phone call, and swiping up to unlock. Finally, we propose touchscreen reinforcement and attack detection mechanisms to mitigate the threat of GhostTouch attack.

computer science, information systems, software engineering, hardware & architecture

Ming Gao,Fu Xiao,Weiran Liu,Wentao Guo,Yangtao Huang,Yajie Liu,Jinsong Han

DOI: https://doi.org/10.1109/INFOCOM53939.2023.10228859

2023-01-01

Abstract:Human-machine interactions (HMIs), e.g., touchscreens, are essential for users to interact with mobile devices. They are also beneficial in resisting emerging active attacks, which aim at maliciously controlling mobile devices, e.g., smartphones and tablets. With touchscreen-like HMIs, users can notice and interrupt malicious actions conducted by the attackers timely and perform necessary countermeasures, e.g., tapping the ‘Quit’ button on the touchscreen. However, the effect of HMI-oriented active attacks has not been investigated yet. In this paper, we present a practical attack towards touch-based devices, namely Expelliarmus. It reveals a new attack surface of active attacks for hijacking users’ operations and thus taking full control over victim devices. Expelliarmus neutralizes users’ touch commands by producing a reverse current via electromagnetic interference (EMI). Since the reverse current offsets the current change caused by a touch, the touchscreen detects no current change and thus ignores users’ commands. Besides this basic denial-of-service attack, we also realize a target cancellation attack, which can neutralize target commands, e.g., ‘Quit’ without interference in irrelevant operations. Thus, the active attack can be completely performed without interruption from users, even if they are alerted by the abnormal events. Extensive evaluations demonstrate the effectiveness of Expelliarmus on 29 off-the-shelf devices.

Ming Gao,Fu Xiao,Wentao Guo,Zixin Lin,Weiran Liu,Jinsong Han

DOI: https://doi.org/10.1109/tdsc.2023.3303503

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Human-machine interactions (HMIs), e.g., touchscreens, are essential for users to interact with mobile devices. They are also beneficial in resisting emerging active attacks, which aim at maliciously controlling mobile devices, e.g., smartphones and tablets. With touchscreen-like HMIs, users can notice and interrupt malicious actions conducted by the attackers timely and perform necessary countermeasures, e.g., tapping the ‘Quit’ button on the touchscreen. However, the effect of HMI-oriented active attacks has not been investigated yet. In this paper, we present a practical attack towards touch-based devices, namely Expelliarmus. It reveals a new attack surface of active attacks for hijacking users' operations and thus taking full control over victim devices. Expelliarmus neutralizes users' touch commands by producing a reverse current via electromagnetic interference (EMI). Since the reverse current offsets the current change caused by a touch, the touchscreen detects no current change and thus ignores users' commands. Besides this basic denial-of-service attack, we also realize a target cancellation attack, which can neutralize target commands, e.g., ‘Quit’ without interference in irrelevant operations. Thus, the active attack can be completely performed without interruption from users, even if they are alerted by the abnormal events. Extensive evaluations demonstrate the effectiveness of Expelliarmus on 29 off-the-shelf devices.

Wenfan Song,Jianwei Liu,Jinsong Han

DOI: https://doi.org/10.1145/3678570

2024-01-01

Abstract:Mouse is a ubiquitous input tool crucial for user-computer interaction in modern society. However, the inherent trust in the mouse may pose security risks. If the mouse is maliciously manipulated, the connected computer could be secretly controlled, endangering personal privacy and property. In this paper, we introduce PuppetMouse, the first intentional electromagnetic interference (IEMI) injection-based attack that can effectively manipulate mouse clicks and movements without physical contact. By adjusting the parameters of IEMI signals, PuppetMouse can precisely control the click side, as well as the movement direction and speed. We demonstrate PuppetMouse's effectiveness on 14 wired and wireless mice from popular brands. The short response delay (within 4 ms) affirms the real-time performance of PuppetMouse. Robustness analysis across different attack distances and material occlusions validate the stability and reliability of PuppetMouse. Two case studies on firewall disabling and malicious WiFi connection further prove the severe threats of PuppetMouse in the real world. We also propose an integrated set of hardware and software-based defensive mechanisms to mitigate the risks posed by PuppetMouse.

Riccardo Spolaor,Laila Abudahi,Veelasha Moonsamy,Mauro Conti,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1609.02750

2016-09-09

Abstract:More and more people are regularly using mobile and battery-powered handsets, such as smartphones and tablets. At the same time, thanks to the technological innovation and to the high user demands, those devices are integrating extensive functionalities and developers are writing battery-draining apps, which results in a surge of energy consumption of these devices. This scenario leads many people to often look for opportunities to charge their devices at public charging stations: the presence of such stations is already prominent around public areas such as hotels, shopping malls, airports, gyms and museums, and is expected to significantly grow in the future. While most of the time the power comes for free, there is no guarantee that the charging station is not maliciously controlled by an adversary, with the intention to exfiltrate data from the devices that are connected to it. In this paper, we illustrate for the first time how an adversary could leverage a maliciously controlled charging station to exfiltrate data from the smartphone via a USB charging cable (i.e., without using the data transfer functionality), controlling a simple app running on the device, and without requiring any permission to be granted by the user to send data out of the device. We show the feasibility of the proposed attack through a prototype implementation in Android, which is able to send out potentially sensitive information, such as IMEI, contacts' phone number, and pictures.

Cryptography and Security

Haoqi Shan,Boyi Zhang,Zihao Zhan,Dean Sullivan,Shuo Wang,Yier Jin

DOI: https://doi.org/10.1109/SP46214.2022.9833718

2024-02-04

Abstract:Touchscreen-based electronic devices such as smart phones and smart tablets are widely used in our daily life. While the security of electronic devices have been heavily investigated recently, the resilience of touchscreens against various attacks has yet to be thoroughly investigated. In this paper, for the first time, we show that touchscreen-based electronic devices are vulnerable to intentional electromagnetic interference (IEMI) attacks in a systematic way and how to conduct this attack in a practical way. Our contribution lies in not just demonstrating the attack, but also analyzing and quantifying the underlying mechanism allowing the novel IEMI attack on touchscreens in detail. We show how to calculate both the minimum amount of electric field and signal frequency required to induce touchscreen ghost touches. We further analyze our IEMI attack on real touchscreens with different magnitudes, frequencies, duration, and multitouch patterns. The mechanism of controlling the touchscreen-enabled electronic devices with IEMI signals is also elaborated. We design and evaluate an out-of-sight touchscreen locator and touch injection feedback mechanism to assist a practical IEMI attack. Our attack works directly on the touchscreen circuit regardless of the touchscreen scanning mechanism or operating system. Our attack can inject short-tap, long-press, and omni-directional gestures on touchscreens from a distance larger than the average thickness of common tabletops. Compared with the state-of-the-art touchscreen attack, ours can accurately inject different types of touch events without the need for sensing signal synchronization, which makes our attack more robust and practical. In addition, rather than showing a simple proof-of-concept attack, we present and demonstrate the first ready-to-use IEMI based touchscreen attack vector with end-to-end attack scenarios.

Cryptography and Security

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Zhixin Xie,Chen Yan,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1145/3607199.3607249

2023-01-01

Abstract:Wired serial communication protocols such as UART are widely used in today’s IoT systems for their simple connection and good industry ecology. However, due to the simplicity of these protocols, they are vulnerable to attacks that falsify the communication. In this work, we propose the BitDance attack that can arbitrarily flip the bits of serial communication without any physical contact utilizing intentional electromagnetic interference (IEMI). We describe the physical process of how electromagnetic interference influences the voltage, build up a model to demonstrate the bit-level control principle of our work, and implement the attack on 6 different sensors with UART, a widely used serial communication protocol. The result shows we can inject bit-level information and disable legitimate communication from the system with a maximum success rate of 45.4 and 100. Finally, we propose countermeasures to mitigate the impact of this attack.

Sebastian Köhler,Richard Baker,Martin Strohmeier,Ivan Martinovic

DOI: https://doi.org/10.14722/ndss.2023.23251

2024-03-26

Abstract:We present a novel attack against the Combined Charging System, one of the most widely used DC rapid charging technologies for electric vehicles (EVs). Our attack, Brokenwire, interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack requires only temporary physical proximity and can be conducted wirelessly from a distance, allowing individual vehicles or entire fleets to be disrupted stealthily and simultaneously. In addition, it can be mounted with off-the-shelf radio hardware and minimal technical knowledge. By exploiting CSMA/CA behavior, only a very weak signal needs to be induced into the victim to disrupt communication - exceeding the effectiveness of broadband noise jamming by three orders of magnitude. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it. We first study the attack in a controlled testbed and then demonstrate it against eight vehicles and 20 chargers in real deployments. We find the attack to be successful in the real world, at ranges up to 47 m, for a power budget of less than 1 W. We further show that the attack can work between the floors of a building (e.g., multi-story parking), through perimeter fences, and from `drive-by' attacks. We present a heuristic model to estimate the number of vehicles that can be attacked simultaneously for a given output power. Brokenwire has immediate implications for a substantial proportion of the around 12 million battery EVs on the roads worldwide - and profound effects on the new wave of electrification for vehicle fleets, both for private enterprise and crucial public services, as well as electric buses, trucks and small ships. As such, we conducted a disclosure to the industry and discussed a range of mitigation techniques that could be deployed to limit the impact.

Cryptography and Security

Longbiao Chen,Gang Pan,Shijian Li

DOI: https://doi.org/10.1109/percomw.2012.6197548

2012-01-01

Abstract:With the advent of smart home technologies, convenient and intuitive cyber-physical interaction methods are in great need. We demonstrate a touch-driven interaction system with home appliances via an NFC-enabled smartphone. By touching the phone to NFC tagged devices, we can establish connection and exchange information, control devices from phone, and share media between them. We also demonstrate three applications, Touch&Connect, Touch&Listen, and Touch&Watch, to demonstrate touch-driven interaction in a smart home environment.

Jiachun Li,Yan Meng,Yuxia Zhan,Le Zhang,Haojin Zhu

DOI: https://doi.org/10.1109/tifs.2024.3465026

2024-01-01

Abstract:Virtual reality (VR), offering 3D visuals and stereophonic sounds, significantly enhances users’ immersive experiences and has become a milestone in the era of the metaverse. However, due to the limited battery capacity of VR devices, it is common for users to rely on charging cables, which serve the dual purpose of power supply and audio output, to recharge their VR devices while in use. In this study, we propose an inconspicuous and stealthy side channel attack, coined as LineTalker, which can unveil visual-related and audio-related activities from VR devices during the charging process. The insight behind LineTalker is rooted in the observation that visual-related activities (e.g., 3D image rendering) are power-intensive and result in fluctuations in the current strength of the cable’s power supply line, which can be leveraged as side channel information. Similarly, audio-related activities (e.g., playing music) leave traces on the cable’s audio output line. Rather than providing a user with a compromised charging cable (i.e., embedding a current sensor) to measure the current strength, to make the attack less conspicuous, LineTalker employs the Hall effect to indirectly access side channel information. This is achieved by capturing magnetic signals using a Hall sensor placed near the target cable in a contactless manner. Experimental results demonstrate that LineTalker achieves an overall accuracy of 94.60% and 64.38% in inferring user activities in VR devices with intrusive and non-intrusive attack manners, respectively.

Omer Shwartz,Amir Cohen,Asaf Shabtai,Yossi Oren

DOI: https://doi.org/10.48550/arXiv.1805.04850

2018-05-13

Abstract:Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by third-party manufacturers and not by the phone vendors themselves. Third-party driver source code to support these components is integrated into the vendor's source code. In contrast to 'pluggable' drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor. In this paper, we call this trust into question, considering the fact that touchscreens are often shattered and then replaced with aftermarket components of questionable origin. We analyze the operation of a commonly used touchscreen controller. We construct two standalone attacks, based on malicious touchscreen hardware, that function as building blocks toward a full attack: a series of touch injection attacks that allow the touchscreen to impersonate the user and exfiltrate data, and a buffer overflow attack that lets the attacker execute privileged operations. Combining the two building blocks, we present and evaluate a series of end-to-end attacks that can severely compromise a stock Android phone with standard firmware. Our results make the case for a hardware-based physical countermeasure.

Cryptography and Security

Ilia Shumailov,Laurent Simon,Jeff Yan,Ross Anderson

DOI: https://doi.org/10.48550/arXiv.1903.11137

2019-03-26

Cryptography and Security

Abstract:We present the first acoustic side-channel attack that recovers what users type on the virtual keyboard of their touch-screen smartphone or tablet. When a user taps the screen with a finger, the tap generates a sound wave that propagates on the screen surface and in the air. We found the device's microphone(s) can recover this wave and "hear" the finger's touch, and the wave's distortions are characteristic of the tap's location on the screen. Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it on their device. We evaluate the effectiveness of the attack with 45 participants in a real-world environment on an Android tablet and an Android smartphone. For the tablet, we recover 61% of 200 4-digit PIN-codes within 20 attempts, even if the model is not trained with the victim's data. For the smartphone, we recover 9 words of size 7--13 letters with 50 attempts in a common side-channel attack benchmark. Our results suggest that it not always sufficient to rely on isolation mechanisms such as TrustZone to protect user input. We propose and discuss hardware, operating-system and application-level mechanisms to block this attack more effectively. Mobile devices may need a richer capability model, a more user-friendly notification system for sensor usage and a more thorough evaluation of the information leaked by the underlying hardware.

Ce Zhou,Qiben Yan,Zhiyuan Yu,Eshan Dixit,Ning Zhang,Huacheng Zeng,Alireza Safdari Ghanhdari

DOI: https://doi.org/10.48550/arXiv.2305.08037

2023-05-14

Cryptography and Security

Abstract:Electric Vehicle (EV) has become one of the promising solutions to the ever-evolving environmental and energy crisis. The key to the wide adoption of EVs is a pervasive charging infrastructure, composed of both private/home chargers and public/commercial charging stations. The security of EV charging, however, has not been thoroughly investigated. This paper investigates the communication mechanisms between the chargers and EVs, and exposes the lack of protection on the authenticity in the SAE J1772 charging control protocol. To showcase our discoveries, we propose a new class of attacks, ChargeX, which aims to manipulate the charging states or charging rates of EV chargers with the goal of disrupting the charging schedules, causing a denial of service (DoS), or degrading the battery performance. ChargeX inserts a hardware attack circuit to strategically modify the charging control signals. We design and implement multiple attack systems, and evaluate the attacks on a public charging station and two home chargers using a simulated vehicle load in the lab environment. Extensive experiments on different types of chargers demonstrate the effectiveness and generalization of ChargeX. Specifically, we demonstrate that ChargeX can force the switching of an EV's charging state from ``stand by" to ``charging", even when the vehicle is not in the charging state. We further validate the attacks on a Tesla Model 3 vehicle to demonstrate the disruptive impacts of ChargeX. If deployed, ChargeX may significantly demolish people's trust in the EV charging infrastructure.

Alexander S. La Cour,Khurram K. Afridi,G. Edward Suh

DOI: https://doi.org/10.1145/3460120.3484733

2021-05-27

Abstract:This paper shows that today's wireless charging interface is vulnerable to power side-channel attacks; a smartphone charging wirelessly leaks private information about its activity to the wireless charger (charging transmitter). We present a website fingerprinting attack through the wireless charging side-channel for both iOS and Android devices. The attack monitors the current drawn by the wireless charging transmitter while 20 webpages from the Alexa top sites list are loaded on a charging smartphone. We implement a classifier that correctly identifies unlabeled current traces with an accuracy of 87% on average for an iPhone 11 and 95% on average for a Google Pixel 4. This represents a considerable security threat because wireless charging does not require any user permission if the phone is within the range of a charging transmitter. To the best of our knowledge, this work represents the first to introduce and demonstrate a power side-channel attack through wireless charging. Additionally, this study compares the wireless charging side-channel with the wired USB charging power side-channel, showing that they are comparable. We find that the performance of the attack deteriorates as the contents of websites change over time. Furthermore, we discover that the amount of information leakage through both wireless and wired charging interfaces heavily depends on the battery level; minimal information is leaked at low battery levels.

Cryptography and Security