Kai Wang,Richard Mitev,Chen Yan,Xiaoyu Ji,Ahmad-Reza Sadeghi,Wenyuan Xu

2022-01-01

Abstract:Capacitive touchscreens have become the primary human-machine interface for personal devices such as smartphones and tablets. In this paper, we present GhostTouch, the first active contactless attack against capacitive touchscreens. Ghost Touch uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it. By tuning the parameters of the electromagnetic signal and adjusting the antenna, we can inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen and control them to manipulate the underlying device. We successfully launch the Ghost Touch attacks on nine smartphone models. We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the Ghost Touch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password. Finally, we discuss potential hardware and software countermeasures to mitigate the attack.

Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/sp46214.2022.9833740

2022-01-01

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. To the best of our knowledge, this paper presents WIGHT, the first wired attack that creates ghost touches on capacitive touchscreens via charging cables, and can manipulate the victim devices with undesired consequences, e.g., allowing malicious Bluetooth connections, accepting files with viruses, etc. Our study calls for attention to a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various power adapters and even USB data blockers. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affect the touch measurement mechanism, and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks: injection attacks that create ghost touches without users touching the screen, alteration attacks that change the detected legitimate touch position, and Denial-of-Service attacks that prevent the device from identifying legitimate touches. Our evaluation on 6 smartphones, 1 tablet, 2 standalone touchscreen panels, 6 power adapters, and 13 charging cables demonstrates the feasibility of all three type attacks.

Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2023.3326181

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. This paper presents Marionette , the first wired attack that creates ghost touches on capacitive touchscreens via charging cables and can manipulate the victim's devices with undesired consequences, e.g., establishing malicious Bluetooth connections. Our study provides a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various USB data blockers and power adapters. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affecting the touch measurement mechanism and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks, i.e., injection, alteration, and Denial-of-Service, and the evaluation of 12 commercial electronics, 6 power adapters, and 13 charging cables demonstrate the feasibility of Marionette .

Haoqi Shan,Boyi Zhang,Zihao Zhan,Dean Sullivan,Shuo Wang,Yier Jin

DOI: https://doi.org/10.1109/SP46214.2022.9833718

2024-02-04

Abstract:Touchscreen-based electronic devices such as smart phones and smart tablets are widely used in our daily life. While the security of electronic devices have been heavily investigated recently, the resilience of touchscreens against various attacks has yet to be thoroughly investigated. In this paper, for the first time, we show that touchscreen-based electronic devices are vulnerable to intentional electromagnetic interference (IEMI) attacks in a systematic way and how to conduct this attack in a practical way. Our contribution lies in not just demonstrating the attack, but also analyzing and quantifying the underlying mechanism allowing the novel IEMI attack on touchscreens in detail. We show how to calculate both the minimum amount of electric field and signal frequency required to induce touchscreen ghost touches. We further analyze our IEMI attack on real touchscreens with different magnitudes, frequencies, duration, and multitouch patterns. The mechanism of controlling the touchscreen-enabled electronic devices with IEMI signals is also elaborated. We design and evaluate an out-of-sight touchscreen locator and touch injection feedback mechanism to assist a practical IEMI attack. Our attack works directly on the touchscreen circuit regardless of the touchscreen scanning mechanism or operating system. Our attack can inject short-tap, long-press, and omni-directional gestures on touchscreens from a distance larger than the average thickness of common tabletops. Compared with the state-of-the-art touchscreen attack, ours can accurately inject different types of touch events without the need for sensing signal synchronization, which makes our attack more robust and practical. In addition, rather than showing a simple proof-of-concept attack, we present and demonstrate the first ready-to-use IEMI based touchscreen attack vector with end-to-end attack scenarios.

Cryptography and Security

Qinhong Jiang,Yanze Ren,Yan Long,Chen Yan,Yumai Sun,Xiaoyu Ji,Kevin Fu,Wenyuan Xu

DOI: https://doi.org/10.14722/ndss.2024.23015

2024-01-01

Abstract:Keyboards are the primary peripheral input devices for various critical computer application scenarios.This paper performs a security analysis of the keyboard sensing mechanisms and uncovers a new class of vulnerabilities that can be exploited to induce phantom keys-fake keystrokes injected into keyboards' analog circuits in a contactless way using electromagnetic interference (EMI).Besides regular keystrokes, such phantom keys also include keystrokes that human operators cannot achieve, such as rapidly injecting over 10,000 keys per minute and injecting hidden keys that do not exist on the physical keyboard.The underlying principles of phantom key injections consist in inducing false voltages on keyboard sensing GPIO pins through EMI coupled onto matrix circuits.We investigate the voltage and timing requirements of injection signals both theoretically and empirically to establish the theory of phantom key injection.To validate the threat of keyboard sensing vulnerabilities, we design GhostType that can cause denial-of-service of the keyboard and inject random keystrokes as well as certain targeted keystrokes of the adversary's choice.We have validated GhostType on 48 of 50 off-the-shelf keyboards/keypads from 20 brands, including both membrane/mechanical structures and USB/Bluetooth protocols.Some example consequences of GhostType include completely blocking keyboard operations, crashing and turning off downstream computers, and deleting computer files.Finally, we glean lessons from our investigations and propose countermeasures, including shielding keyboards with metal materials and enhancing the keystroke sensing mechanism.

Ming Gao,Fu Xiao,Weiran Liu,Wentao Guo,Yangtao Huang,Yajie Liu,Jinsong Han

DOI: https://doi.org/10.1109/INFOCOM53939.2023.10228859

2023-01-01

Abstract:Human-machine interactions (HMIs), e.g., touchscreens, are essential for users to interact with mobile devices. They are also beneficial in resisting emerging active attacks, which aim at maliciously controlling mobile devices, e.g., smartphones and tablets. With touchscreen-like HMIs, users can notice and interrupt malicious actions conducted by the attackers timely and perform necessary countermeasures, e.g., tapping the ‘Quit’ button on the touchscreen. However, the effect of HMI-oriented active attacks has not been investigated yet. In this paper, we present a practical attack towards touch-based devices, namely Expelliarmus. It reveals a new attack surface of active attacks for hijacking users’ operations and thus taking full control over victim devices. Expelliarmus neutralizes users’ touch commands by producing a reverse current via electromagnetic interference (EMI). Since the reverse current offsets the current change caused by a touch, the touchscreen detects no current change and thus ignores users’ commands. Besides this basic denial-of-service attack, we also realize a target cancellation attack, which can neutralize target commands, e.g., ‘Quit’ without interference in irrelevant operations. Thus, the active attack can be completely performed without interruption from users, even if they are alerted by the abnormal events. Extensive evaluations demonstrate the effectiveness of Expelliarmus on 29 off-the-shelf devices.

Ming Gao,Fu Xiao,Wentao Guo,Zixin Lin,Weiran Liu,Jinsong Han

DOI: https://doi.org/10.1109/tdsc.2023.3303503

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Human-machine interactions (HMIs), e.g., touchscreens, are essential for users to interact with mobile devices. They are also beneficial in resisting emerging active attacks, which aim at maliciously controlling mobile devices, e.g., smartphones and tablets. With touchscreen-like HMIs, users can notice and interrupt malicious actions conducted by the attackers timely and perform necessary countermeasures, e.g., tapping the ‘Quit’ button on the touchscreen. However, the effect of HMI-oriented active attacks has not been investigated yet. In this paper, we present a practical attack towards touch-based devices, namely Expelliarmus. It reveals a new attack surface of active attacks for hijacking users' operations and thus taking full control over victim devices. Expelliarmus neutralizes users' touch commands by producing a reverse current via electromagnetic interference (EMI). Since the reverse current offsets the current change caused by a touch, the touchscreen detects no current change and thus ignores users' commands. Besides this basic denial-of-service attack, we also realize a target cancellation attack, which can neutralize target commands, e.g., ‘Quit’ without interference in irrelevant operations. Thus, the active attack can be completely performed without interruption from users, even if they are alerted by the abnormal events. Extensive evaluations demonstrate the effectiveness of Expelliarmus on 29 off-the-shelf devices.

Li Lu,Jiadi Yu,Yingying Chen,Yanmin Zhu,Xiangyu Xu,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/infocom.2019.8737591

2019-01-01

Abstract:This paper demonstrates the feasibility of a side-channel attack to infer keystrokes on touch screen leveraging an off-the-shelf smartphone. Although there exist some studies on keystroke eavesdropping attacks on touch screen, they are mainly direct eavesdropping attacks, i.e., require the device of victims compromised to provide side-channel information for the adversary, which are hardly launched in practical scenarios. In this work, we show the practicability of an indirect eavesdropping attack, KeyListener, which infers keystrokes on QWERTY keyboards of touch screen leveraging audio devices on a smartphone. We investigate the attenuation of acoustic signals, and find that a user’s keystroke fingers can be localized through the attenuation of acoustic signals received by the microphones in the smartphone. We then utilize the attenuation of acoustic signals to localize each keystroke, and further analyze errors induced by ambient noises. To improve the accuracy of keystroke localization, KeyListener further tracks finger movements during inputs through phase change and Doppler effect to reduce errors of acoustic signal attenuation-based keystroke localization. In addition, a binary tree-based search approach is employed to infer keystrokes in a context-aware manner. The proposed keystroke eavesdropping attack is robust to various environments without the assistance of additional infrastructures. Extensive experiments demonstrate that the accuracy of keystroke inference in top-5 candidates can approach 90% with a top-5 error rate of around 6%, which is a strong indication of the possible user privacy leakage of inputs on QWERTY keyboard.

Yushi Cheng,Xiaoyu Ji,Wenyuan Xu,Hao Pan,Zhuangdi Zhu,Chuang-Wen You,Yi-Chao Chen,Lili Qiu

DOI: https://doi.org/10.1145/3321705.3329817

2019-01-01

Abstract:Mobile devices have emerged as the most popular platforms to access information. However, they have also become a major concern of privacy violation and previous researches have demonstrated various approaches to infer user privacy based on mobile devices. In this paper, we study a new side channel of a laptop that could be harvested by a commercial-off-the-shelf (COTS) mobile device, eg, a smartphone. We propose MagAttack, which exploits the electromagnetic (EM) side channel of a laptop to infer user activities, i.e., application launching and application operation. The key insight of MagAttack is that applications are discrepant in essence due to the different compositions of instructions, which can be reflected on the CPU power consumption, and thus the corresponding EM emissions. MagAttack is challenging since that EM signals are noisy due to the dynamics of applications and the limited sampling rate of the built-in magnetometers in COTS mobile devices. We overcome these challenges and convert noisy coarse-grained EM signals to robust fine-grained features. We implement MagAttack on both an iOS and an Android smartphone without any hardware modification, and evaluate its performance with 13 popular applications and 50 top websites in China. The results demonstrate that MagAttack can recognize aforementioned 13 applications with an average accuracy of 98.6%, and figure out the visiting operation among 50 websites with an average accuracy of 84.7%.

Qinggang Yue,Zhen Ling,Xinwen Fu,Benyuan Liu,Kui Ren,Wei Zhao

DOI: https://doi.org/10.1145/2660267.2660288

2014-01-01

Abstract:In this paper, we introduce a novel computer vision based attack that automatically discloses inputs on a touch-enabled device while the attacker cannot see any text or popup in a video of the victim tapping on the touch screen. We carefully analyze the shadow formation around the fingertip, apply the optical flow, deformable part-based model (DPM), k-means clustering and other computer vision techniques to automatically locate the touched points. Planar homography is then applied to map the estimated touched points to a reference image of software keyboard keys. Recognition of passwords is extremely challenging given that no language model can be applied to correct estimated touched keys. Our threat model is that a webcam, smartphone or Google Glass is used for stealthy attack in scenarios such as conferences and similar gathering places. We address both cases of tapping with one finger and tapping with multiple fingers and two hands. Extensive experiments were performed to demonstrate the impact of this attack. The per-character (or per-digit) success rate is over 97% while the success rate of recognizing 4-character passcodes is more than 90%. Our work is the first to automatically and blindly recognize random passwords (or passcodes) typed on the touch screen of mobile devices with a very high success rate.

Sanorita Dey,Nirupam Roy,Wenyuan Xu,Romit Roy Choudhury,Srihari Nelakuditi

DOI: https://doi.org/10.14722/ndss.2014.23059

2014-01-01

Abstract:As mobile begins to overtake the fixed Internet access, ad networks have aggressively sought methods to track users on their mobile devices. While existing countermeasures and regulation focus on thwarting cookies and various device IDs, this paper submits a hypothesis that smartphone/tablet accelerometers possess unique fingerprints, which can be exploited for tracking users. We believe that the fingerprints arise from hardware imperfections during the sensor manufacturing process, causing every sensor chip to respond differently to the same motion stimulus. The differences in responses are subtle enough that they do not affect most of the higher level functions computed on them. Nonetheless, upon close inspection, these fingerprints emerge with consistency, and can even be somewhat independent of the stimulus that generates them. Measurements and classification on 80 standalone accelerometer chips, 25 Android phones, and 2 tablets, show precision and recall upward of 96%, along with good robustness to realworld conditions. Utilizing accelerometer fingerprints, a crowdsourcing application running in the cloud could segregate sensor data for each device, making it easy to track a user over space and time. Such attacks are almost trivial to launch, while simple solutions may not be adequate to counteract them.

Ilia Shumailov,Laurent Simon,Jeff Yan,Ross Anderson

DOI: https://doi.org/10.48550/arXiv.1903.11137

2019-03-26

Cryptography and Security

Abstract:We present the first acoustic side-channel attack that recovers what users type on the virtual keyboard of their touch-screen smartphone or tablet. When a user taps the screen with a finger, the tap generates a sound wave that propagates on the screen surface and in the air. We found the device's microphone(s) can recover this wave and "hear" the finger's touch, and the wave's distortions are characteristic of the tap's location on the screen. Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it on their device. We evaluate the effectiveness of the attack with 45 participants in a real-world environment on an Android tablet and an Android smartphone. For the tablet, we recover 61% of 200 4-digit PIN-codes within 20 attempts, even if the model is not trained with the victim's data. For the smartphone, we recover 9 words of size 7--13 letters with 50 attempts in a common side-channel attack benchmark. Our results suggest that it not always sufficient to rely on isolation mechanisms such as TrustZone to protect user input. We propose and discuss hardware, operating-system and application-level mechanisms to block this attack more effectively. Mobile devices may need a richer capability model, a more user-friendly notification system for sensor usage and a more thorough evaluation of the information leaked by the underlying hardware.

Qinggang Yue,Zhen Ling,Benyuan Liu,Xinwen Fu,Wei Zhao

DOI: https://doi.org/10.48550/arXiv.1403.4829

2014-03-19

Abstract:In this paper, we introduce a novel computer vision based attack that discloses inputs on a touch enabled device, while the attacker cannot see any text or popups from a video of the victim tapping on the touch screen. In the attack, we use the optical flow algorithm to identify touching frames where the finger touches the screen surface. We innovatively use intersections of detected edges of the touch screen to derive the homography matrix mapping the touch screen surface in video frames to a reference image of the virtual keyboard. We analyze the shadow formation around the fingertip and use the k-means clustering algorithm to identify touched points. Homography can then map these touched points to keys of the virtual keyboard. Our work is substantially different from existing work. We target password input and are able to achieve a high success rate. We target scenarios like classrooms, conferences and similar gathering places and use a webcam or smartphone camera. In these scenes, single-lens reflex (SLR) cameras and high-end camcorders used in related work will appear suspicious. To defeat such computer vision based attacks, we design, implement and evaluate the Privacy Enhancing Keyboard (PEK) where a randomized virtual keyboard is used to input sensitive information.

Cryptography and Security

Omer Shwartz,Amir Cohen,Asaf Shabtai,Yossi Oren

DOI: https://doi.org/10.48550/arXiv.1805.04850

2018-05-13

Abstract:Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by third-party manufacturers and not by the phone vendors themselves. Third-party driver source code to support these components is integrated into the vendor's source code. In contrast to 'pluggable' drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor. In this paper, we call this trust into question, considering the fact that touchscreens are often shattered and then replaced with aftermarket components of questionable origin. We analyze the operation of a commonly used touchscreen controller. We construct two standalone attacks, based on malicious touchscreen hardware, that function as building blocks toward a full attack: a series of touch injection attacks that allow the touchscreen to impersonate the user and exfiltrate data, and a buffer overflow attack that lets the attacker execute privileged operations. Combining the two building blocks, we present and evaluate a series of end-to-end attacks that can severely compromise a stock Android phone with standard firmware. Our results make the case for a hardware-based physical countermeasure.

Cryptography and Security

Wenbin Huang,Wenjuan Tang,Kuan Zhang,Haojin Zhu,Yaoxue Zhang

DOI: https://doi.org/10.1109/infocom48880.2022.9796653

2022-01-01

Abstract:Enormous mobile applications (apps) now support voice functionality for convenient user-device interaction. However, these voice-enabled apps may spitefully invoke microphone to realize voice eavesdropping with arousing security risks and privacy concerns. To explore the issue of voice eavesdropping, in this work, we first design eavesdropping apps through native development and injection development to conduct eavesdropping attacks on a series of smart devices. The results demonstrate that eavesdropping could be carried out freely without any hint. To thwart voice eavesdropping, we propose a valid eavesdropping detection (EarDet) scheme based on the discovery that the activation of voice function in most apps requires authorization from the user by touching a specific voice icon. In the scheme, we construct a request-response time model using the Unix time stamps of touching the voice icon and microphone invoked. Through numerical analysis and hypothesis testing to effectively verify the pattern of the app's normal access under user authorization to the microphone, we could detect eavesdropping attacks by sensing whether there is a touch operation. Finally, we apply the scheme to different smart devices and test several apps. The experimental results show that the proposed EarDet scheme can achieve a high detection accuracy.

Jinxiao Wu,Xiangyang Ji,Yongqiang Lyu,Xuanshu Luo,Yan Meng,Eric Morales,Dongsheng Wang,Xiaomin Luo

DOI: https://doi.org/10.1109/tmc.2022.3214846

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Biometrics are widely used for user identification/authentication, but the fact has rarely been noticed that general capacitive touchscreens can reveal user identities by touch signals. This paper proposes a new biometric method with inherent liveness detection for reliable user recognition based on the cardiac signal captured by the capacitive touchscreen, namely Capacitive Plethysmogram (CPG). And a systematic framework is designed for CPG collection, processing, and exploitation to identify users. Specifically, since the finger usually forms capacitors with multiple sensing electrodes during touching, we can extract several CPG signals simultaneously from the screen output. Then we propose a series of preprocessing algorithms to filter CPG for signal quality enhancement. Finally, to further leverage filtered CPG signals and extract efficient features for identifying users, we build an encoder based on 3D attention CNN and metric learning. Experimental results demonstrate that the proposed method can achieve an average accuracy of 96.73%, FAR of 3.03%, and FRR of 7.35% in the laboratory environment, which reveals the potential of CPG for user privacy protection and data security on various devices laced with capacitive touchscreens.

Haoyu Li,Di Ma,Nitesh Saxena,Babins Shrestha,Yan Zhu

DOI: https://doi.org/10.48550/arXiv.1302.4010

2013-02-17

Abstract:In this paper, we introduce a lightweight permission enforcement approach - Tap-Wave-Rub (TWR) - for smartphone malware prevention. TWR is based on simple human gestures that are very quick and intuitive but less likely to be exhibited in users' daily activities. Presence or absence of such gestures, prior to accessing an application, can effectively inform the OS whether the access request is benign or malicious. Specifically, we present the design of two mechanisms: (1) accelerometer based phone tapping detection; and (2) proximity sensor based finger tapping, rubbing or hand waving detection. The first mechanism is geared for NFC applications, which usually require the user to tap her phone with another device. The second mechanism involves very simple gestures, i.e., tapping or rubbing a finger near the top of phone's screen or waving a hand close to the phone, and broadly appeals to many applications (e.g., SMS). In addition, we present the TWR-enhanced Android permission model, the prototypes implementing the underlying gesture recognition mechanisms, and a variety of novel experiments to evaluate these mechanisms. Our results suggest the proposed approach could be very effective for malware detection and prevention, with quite low false positives and false negatives, while imposing little to no additional burden on the users.

Cryptography and Security

Longbiao Chen,Gang Pan,Shijian Li

DOI: https://doi.org/10.1109/percomw.2012.6197548

2012-01-01

Abstract:With the advent of smart home technologies, convenient and intuitive cyber-physical interaction methods are in great need. We demonstrate a touch-driven interaction system with home appliances via an NFC-enabled smartphone. By touching the phone to NFC tagged devices, we can establish connection and exchange information, control devices from phone, and share media between them. We also demonstrate three applications, Touch&Connect, Touch&Listen, and Touch&Watch, to demonstrate touch-driven interaction in a smart home environment.

Maryam Mehrnezhad,Ehsan Toreini,Siamak F. Shahandashti,Feng Hao

DOI: https://doi.org/10.1016/j.jisa.2015.11.007

2016-02-13

Abstract:Conforming to W3C specifications, mobile web browsers allow JavaScript code in a web page to access motion and orientation sensor data without the user's permission. The associated risks to user security and privacy are however not considered in W3C specifications. In this work, for the first time, we show how user security can be compromised using these sensor data via browser, despite that the data rate is 3 to 5 times slower than what is available in app. We examine multiple popular browsers on Android and iOS platforms and study their policies in granting permissions to JavaScript code with respect to access to motion and orientation sensor data. Based on our observations, we identify multiple vulnerabilities, and propose TouchSignatures which implements an attack where malicious JavaScript code on an attack tab listens to such sensor data measurements. Based on these streams, TouchSignatures is able to distinguish the user's touch actions (i.e., tap, scroll, hold, and zoom) and her PINs, allowing a remote website to learn the client-side user activities. We demonstrate the practicality of this attack by collecting data from real users and reporting high success rates using our proof-of-concept implementations. We also present a set of potential solutions to address the vulnerabilities. The W3C community and major mobile browser vendors including Mozilla, Google, Apple and Opera have acknowledge our work and are implementing some of our proposed countermeasures.

Cryptography and Security

Wenfan Song,Jianwei Liu,Jinsong Han

DOI: https://doi.org/10.1145/3678570

2024-01-01

Abstract:Mouse is a ubiquitous input tool crucial for user-computer interaction in modern society. However, the inherent trust in the mouse may pose security risks. If the mouse is maliciously manipulated, the connected computer could be secretly controlled, endangering personal privacy and property. In this paper, we introduce PuppetMouse, the first intentional electromagnetic interference (IEMI) injection-based attack that can effectively manipulate mouse clicks and movements without physical contact. By adjusting the parameters of IEMI signals, PuppetMouse can precisely control the click side, as well as the movement direction and speed. We demonstrate PuppetMouse's effectiveness on 14 wired and wireless mice from popular brands. The short response delay (within 4 ms) affirms the real-time performance of PuppetMouse. Robustness analysis across different attack distances and material occlusions validate the stability and reliability of PuppetMouse. Two case studies on firewall disabling and malicious WiFi connection further prove the severe threats of PuppetMouse in the real world. We also propose an integrated set of hardware and software-based defensive mechanisms to mitigate the risks posed by PuppetMouse.