A Genetic Algorithm-based framework that can automatically generate wired ghost touch attacks
given security objectives (e.g., types and locations of desired ghost touches).
For more details, please refer to our ICCAD'22 paper: PowerTouch: A Security Objective-Guided Automation Framework for Generating Wired Ghost Touch Attacks on Touchscreens.
-
Standard packages:
ctypes
,numpy
,re
,datetime
,pandas
,warnings
,matplotlib
,statistics
,time
-
Python Genetic Algorithm Library: PyGAD
pip install pygad
-
Android Debug Bridge (ADB): Android SDK Platform Tools.
Currently, the framework only supports Android devices. We will add support for iOS devices in the future.
-
Clone this repository
git clone https://github.com/xz-group/PowerTouch.git
-
All-in-one USB instrument
: Analog Discovery 2 with BNC Adapter board.- Five instruments are implemented in Analog Discovery 2 for this framework:
oscilloscope
: to capture the TX excitation signal of the touchscreen and monitor the generated noise signal.waveform generator
: to generate the noise signal.pattern generator
: to generate digital control signals for the relays on the customized noise injection PCB.logic analyzer
: to monitor the above digital control signals.power supply
: to power the customized noise injection PCB.
- Five instruments are implemented in Analog Discovery 2 for this framework:
-
High-voltage amplifier module
: we use MX200 Piezo Driver for this project. But any high-voltage amplifier module that can generate minimum 60Vpp signal with 500kHz bandwidth should work.The bandwidth of MX200 is 200KHz also. We extend the bandwidth to around 500KHz by calibrating the gain of the amplifier. See here for details.
-
Our
customized noise injection PCB
: source design files are available in hardware folder.- The board is powered by 5V through
5V
andGND
pins. - It contains four RF relay (9814-500 relay) channels: CH1, CH2, CH3, and CH4.
CH1
is used to capture the TX excitation signal of the touchscreen. It is connected to theSHIELD
of USB connector.CH2
is used to inject high-voltage noise signal to the touchscreen. It is connected to theSHIELD
of USB connector.CH3
andCH4
are used to charge the smartphone when conducting the experiments. They are connected to theVBUS
andVGND
of USB connector, respectively.
- The relays are controlled through
EN_CH1
,EN_CH2
,EN_CH3
,EN_CH4
pins, respectively. High enables (>=3.3V) the relays, and low disables the relays. CH1
andCH2
are connected outside the PCB throughBNC
connectors. TheSMA
connectors.SHIELD
is connected outside the PCB throughBNC
connectors.
- The board is powered by 5V through
-
Power supply
: this is used to power the high-voltage amplifier module and charge the smartphone (if enable charging the phone feature). We use Keithley 2231A-30-3 Triple-channel DC Power Supply. -
Metal sheet
: to be connected to theEARTH
of the wall outlet. This is used to build the true ground plane for converting the noise from differential mode to common mode. We use this one for this project.
Please refer to the example usage code in PowerTouch/example_usage_code
folder for details.
If you use this framework for your research, please cite our ICCAD'22 paper:
@inproceedings{zhu2022powertouch,
title={PowerTouch: A Security Objective-Guided Automation Framework for Generating Wired Ghost Touch Attacks on Touchscreens},
author={Zhu, Huifeng and Yu, Zhiyuan and Cao, Weidong and Zhang, Ning and Zhang, Xuan},
booktitle={Proceedings of the 41st IEEE/ACM International Conference on Computer-Aided Design},
pages={1--9},
year={2022}
}
If you have any questions regarding using this framework, please feel free to contact us at zhuhuifeng@wustl.edu.
- To be updated
- 0.1
- Initial Release
This framework is licensed under the GNU3
License - see the LICENSE.md file for details