A. Capacitive Touchscreens

There are two types of capacitive touchscreens which are widely used [13], self-capacitance touchscreens and mutual capacitance touchscreens, shown in Fig. 2a and Fig. 2b respectively. The $\Delta C$ represents the capacitance change in the presence of a human finger. When $\Delta C$ is sensed, a touch event is recognized [14].

The self-capacitance touchscreen has a disadvantage because it cannot recognize diagonal touches. In consumer electronics, the ability to sense multi-touch events is beneficial. In contrast, the mutual capacitance touchscreen can sense several simultaneous touches [13]. Therefore, the mutual capacitance touchscreen is more popular in consumer electronics [15]. In this paper, we mainly discuss the mutual capacitance touchscreen although our attack method can also be applied to the self-capacitance touchscreen without loss of generality.

Fig. 2:

Electrode sensors in capacitance touchscreens: (a) self-capacitance screen; (b) mutual capacitance screen.

Show All

B. Mutual Capacitance Touchscreen

Fig. 3:

A typical structure of a mutual capacitance touchscreen sensing system.

Show All

A typical structure of a mutual capacitance touch screen system is shown in Fig. 3. The system consists of transmitter (Tx) and receiver (Rx) electrodes as well as a capacitance to digital converter (CDC) chip. In the CDC chip, the capacitance between the electrodes is measured with a charge transfer (QT) sensor. The circuit topology of a QT sensor with an integrator is shown in Fig. 4. The QT sensor converts the measured capacitance to an analog voltage signal that is then converted to a digital signal by an analog to digital converter (ADC). A microprocessor will read in and process the converted digital signal.

Fig. 4:

Typical charge transfer circuit topology.

Show All

During normal operation, the microprocessor controls three switches, S₁, S₂, and S₃ (see Fig. 4). Fig. 5 gives an example of how the control signals are switched periodically. When the switch S₁ is closed, S₃ resets C_s and the excitation signal V_in charges the mutual capacitance C_M. During this charging period, the switches S₂ and S₃ are open and the voltage V_c across C_M is calculated as follows.

View Source\begin{equation*}V_{c}=V_{in}\cdot\left(1-e^{-\frac{1}{R_{in}C_{M}}t}\right) \tag{1}\end{equation*}

After C_M is charged, S₁ is opened and S₂ is closed. The charge stored in C_M will be transferred to C_s. Assuming an ideal op-amp, the current flow through C_M and C_s are equal. The current can be calculated in (2) or (3).

View Source\begin{equation*}I_{c}=-C_{M}\displaystyle \frac{dV_{c}}{dt} \tag{2}\end{equation*}

View Source\begin{equation*}I_{c}=-C_{s}\displaystyle \frac{dV_{o}}{dt} \tag{3}\end{equation*}

By solving and integrating (2) and (3) simultaneously over the time with initial conditions, the output voltage V_o is derived in (4).

View Source\begin{equation*}V_{o}=-\displaystyle \frac{C_{M}}{C_{s}}V_{c} \tag{4}\end{equation*}

Based on (4), the mutual capacitance C_M can be calculated from V_o. When the sensing period is completed, at the beginning of the next period, C_s is discharged by closing S₃.

When a touch event occurs, C_M is changed by $\triangle C$ due to the presence of a human finger. This change can be either positive or negative [16] depending on human impedance variations [17]. The output voltage can be calculated as follows when the touch event occurs.

View Source\begin{equation*}V_{oT}=-\displaystyle \frac{(C_{M}\pm\triangle C)}{C_{s}}V_{C}=V_{O}+V_{T} \tag{5}\end{equation*}

where V_T is the output voltage variation and is calculated as follows.

View Source\begin{equation*}V_{T}=\displaystyle \pm\frac{\triangle C}{C_{s}}V_{c} \tag{6}\end{equation*}

A touch event is recognized if the following criterion is met.

View Source\begin{equation*}|V_{T}|\geq V_{th} \tag{7}\end{equation*}

where V_th is the threshold voltage.

The sensing strategy in Fig. 5 senses and compares the output voltage to every cycle’s threshold voltage. In many applications, a multi-cycle sensing strategy is usually used to get a more accurate result for each touch event by measuring V_o and V_T multiple times. In a multi-cycle sensing strategy, C_s is reset every N cycles. In this way, V_o and V_T are the sum of the voltages in N cycles. The touch recognition criterion in (7) in this case is as follows.

View Source\begin{equation*}|\displaystyle \sum V_{T}|\geq V_{thN} \tag{8}\end{equation*}

where V_thN is the threshold voltage defined for the N cycle sensing strategy. If the voltage variations in these cycles are the same, then we have $\displaystyle \sum V_{T}=N\cdot V_{T}$.

Based on (1)–​(8), the $\triangle C$ between every pair of electrodes can be measured by QT sensors. The locations of the electrodes represent the touchable locations on the touchscreen.

Fig. 5:

Control signals of the switches S₁, S₂, and S₃.

Show All

A. IEMI Attack Intuition

From Section II, we learned that a touch event is sensed if the output voltage variation, V_T, is larger than the threshold voltage, V_th. Therefore, a ghost touch event can be induced when a radiated IEMI signal causes V_o to exceed the threshold voltage, which allows attackers to control the device without physically touching the screen.

B. Generating a Targeted Radiated IEMI Signal

There are multiple ways to generate the radiated IEMI signal. A simple and straightforward method is to generate an electric field using two electrode plates that are facing each other. It is also possible to generate the electric field with phased antenna arrays where the direction of the IEMI is controlled by the array factor. The third method is to leverage directional antennas, such as Log-periodic antennas or Yagi-Uda [18] antennas.

Based on our attacking principle analysis later in this paper, electrodes (near-field antenna) are more suitable for existing smart touchscreen enabled electronic devices, therefore, our work focuses on an electrode-based IEMI attack and we will show that only one electrode is enough to perform an attack. For convenience, we simply call an electrode (a near-field antenna) as an antenna in later analysis.

C. Effect of Radiated IEMI on a Touchscreen

Fig. 6 depicts the electric field (referred to as E field hereafter) interference due to an external E field on a touchscreen, and its effect on the equivalent QT sensor circuit. The presence of an external E field induces a displacement current that flows through and adds or removes charge from the mutual capacitance touchscreen electrodes. Note that V_o of the QT sensor depends on the total charge stored in the mutual capacitance C_M. Thus, the measured output voltage variation V_T is controlled by the targeted E field and can induce ghost touches.

Fig. 6:

Illustration of the E field interference: (a) E field on touchscreen electrodes and (b) equivalent circuit of QT Sensor.

Show All

D. Relationship of IEMI E Field Strength and Touchscreen Attack

To introduce a touch event with an IEMI attack, the E field strength needs to meet certain requirements. The E field interference on a touchscreen is shown in Fig. 6a. The critical E field that is required to cause a ghost touch is defined as E_crit and can be calculated as follows. The detailed derivation process can be found in Appendix C.

We assume V_Tn is the output voltage variation caused by the IEMI noise. To generate the ghost touch, we need to fulfill the following requirement, i.e.,

View Source\begin{equation*}|V_{Tn}|\displaystyle \geq|V_{T}|=\frac{\triangle C}{C_{s}}V_{c}=\frac{Q_{t}}{C_{s}} \tag{9}\end{equation*}

where $Q_{t}=\triangle C\cdot V_{c}$, representing the charge change caused by the real touch. Solving (C-13), (C-15) and (9) simultaneously,

View Source\begin{equation*}E_{crit}=\displaystyle \frac{Q_{t}}{\varepsilon_{0}\cdot\varepsilon_{r}\cdot A} \tag{10}\end{equation*}

Based on (10), if E_Z is larger than E_crit, a ghost touch is successfully generated.

Simulation Validation of Touchscreen Response to Radiated IEMI: Fig. 7a and 7b show the simulated V_o of a single QT sensor under a finger touch and IEMI attack based on the developed model, respectively. For this simulation, switches $S1- S3$ are controlled with 100kHz signals as shown in Fig. 5. All simulation parameters are listed in Table I. The touch event is simulated using a positive 0.5 pF capacitance change. The IEMI signal is simulated using a noise voltage source V_n at the input of the QT sensor. V_th is set to 2.75 V. To cause a ghost touch, V_n should meet the requirement in 11.

View Source\begin{equation*}V_{n}\displaystyle \geq V_{in}\cdot\frac{\triangle C}{C_{M}} \tag{11}\end{equation*}

Fig. 7:

Simulated output voltage of a QT sensor: (a) output voltage with a finger touch and (b) output voltage under IEMI with the critical E field strength.

Show All

As shown in Fig. 7a, V_o changes when there is a finger touch due to the change in capacitance. Once V_o exceeds V_th, a touch event is recognized. Under the simulated IEMI attack (shown in Fig. 7b), V_o exceeds V_th even when there is no touch. This validates our QT sensor model analysis, and motivates our subsequent experiments for generating ghost touch events in real scenarios.

Table I QT Sensor Simulation Parameters

E. Relationship of IEMI Frequencies and a Successful Attack

From Section IV-D, we know that the E field strength will, in part, decide the IEMI attack effectiveness. Nevertheless, as shown in previous work [19], the frequency of the interfering signal also plays a critical role. Therefore, we conduct the following analysis to first reveal the relationship of IEMI frequencies and a successful IEMI attack. Fig. 6b shows the voltage source V_n which is the input voltage of the QT sensor due to the IEMI attack. Based on the superposition theory, we can derive the equivalent circuit of a QT sensor under an IEMI attack where only the noise source V_n is considered (see Fig. 8a). R_s is ignored since it is much smaller than the impedance of C_M.

Fig. 8:

(a) Equivalent circuit of a QT sensor in a touchsreen controller and (b) S₂ control signal and I_n waveforms.

Show All

The mathematical calculation of the minimum IEMI interference that can cause a ghost touch event is thoroughly explained in Appendix B. The calculation gives us the lower boundary of IEMI attacks. In real attacks, we would like to maximize the IEMI interference. A similar calculation process also applies. The maximum interference can be achieved if one of the following two conditions is met.

• Condition 1: The phase angle is $\displaystyle \varphi_{0}=\frac{3\pi}{2}$ and the frequency of the IEMI signal satisfies (B-9) and (12) simultaneously.

  $$\begin{equation*}f_{E}=\frac{f_{sw}}{4D_{s}}+\frac{kf_{sw}}{D_{s}}\quad k=0,1,2,3,\ldots \tag{12}\end{equation*}$$ View Source\begin{equation*}f_{E}=\frac{f_{sw}}{4D_{s}}+\frac{kf_{sw}}{D_{s}}\quad k=0,1,2,3,\ldots \tag{12}\end{equation*}

• Condition 2: The phase angle is $\displaystyle \varphi_{0}=\frac{\pi}{2}$ and the frequency of the IEMI signal satisfies (B-9) and (13) simultaneously.

  $$\begin{equation*}f_{E}=\frac{3f_{sw}}{4D_{s}}+\frac{kf_{sw}}{D_{s}}\quad k=0,1,2,3,\ldots \tag{13}\end{equation*}$$ View Source\begin{equation*}f_{E}=\frac{3f_{sw}}{4D_{s}}+\frac{kf_{sw}}{D_{s}}\quad k=0,1,2,3,\ldots \tag{13}\end{equation*}

As we will show in Section V-D, by conducting several experiments with a Chromebook equipped with a touchscreen diagnostic data collection program, we confirm our developed theory by identifying various frequencies at which ghost touches are caused at the required minimum E field. The impact of $\varphi 0$ is minimized by finding the worst case in multiple measurements at each frequency.

A. Experimental Setup

As a proof-of-concept, we generate radiated IEMI using electrode plates placed on opposite sides of our target device. A signal generator (RIGOL DS 1052E) and an RF power amplifier (Amplifier Research 25A250A) are used to generate the desired voltage. The output of the RF amplifier is monitored by an oscilloscope (RIGOL MSO4054). The touchscreen of a Chromebook laptop is used as the target. This laptop is installed with Touch Firmware Tests [20] developed by the Chromium Project. This program records all of the touched positions recognized by the touchscreen controller during the test. The recorded data is collected by an external device over Wi-Fi. A test report is also generated that lists all touched locations during the testing period. During the test, the Chromebook is disconnected from the adapter and placed on a non-conductive surface 70 cm above the ground to avoid undesired EMI noise.

B. IEMI Generation

The E field parameters are selected based on our calculations in Section IV-E. Fig. 9 shows the placement of the two electrode plates. Plate 1 is an 8 mm x8 mm copper plate taped on the front of the touchscreen. Plate 2 is a 150 mm x150 mm copper plate taped on the back of the touchscreen. The distances d between each plate and the touchscreen are both 10 mm (see Fig. 9a). A non-conductive foam sheet is inserted between the plates and the touchscreen for mechanical support. The thickness t of the touchscreen itself is 5 mm. The dielectric constant of the foam sheet is in the range of 1.8 - 3 [21]. To simplify the calculation of E field strength, E_z, we use the following equation based on V_E, the voltage across the plates.

View Source\begin{equation*}E_{z}=\displaystyle \frac{V_{E}}{2d+t} \tag{14}\end{equation*}

Further, to validate the accuracy of (14), we compare our calculated results with simulation results using Ansys HFSS [22]. Note that the simulation reflects the real configuration by considering the foam sheet and the plate sizes. The HFSS uses finite element analysis to solve Maxwell’s equation, thereby providing accurate calculation results.

Fig. 9b shows the simulated E field on the touchscreen caused by the two plates when $V_{E}=15V$. We found that the magnitude of the simulated E field is approximately equal to the calculated results using (14), which indicates that the simplified (14) is a good estimate for the generated E field strength. Hereafter, we will rely on (14) to derive the V_E based on the required E_z.

Fig. 9:

Electric field simulation: (a) cross-sectional view and (b) simulated electric field on the surface of the touchscreen.

Show All

C. Evaluation of E Field Strength IEMI on Touchscreen Behavior to Validate Our Theory

To exclude possible interference from the electrode plates affecting the touchscreen functionality, we first do not apply voltage to the electrode plates and collect touchscreen diagnostic data by drawing a random pattern on the touchscreen with a finger. This confirms that the touchscreen functions normally.

Stationary IEMI attack: Once we confirm the electrodes themselves have no impact on the touchscreen, we calculate the required V_E for an IEMI attack. We collect parameters for a typical touchscreen from [13]. The minimum detectable capacitance change $\triangle C$ is 0.1 pF and the touchscreen controller excitation signal V_in is 5 V. We also incorporate the overlap area 8mm×8mm due to the electrode. From (10), we have $E_{crit}=883V/m$. Following (14), the corresponding V_E is calculated as 22 V.

Fig. 10:

Ghost touch under an IEMI attack with (a) 20 V, 140 kHz and (b) 25 V 140 kHz voltage excitation V_E.

Show All

We then set V_E on the signal generator to be a sinusoidal voltage source with a frequency of 140kHz. Instead of applying 22 V directly, the amplitude of V_E is gradually increased until a ghost touch is observed. The process is repeated three times to find the minimum voltage that causes the ghost touch. In our experiment, we do not detect ghost touches when V_E is lower than 20 V. When the voltage is higher than 20 V, however, ghost touches start to appear. As shown in Fig. 10a, a ghost touch is successfully generated at the center of plate 1 when V_E is 20 V. Note that the required minimum V_E for ghost touches is close to our theoretical calculation (i.e., 22 V), showing that our analysis is accurate. When we increase V_E above 20 V, multiple ghost touches are observed. This is because when the voltage is high compared to the minimum V_E, several locations under plate 1 (as opposed to just one) have sufficiently high E field strengths to induce ghost touches. Fig. 10b shows that two ghost touches are generated when V_E is 25 V.

Fig. 11:

Ghost touchpoints with plate 1 moves (a) from left to right and (b) from top to bottom.

Show All

Moving IEMI attack: We have demonstrated that the touchscreen is vulnerable to stationary IEMI sources. We further expand our experiment by moving our electrode plates around to verify if only certain locations on the touchscreen are vulnerable. To account for jitter caused by moving the electrode plates, we increase the applied V_E to 30V/140kHz(E field strength of 1200V/m) to ensure the E field is always higher than E_crit. As shown in Fig. 11a, many ghost touch points are evident when plate 1 moves from left to right. Fig. 11b shows the ghost touch points when plate 1 moves from top to bottom. The results show that all physical locations of the touchscreen are equally vulnerable to an IEMI attack.

D. Evaluation of IEMI Frequencies on Touchscreen Behavior to Validate Our Theory

As we mentioned in Section IV-E, the E field frequency also impacts the IEMI attack in addition to its strength. We therefore conduct several experiments to validate our analysis on calculating the required signal frequencies for a successful IEMI attack.

Sweeping IEMI Attack Frequencies to Validate Our Theory: From [17], [23], we know that the touchscreen system is sensitive to noise in the range of 100 kHz to 1 MHz due to integrated low pass filters in the touch sensing circuit. We sweep the frequency from 10 kHz to 10 MHz to cover the sensitive frequency range using steps of 10 kHz. With each chosen frequency, we tune the voltage applied on the two electrode plates until ghost touches are detected. If the generated E field exceeds 3000V/m and there is still no ghost touches detected, then we claim that the selected E field frequency cannot generate a ghost touch. We run each test for 5 seconds and after each measurement reboot the Chromebook to reset the touchscreen. The procedure is repeated three times for each frequency. All collected results are plotted in Fig. 12 which shows a complete view of the frequency dependency for successful IEMI attacks. As we can see in this figure, certain excitation frequencies out-perform other frequencies (requires smaller E field strength to trigger ghost touch), which validated our previous theory of IEMI frequencies, see equation (12) and (13).

Fig. 12:

Minimum E field that causes the ghost touch at different frequencies

Show All

Targeted IEMI Attack Frequencies to Validate Our Theory: In Section IV-E, we show that f_sw and D_s determine the minimum/maximum IEMI interference using an E field with frequency f_E. These parameters can be calculated from two adjacent frequencies with the maximum interference (local lowest E_crit). Using the results presented in Fig. 12, we select two adjacent frequency points and derive $f_{sw} =70kHz$ and $D_{s}=0.125$. Based on these calculations, we can then derive all E field frequencies that can cause minimum IEMI interference (denoted as $f_{E\min}$) or maximum IEMI interference (denoted as $f_{E\max}$) using (B-6), (12) and (13). In the frequency range of 100 kHz to 1 MHz$, f_{E\max}$ and $f_{E\min}$ are listed as follows.

View Source\begin{align*} f_{\operatorname{Emax}}=&140 \mathrm{kHz}, 420 \mathrm{kHz}, 700 \mathrm{kHz}, 980 \mathrm{kHz} \\ & f_{\operatorname{Emin}}=560 \mathrm{kHz}, 1120 \mathrm{kHz} \end{align*}

Note that these calculated frequencies match the experimental results shown in Fig. 12. For frequencies other than $f_{E\min}$ and $f_{E\max}$, we can still obverse ghost touches with larger than minimum E field strengths. It is worth noting that the IEMI signal cannot cause any interference at 700 kHz. This is likely caused by internal filters that are in place to avoid undesired interference from internal electronics components at those frequencies. For frequencies higher than 1 MHz, the impact of the sensor circuit’s internal low pass filter and parasitic parameters become more significant [23]. Since this is often proprietary information of touchscreen manufacturers, the experimental results become less consistent with our calculations. When we set the frequency larger than 3.4 MHz, no ghost touches are detected.

A. Experimental Setup

To evaluate how different factors can influence the generation of a ghost touch, we conduct experiments using a similar setup as presented in Section V, except we add a probe positioning system and single-end antenna, as shown in Fig. 14. We use standard SMA-to-SMA coaxial cables which are equipped with a shielding layer to connect the antenna to the RF amplifier to avoid undesired EM signal emission. It is worth mentioning that we use copper needles as antennas for our experiments on the iPad Pro and Surface Pro devices because they provide better resolution due to the more focused E field at the needle tip. As for the smaller devices tested, such as iPhone and Android smart phones, we still use the standard copper plates (4mm x 4mm) antenna setup because it provides a more controllable and small E field due to the presented ground terminal. We attach the copper plate/copper needle to standard SMA connectors as the antenna. A separate copper plate is also used to measure the touchscreen sampling signal for the phone detector which we will elaborate in Section VIII-B.

Fig. 14:

Copper needle antenna and device under test

Show All

B. Experiment Design

To evaluate the precision and success rate of our touchscreen attack across different victim devices (Android, iOS, Windows), we designed our own cross-platform touchscreen gesture collection application with flutter. The application collects tap, double tap, long press, and swiping gestures on the touchscreen. It then reports all detected gestures and their associated time and location to a remote server for subsequent analysis. The application draws a red dot at the center of the test device for target visualization purposes. The application also visualizes the detected gestures on the screen along with coordinates information.

C. Success Rate and Accuracy

With the reported touch event location and timing, we can perform evaluation against the collected data to show both the success rate and accuracy of our attack. During the experiment, we notice that our attack occasionally creates rare random touch events at distant positions due to the non-ideal E field spread and interference from nearby equipment. This is shown in Table III under the QD (X) and QD (Y) columns, where we choose Quartile Deviation (QD) to better evaluate how the generated touch events are focused in a small region. The QD (X) and QD (Y) columns represent how large the generated touch events are distributed along the X axis and Y axis of a test device with respect to pixels. Another benefit of using Quartile Deviation instead of Standard Deviation is that we find if the generated touch event is far away from its intended target, then it will not interfere with the attack chain by, for example, pressing an incorrect button that is adjacent to the correct button. As the result, we believe QD is an appropriate metric to quantify the “actual attack” accuracy. From Table III, we can tell that our attack performs accurately on the iOS device, especially on large touchscreen devices. However, we also noticed that our attack often creates scattered touch events vertically or horizontally. After further investigation, we believe that although our antenna and signal cable is specifically chosen to generate a small, focused interference signal, there are still undesired IEMI signals leaked and the Android test devices are sensitive enough to recognize them as touch events. Note that the ghost touch occurs every time we apply IEMI signal on these Android devices so the ghost touch success rate is 100% but the accuracy is lower than iOS devices.

D. Table Material

As we aforementioned in Section V, the dielectric constant of the table material impacts our attack. To evaluate the performance of our attack using different common table materials, we choose five typical table top samples (solid wood, acrylic, marble, medium density fiberboard/MDF, copper) as the insulation material between antenna and victim device and repeat our experiment. We conduct the experiment with acrylic sheet and our probe positioning system first and then swap the table top sample so that we can still calculate the statistical dispersion for non-transparent table material. The thickness of these table material samples are all 10mm. Table III shows that when non-metal table materials are used, our attack can achieve similar performance with respect to success rate and dispersion. However, the metal table material does not allow us to perform a valid attack due to its high conductivity.

E. Table Thickness

To understand the practicality of our attack, we also evaluate it with respect to success rate and accuracy using different thicknesses of table material. We set the signal generator to sweep mode and each sweep period is set to 1 second, such that the correct interference frequency will be generated every second. The total time of signal generator output lasts 30 seconds. We use our own application to record how many touch events are generated during the test period and where/when they are generated. Using an iPad Pro and acrylic sheets, we conduct the experiments when the thickness of the acrylic sheets is 10mm, 15mm, 20mm. As we can see in Fig. 15, the success rate of our attack is up to 100% when the table thickness is 10mm. The success rate decreases to 76% when the table thickness is 15mm. The success rate eventually drops to 40% when the table thickness is 20mm. In real life, the common table thickness is only 1/2 inch or 5/8 inch based on IKEA [24], Office Depot [25] and Wayfair [26]. Our effective attack distance, 20mm, is larger than the common tabletop thickness.

Table II Success Rate and Accuracy of Touchscreen Attack 270 1000 100% Google Pixel 2 230 1000 100% Oneplus 7 Pro android 11 295 800 100%

Table III Touchscreen Attack with Different Table Materials

Fig. 15:

Generated touch event on iPad Pro with different table thickness.

Show All

F. Interference Between Antennas

In our experiments, we design and use an antenna array to generate multiple touch events at different locations. However, if we need sequential touch events, only one antenna will be applied with an excitation signal at a certain time and other antennas should be kept as either grounded or floated. However, two antennas that are physically close with each other can easily couple with each other and create undesired touch events at random locations and times. To overcome this issue, we employed isolated and shielded signal cables and antennas. All the signal cables that are used to drive the antenna array are standard SMA-to-SMA shielded cables in order to avoid coupling between each other. Furthermore, copper tape is used to cover the antennas to insulate the generated EM field into a small region as shown in Figure 14.

A. Design of an IEMI Antenna

In previous sections, we show how to inject simple tap, long hold, and any direction sweep gestures on touchscreens with a single needle IEMI antenna. The injected touch gestures are located directly in the path of the IEMI antenna. Under a practical scenario, however, the touchscreen device can be randomly placed on the tabletop. A single needle IEMI antenna is therefore insufficient to inject a touch event if not placed directly in its path. We consider two solutions to address this issue. First, the attacker can implement a mechanical system to maneuver the single needle IEMI antenna into the desired location of the victim touchscreen device, then perform an IEMI attack. The attacker can then operate the IEMI antenna to perform complicated drawing gestures by continuously generating the interference signal to meet the attack requirement. While possible, we consider this a less-than-ideal solution due to both the size and noise of the mechanical infrastructure required to freely move a single needle IEMI antenna under a tabletop without being detected. This option would therefore require significant effort and cost to ensure a stealthy design. We therefore opt for implementing a static antenna array to reduce the associated engineering and practical issues mentioned above. A modular antenna array allows us to configure the way it is attached, so that we can increase the density of IEMI antennas for a smaller target device without changing the hardware design. In addition to the antenna array, we implement an IEMI channel controller that can independently control up to 64 IEMI antennas using programmable reed relays. The size of the designed IEMI channel controller and antenna array are smaller enough to squeeze into a shoe box. The needles of the antenna array are inserted into foam to support and protect the fragile hardware. The size of the array is 24cm x 17cm, and the distances between the antennas vary between 2cm and 7mm to meet the density requirements for different sizes of target touchscreen devices.

B. The Screen Locators

As we have mentioned in Section II-A, a touchscreen sensing system consists of a grid of TX and RX electrodes. The TX electrodes generate varied excitation signals on different lines while the intersecting RX electrodes sense the physical variations to determine the touch points. Our experiments found that antennas placed near the screen can easily pick up these TX signals. Such signals contain patterns that can tell us at which TX lines the antennas are pointing. Besides, when an antenna is placed perpendicular to the screen, only the pointed TX electrode produces the strongest signals, while nearby electrodes have little impact on the received signals. Hence, the signal received by an antenna can be used to identify the pointed-at location with high spatial resolution. For example, a significant signal strength degradation can be observed when two antennas are placed on both sides of a screen boundary. This feature allows us to accurately detect the screen boundary location with an error of less than 1 cm.

Various driving methods can be used to generate the TX signals. Among all examined devices, we observed two methods being used. The sequential driving method (SDM) is usually implemented to excite the electrodes in turn. As a result, the electrode location can be identified by checking when a TX signal appears. Fig. 16a shows EM traces collected on four different rows of a Google Pixel 2. We can observe the linear relationship between the rows and the appearing time of TX signals. The orientation and location for this kind of screen can be quickly recovered using a simple linear function. Besides the sequential driving method, we found the parallel driving method (PDM) to be a more frequently implemented technique on most of the latest devices, which uses orthogonal codes to drive all TX signals concurrently. Fig. 16b shows EM traces collected on four different columns of an iPhone 11 Pro. As we can see, instead of generating signals with the same patterns sequentially, different electrodes produce signals with varied patterns simultaneously. In this case, recovering the location information is more challenging because of the less straightforward correlations between signals and screen locations. However, we can still successfully recover the screen location information using these TX signals with the technique described below.

Fig. 16:

TX signals on screens with different driving methods

Show All

Our technique consists of three steps: feature extraction, classifier training, and location prediction. As shown in Fig. 16b, the boundaries between two code bits can be identified, which allows us to segment the signals corresponding to each code bit. For each segment, we can compute descriptive features for a code bit, which can be the phase, the magnitude, or the frequency, depending on the specific encoding schemes used by the screen. Then, we can derive a feature vector for each TX signal by concatenating these features. Afterward, we can train a classifier with enough feature vector and location pairs. This classifier can identify the screen location using the signal collected at an unknown location.

We can identify different TX electrodes in different lines using this technique, but we can not distinguish different locations on the same TX electrode. Expressed differently, for any antenna with a known antenna coordinate $(x_{\mathrm{a}\mathrm{n}\mathrm{C}\mathrm{e}\mathrm{n}\mathrm{n}\mathrm{a}},\ y_{\mathrm{a}\mathrm{n}\mathrm{C}\mathrm{e}\mathrm{n}\mathrm{n}\mathrm{a}})$, we can obtain a single dimension screen coordinate, which may be $x_{\mathrm{s}\mathrm{c}\mathrm{r}\mathrm{e}\mathrm{e}\mathrm{n}}$ or $y_{\mathrm{s}\mathrm{c}\mathrm{r}\mathrm{e}\mathrm{e}\mathrm{n}}$. To determine the other dimension, we also need to know at least one antenna coordinate mapped to the screen boundary to tell us the unknown dimension. As mentioned above, the screen boundary can be accurately located by looking for significant signal strength degradation between two adjacent antennas. With enough antenna coordinate and screen coordinate pairs, we can derive the mapping between them. The mapping between $(x_{\mathrm{s}\mathrm{c}\mathrm{r}\mathrm{e}\mathrm{e}\mathrm{n}},\ y_{\mathrm{s}\mathrm{c}\mathrm{r}\mathrm{e}\mathrm{e}\mathrm{n}})$ and $(x_{\mathrm{a}\mathrm{n}\mathrm{C}\mathrm{e}\mathrm{n}\mathrm{n}\mathrm{a}},\ y_{\mathrm{a}\mathrm{n}\mathrm{C}\mathrm{e}\mathrm{n}\mathrm{n}\mathrm{a}})$ can be seen as a rotation followed by a translation as described in Equation 15, where $\theta$ represents the rotation while x_t and y_t represent the translation. After solving this equation, we can use this transformation matrix to select the closest antenna to inject the error for any target screen location.

View Source\begin{equation*}\begin{bmatrix}x_{\text{screen}}\\y_{\text{screen}}\\1\end{bmatrix}=\begin{bmatrix}\cos(\theta)& -\sin(\theta)& x_{t}\\\sin(\theta)& \cos(\theta)& y_{t}\\0& 0& 1\end{bmatrix}\begin{bmatrix}x_{\text{antenna}}\\y_{\text{antenna}}\\1\end{bmatrix} \tag{15}\end{equation*}

To better demonstrate how the screen locator works, we use an iPad Pro as an example. From a TX signal on the iPad Pro, we can obtain a feature vector with 48 feature values using the magnitude of sinusoidal signals in each segment, which is correlated to the row number on screen. Signals are collected from the bottom row to the top row with a step of 1cm. On each row, signals are collected at 12 different columns. These signals are used to train a k-nearest neighbors (KNN) classifier. In the evaluations, we first use signals collected from 7 antennas in a small area to detect the location and orientation of the tested iPad Pro. Fig. 17a shows the detection results. The predicted location is pretty close to the actual location, with maximum prediction error being 0.8cm. Furthermore, if we use 5 more antennas to collect signals in a larger area, the prediction result matches perfectly with the actual location.

We tested our screen locator on 5 devices listed in Table IV. We list the driving methods used by these devices, the sample rate we use to collect the data, the average prediction error, and the average computation time. Note that for screens using SDM, the location is computed using the time stamp read from an oscilloscope.

Fig. 17:

Screen location detection results of iPad Pro

Show All

Table IV Screen Location Detection Results

C. The Touch Event Detectors

To perform an attack which requires several touch events to complete, it is important to know whether the current touch event injection is successful before proceeding to inject the next touch event at a different location. In certain cases injection of a successful touch event may take more time than expected. As introduced in Section XI, there are multiple techniques to detect the current screen content out of sight. However, these techniques can be difficult to use without significant effort. In our work, instead of detecting if we have altered the screen content as desired, we detect if our last touch event injection was successfully applied on the screen. The key behind such detection is the active scanning mechanism used by modern touchscreen controllers [27]. To achieve balance between the power efficiency and scanning accuracy, touchscreen controllers perform reduced scanning to preserve the power. Once a touch event is detected on the touchscreen, the controller changes the scanning mode from reduced scan to full scan to measure the touched location more accurately. If there are no more touch events detected, the controller switches back to reduced scan mode automatically. Although we do not have a datasheet for a commercial touchscreen controller, using our IEMI antenna we observed similar behavior on all tested touchscreen devices. More importantly, if the touch event is successfully injected on a target device and recognized by the operating system, the touchscreen controller takes a longer time to switch back to reduced scan mode. As shown in Figure 18a, the iPad Pro emits a sparse scanning signal with 120Hz frequency when no finger or IEMI signal is present. Figure 18b shows how the touchscreen switches from full scan mode back to reduced scan mode after we turn off our IEMI signal. We can also see the touchscreen recognizes our IEMI signal as a touch event but eliminates it due to the wrong interference frequency. In Figure 18c, we apply a correct IEMI signal and successfully trigger a touch event on screen. The time that the controller takes to switch back to reduced scan mode is discernibly longer compared to the previous experiment. Such phenomena is stable and is exhibited on all our tested devices. Using this technique, we examine the collected touchscreen emission signal right before we turn off the IEMI attack and detect if any touch event was injected in the previous attempt. Our experimental results show that this approach works every time on our three main test devices (iPad Pro, iPhone 11 Pro and Oneplus 7 Pro). The touch event detector is implemented as a dedicated IEMI antenna which connects to an oscilloscope.

Fig. 18:

Emission signal from iPad Pro (a) reduced scan. (b) failed IEMI attack. (c) successful IEMI attack.

Show All

A. The Attack Setup

With our antenna array, phone locator and touch event detector in place as shown in Figure 19, we are ready to conduct an actual attack that mimics practical scenarios. We tape our antenna array under the left-bottom corner of an experimental bench made of MDF with a table thickness of 15mm. A laptop is placed at the left side of the table outside of the detect/attack range of our antenna array. During the experiment, we ask “the victim”, who has no prior knowledge of the exact location of our antenna array, to sit in front of our experimental bench and put our unlocked test target device facing down. We then use our phone locator to infer the current position and orientation of our target device, perform the attack vectors and monitor the injected touch events. Note that we do not ask “the victim” to use their own devices as we may alter or leak private content of the target device during the experiments.

B. Attack Evaluation

To evaluate the setup in a practical scenario, we choose three different touchscreen devices as our target devices: 1) an iPad Pro 2020; 2) an iPhone 11 Pro; and 3) a Oneplus 7 Pro. These three devices are pre-installed with our touch event detection application and remotely mirror their current display onto another monitor. Note that this application is only installed to better illustrate the injected touch events during the experiment. Attackers can perform a similar attack without installing the application ahead-of-time. The test device is unlocked and randomly placed on our antenna array with different angles and orientations as described above. We first use the antenna array to capture and analyze the emitted signal from the target device to predict its current position and orientation. We have found in our experiments that our phone locator program typically needs 4 antennas at different locations to infer the phone location within 3 seconds with a sampling rate of 1M/s. Once we have the precise location of the target device, we switch the antenna array from monitor mode to attack mode by switching the corresponding relays. We choose the appropriate interference frequency and amplitudes based on the target phone model. We then use our attack setup to launch two different type of attacks against the touchscreen devices under test using either a precise touch event injection or sequence of touch events at different locations as needed.

Fig. 19:

Attack setup for precision evaluation

Show All

Fig. 20:

Attack setup with actual table (a) attack setup on the table (b) antenna array attached to the table.

Show All

Leveraging Siri on iOS devices Installing unauthorized applications on an iOS device can be difficult due to strict iOS application distribution. Instead, we leverage our touch event injection attack to abuse Apple’s accessory discovery mechanism to perform data exfiltration. An iOS device automatically finds nearby unpaired Apple accessories, such as Airpods headphones. Once these devices are found, a notification pops up and asks the user if the device should pair and connect. The notification issues a Connect request that prompts the user to grant access. To connect with the device the user only needs to tap the Connect button without further action. Once connected, the user can directly uses the Airpods to wake up and interact with Siri, the voice assistance on Apple devices. The Connect request notification is always displayed at a fixed location. In our experiments, we find the size of the Connect button is approximately 5.5 cm by 1 cm. The confirmation button occupies roughly 2/3 of the screen width on an iPhone Pro 11 which makes it easier to attack. On the contrary, the size of this button on an iPad Pro is much smaller compared to the size of the screen. However, our attack is still feasible on the iPad Pro due to its accuracy (see Section VII and Table II). We first conduct an experiment to validate the possibility of such an attack on a randomly placed iPhone 11 Pro and iPad Pro 2020 using unpaired Airpods. After successfully pairing with the Airpods we wake up Siri to read out the new messages of the victim devices. To further evaluate the success rate of our attack on iOS devices, we use our touch event application to draw a square space of the same size as the confirmation button. We randomly place the victim device on our antenna array and repeat the process of sensing/attack/detection and then evaluate if the injected touch events falls into the intended region. Our attack works 6 out of 10 times on iPad Pro with an no more than 12 seconds of attack time and works 9 out of 10 times on an iPhone 11 Pro with no more than 9 seconds of attack time. The random placement of test devices outside the range of our antenna array are not included in the metric calculation. During the experimentation, we find that the main point of failure for an attack on an iPad Pro is that the distance between our IEMI antennas is too large to have at least one IEMI antenna placed on top of the confirmation button. The current configuration of number of IEMI antennas and the distance between IEMI antennas is a tradeoff between antenna array coverage and antenna density that should be selected based on the target device screen size.

Installing malicious applications on Android devices To attack Android based touchscreen devices, we use our IEMI to inject multiple touch events at different screen locations. More specifically, we assume the attacker knows the phone number of the victim device and sends it a message which contains the link of a malicious application. To install the malicious application, we need to generate 5 distinct touch events in sequence at different locations, including a tap on the notification of new message (1 large clickable area), choose action for link (2 buttons in a row, open link/copy text), allow saving the APK file (2 adjacent buttons), install the APK file after downloading (1 button), and finally open the APK after installation (2 adjacent buttons). We use a Oneplus 7 Pro to evaluate this attack. We first measure the location and orientation of the victim device. We then initiate the attack by sending a message containing the download link of designated application. Once the message is sent, we use one IEMI antenna that points to the middle of the screen and two IEMI antennas at the bottom part of the screen to inject the five touch events in sequence. Each individual touch event is evaluated with our touch event detector before moving on to the next touch event. We conducted 10 experiments with different cellphone locations. We achieved three successful attacks with our setup. Using the mirrored display, we find that most of the failed attempts were due to incorrectly inducing a touch event on adjacent buttons. For example, the injected touch event incorrectly presses the CANCEL button and causes the entire attack to immediately fail. We believe a better designed IEMI antenna would allow us to focus the generated E field on a smaller attack area, thereby making our attack more robust.

Fig. 21:

Attack scenarios on different type of target devices (a) Apple headphone connection on iOS devices (b) malicious message on Android devices.

Show All

C. Attack Vectors with Human Operation

In the previous section, we presented the design of a static antenna array and how it can be use to perform security oriented attacks on multiple devices in several real scenarios. Although the antenna array is easy to build and use, more powerful attacks can be carried out if the attacker has both access and the ability to use a programmable mechanical system with our touch event injection techniques, such as a miniature 3D printer [28] or robotic arm [29] commonly used in side channel analysis research. In this case, our IEMI antenna more closely mimics the presence of a human finger and the mechanical system mimics a human arm. To illustrate the capabilities of our attack in this setting, we opt to manually maneuver our IEMI antennas to simulate the attack with the mechanical system. With the short-tap, press-and-hold and continuous omni-directional-swipe we achieve the following security oriented attack outcomes. We believe these attacks are feasible and practical to implement for a motivated attacker.

Send Message (Short-Tap) With the short tap, we can send a specific message to a recipient. In practice, such capabilities can be abused to reply with confirmation messages when banks request text verification for suspicious credit card transactions. In our experiment, we move our IEMI antenna to generate short-tap touch events on top of the letters “Y, E, S” and the enter position to send a confirmation message. The experiment is conducted on an iPhone 11 Pro and a successful operation takes less than 10 seconds.

Send Money (Press-and-Hold) A typical use case of press-and-hold on iOS is providing shortcuts for certain functionalities with minimum user interaction. For instance, Paypal allows iOS users to hold-and-press the application icon to activate and send money by showing the QR code without actually launching the application. We continuously apply our interference signal on an iPad pro and point the IEMI antenna toward the Paypal application to trigger this feature and evaluate the feasibility of such an attack. We then move the antenna down to press on the “Send Money” option and then turn off the interference signal to show the send money QR code. We successfully launched this attack 7 out of 10 times at an attack distance of 10mm. The completion time for every iteration of the attack was within 5 seconds. We found that human error, accidentally increasing the attack distance while holding the antenna, was the reason for failed attack attempts.

Unlock Gesture Lock Screen (Omni-Directional-Swipe) A significant achievement of our work compared to previous approaches is that we can inject omni-directional-swipes with a controllable duration. As we show in our video demonstration where we draw a Figure with our IEMI antenna, if the attacker can control the location of the IEMI antenna a gesture lock screen unlock attack can be performed. We evaluate the feasibility by trying to unlock a gesture lock protected application on an iPad Pro. The gesture lock we setup has the shape of “Z” which includes 7 points at three different rows and columns. This attack was successful 3 out of 5 times at an attack distance of 10mm. The completion time for every iteration of the attack was similarly within 5 seconds. The total travel distance of the IEMI antenna was 14 cm.

A. IEMI Attacks

IEMI attacks have been applied to different devices and systems, including medical devices [33], smart phones [34], [35], embedded systems [36], [37], [38], autonomous vehicles [39], [40], etc.

Among these attacks, Delsing et al. [38] examined the effects of an IEMI attack on sensor networks and revealed the susceptibility of sensor networks to high frequency (in GHz range) IEMI. Selvaraj et al. [36] further expanded this attack and demonstrated that small circuits (i.e., embedded systems) are vulnerable to low frequency IEMI with proper coupling. Kennedy et al. also studied how IEMI can be used to create interference on the analog voltage input port of an Analog to Digital Converter [37].

Kune et al. conducted comprehensive analysis of IEMI attacks against analog sensors and demonstrated IEMI attacks on cardiac medical devices by remotely injecting forged signals [33] that cause pacing inhibition and defibrillation. In this paper, the authors also demonstrated how to inject audio signals on microphones remotely and proposed digital mitigations to verify and clean the input signal. Kasmi and Esteves [34], [35] exploited the voice assistant on smart phones to perform remote inaudible command injection attacks against smartphone headphone cables using fine tuned EM signals.

B. Touchscreen Attacks

Various attacks targeting touchscreens have been presented in the past. These attacks are primarily focused on passive information exfiltration, e.g., displayed content, via different carriers including microphone [8], EM [7] or mmWave signal [9]. In addition, only two papers [11], [12] are published to perform active touchscreen attack using IEMI. Maruyama et al. [11] presented Tap’n Ghost, a new class of active attack against capacitive touchscreens, which leverages an injected noise signal and programmed NFC tag to force a victim mobile device to perform unintended operations. However, this attack can only be conducted along with user touches due to the skewed spatial distribution. On the contrary, our touchscreen IEMI attack can cause intentional ghost touches on a capacitive touchscreen without any user interaction. A recent touchscreen attack, Ghosttouch [12], similarly used EMFI to inject taps and row/column based swipe gestures. Although the attack is more advanced than Tap’n Ghost, it relies on detecting the correct driving signal from the touchscreen and synchronizing it with IEMI signal to induce accurate touch events. However, we find that the driving mechanism is significantly different on different smartphones, which makes the attack less feasible in a real attack scenario. As shown in Appendix Figure A-1, the measured driving signal from five different touchscreen devices are entirely different. The Nexus 5X smartphone used in Ghosttouch shows a clear synchronization pattern. On the other hand, other smartphones use a parallel driving mechanism which is difficult to synchronize with. Ghosttouch works well on sequential driving based touchscreens. Unfortunately this is no longer a popular option for the most recently released touchscreens. Furthermore, Ghosttouch is limited to either column or row based swipe gestures due to the synchronization. Our attack does not need to perform synchronization, nor rely on a specific type of driving mechanism to inject stable short-tap, long-press, and omni-directional-swipe touch events to realize practical attacks.

As we explained in Section VIII-B, there are two type of scanning mechanism mainly used by modern touchscreen, sequential driving method and parallel driving method. As shown in Ghosttouch [12], this most recent touchscreen attack relies on the synchronization of sequential driving signal to precisely inject touch events. However, such approach limits the attack to sequential scanning type touchscreen. As illustrated in Figure A-1, the scanning signal from the test devices we own are significantly different. We further find that latest touchscreen devices commonly use parallel driving method instead, which makes the synchronization based attack no longer feasible. Even with the sequential driving method, different type of touchscreen can show significantly different pattern. On the contrary, our attack does not reply on any particular scanning method of touchscreen to work.

We assume that the electric field generated by the radiated IEMI is sinusoidal. The noise current, In in Fig. 8a, is given as follows.

View Source\begin{equation*}I_{n}=2\pi f_{E}C_{M}V_{n}\cos(2\pi f_{E}\cdot t+\varphi_{0})\tag{B-1}\end{equation*}

where f_E is the E field frequency and $\varphi_{0}$ is the phase between I_n and S₂ control signal in Fig. 8b. The waveforms show the control signal of S₂ and the noise current caused by IEMI in one period. The output voltage variation V_Tn caused by the IEMI can then be calculated as follows.

View Source\begin{equation*}V_{Tn}=-\displaystyle \frac{2\pi f_{EC_{M}V_{n}}}{C_{s}}\int_{0}^{T_{\mathrm{S}}}\cdot\cos(2\pi f_{E}\cdot t+\varphi_{0})dt\tag{B-2}\end{equation*}

where T_s is the sensing time. Following (B-2), the V_Tn at the end of the sensing period can be calculated as follows.

View Source\begin{equation*}V_{Tn}=-\displaystyle \frac{C_{M}V_{n}}{C_{s}} (sin(2\pi f_{E}\cdot T_{s}+\varphi_{0})-sin\ (\varphi_{0}))\tag{B-3}\end{equation*}

During the IEMI injection period, V_Tn is compared to the threshold V_th. The control signal of the QT sensor is a periodical signal whose frequency depends on the system clock frequency. More specifically, the sensing time T_s depends on the QT sensor switching frequency f_sw and the duty cycle D_s.

View Source\begin{equation*}T_{s}=\displaystyle \frac{D_{s}}{f_{sw}}\tag{B-4}\end{equation*}

When we substitute (B-4) to (B-3), we have a more precise way to compute the V_Tn as shown in (B-5).

View Source\begin{equation*}V_{Tn}=-\displaystyle \frac{C_{M}V_{n}}{C_{s}}\left(sin\left(2\pi\cdot D_{s}\cdot\frac{f_{E}}{f_{sw}}+\varphi_{0}\right)-sin\ \left(\varphi_{0}\right)\right)\tag{B-5}\end{equation*}

From (B-5), it is clear that V_Tn depends on the ratio of the IEMI signal frequency over the QT sensor operating frequency. The higher $|V_{Tn}|$ is, the more significant the IEMI impact. Based on this observation, we can conclude that the minimum interference occurs at $f_{E\min}$, which can be calculated as follows.

View Source\begin{equation*}\mid f_{E\min}=\frac{kf_{sw}}{D_{s}}\quad k=0,1,2,3,\ldots\tag{B-6}\end{equation*}

where k is an integer. When $f_{E}=f_{E\min}, V_{Tn}$ in (B-5) is always zero, which indicates that there is no interference. The maximum interference, on the other hand, depends on the frequency of the IEMI signal as well as the phase shift $\varphi_{0}$. With the analysis in Section IV-D, we know that the output voltage of QT sensor is usually compared with the threshold voltage every few clock cycles. So combining (8) and (B-5), the sum of output voltage variation of M cycles, V_TnM, is given as follows.

View Source\begin{equation*}V_{TnM}=-\displaystyle \frac{C_{M}V_{n}}{C_{s}}\sum_{0}^{M}(sin(2\pi f_{E}\cdot T_{s}+\varphi_{M})-sin\ (\varphi_{M}))\tag{B-7}\end{equation*}

where $\varphi_{M}$ can be calculated in (B-8).

View Source\begin{equation*}\displaystyle \varphi_{M}=\varphi_{0}+2\pi M\cdot\frac{f_{E}}{f_{sw}}\tag{B-8}\end{equation*}

Based on (B-7) and (B-8), we can calculate f_E so that the initial phase shift between I_n and S₂ control signal remains constant in each sensing duty cycle (see Fig. 8 (b)). The calculation of f_E is shown below.

View Source\begin{equation*}f_{E}=nf_{sw}\quad n=0,1,2,3,\ldots\tag{B-9}\end{equation*}

A more detailed characterization of the E field interference is presented as follows. In Fig. 6a, E_Z is the z component of the external E field, which generates voltage V_n across the touch screen electrodes. V_n can be calculated in (C-10).

View Source\begin{equation*}V_{n}=\displaystyle \int E_{Z}\cdot dl=E_{Z}\cdot d\tag{C-10}\end{equation*}

where d is the distance between the electrodes. The charges $(Q_{n})$ caused by the external E field can be derived as follows.

View Source\begin{equation*}Q_{n}=V_{n}\cdot C_{M}\tag{C-11}\end{equation*}

where C_M represents the mutual capacitance between the electrodes. It can be computed in (C-12).

View Source\begin{equation*}C_{M}=\displaystyle \varepsilon_{0}\varepsilon_{r}\frac{A}{d}\tag{C-12}\end{equation*}

Fig. A-1:

Scanning signal of different touchscreen devices (a) iPad Pro 2020 (b) iPhone 11 Pro (c) Oneplus 7 Pro (d) Pixel 2 (e) Nexus 5X

Show All

where $\varepsilon_{0}$ is the permittivity of the free space and $\varepsilon_{r}$ is the relative permittivity of the adhesive layer. A is the overlap area of the electrodes. From (C-10)-​(C-12), we can derive E_Z, the z component of the external E field.

View Source\begin{equation*}E_{Z}=\displaystyle \frac{Q_{n}}{\varepsilon_{0}\cdot\varepsilon_{r}\cdot A}=\frac{V_{n}C_{M}}{\varepsilon_{0}\cdot\varepsilon_{r}\cdot A}\tag{C-13}\end{equation*}

Based on superposition theory, the voltage V_cN which is added to the input of the integrator in Fig. 6b can be computed as follows.

View Source\begin{equation*}V_{cN}=V_{c}+V_{n}\tag{C-14}\end{equation*}

where V_c is the voltage of C_M due to V_in. The output voltage, V_oN, under the external E field’s interference is, therefore, as follows.

View Source\begin{equation*}V_{oN}=-\displaystyle \frac{C_{M}}{C_{s}}(V_{c}+V_{n})=V_{o}+V_{Tn}\tag{C-15}\end{equation*}