Framing Attacks on Smart Phones and Dumb Routers: Tap-Jacking and Geo-Localization Attacks

While many popular web sites on the Internet use frame busting to defend against clickjacking, very few mobile sites use frame busting. Similarly, few embedded web sites such as those used on home routers use frame busting. In this paper the authors show that framing attacks on mobile sites and home routers can have devastating effects. They develop a new attack called tap-jacking that uses features of mobile browsers to implement a strong clickjacking attack on phones. Tap-jacking on a phone is more powerful than traditional clickjacking attacks on desktop browsers. For home routers they show that framing attacks can result in theft of the wifi WPA secret key and a precise geolocalization of the wifi network.