Yesterday I discussed the potential risks of NFC technology and how an attacker could ‘eavesdrop’ on NFC signals. Data stolen by intercepting signals could do serious damage, but what if an attacker could actively send signals and command an NFC-enabled phone to do as he pleases? This is exactly what Charlie Miller demonstrated at the Black Hat hacking conference in Las Vegas yesterday.
Miller spent 5 years working for the NSA as a ‘global network exploit analyst’. His job was to break into foreign computer systems, so he definitely knows what he’s talking about. His subject of ire? The NFC feature on Android phones and certain Nokia phones running MeeGo. His talk was aptly named “Don’t stand so close to me: An analysis of the NFC attack surface”, and in it he explained how easy it is for an attacker to target an NFC-enabled smartphone.
The persistent threat
The NFC feature is switched on by default on all the devices that support it. The NFC reader scans an NFC tag and performs the function that the tag is programmed for. Alarmingly, when the device receives a request it DOES NOT ask for the user’s permission to proceed, a fact that exposes the device to a lot of threats.
Miller demonstrated how he could control someone’s Android phone simply by standing close to them and making their device read the NFC tag in his pocket. This tag is about the size of a postage stamp and can be inconspicuously placed anywhere, like a movie poster or a payment terminal. He made the victim’s phone visit a malicious website. He also made the device download malware that exploited a bug in the browser. With the help of this malware he viewed the victim’s cookies and browsing history.
Using a MeeGo-based Nokia N9, he showed how a malicious device can pair with the phone via Bluetooth and the NFC reader even when Bluetooth was switched off. This feature is used to pair the device with NFC-enabled speakers, but the risks are obvious. Once paired, the attacker’s device can command the phone to perform several malicious tasks. A bug in the document reader can also be successfully exploited.
In spite of these threats, there are some consolations for users.
- The NFC reader and the tag need to be in close proximity with each other.
- Devices are protected when the screen is switched off or the phone is locked.
- Android Gingerbread is the most vulnerable to such threats.
- MeeGo is an OS that is not widely used.
- Mobile scanning software can detect when malicious components enter the system or when the device visits a malicious website.
Nevertheless, device makers should ensure that phones do not automatically carry out any request that is specified. They should ask for user permission first. We also recommend that people use their NFC reader sparingly and cautiously.
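The "ask for user permission first" behaviour recommended above can be sketched as follows. This is an added example, not code from Miller's talk or from any phone vendor. It assumes the tag carries a single short NDEF URI record (the NFC Forum data format, which this article does not go into); the `user_confirms` callback and the sample tag bytes are hypothetical and constructed for illustration.

```python
# Added example (not from the talk): gate a tag's URI behind a user prompt.
# Subset of the NFC Forum URI record prefix codes.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

def parse_short_uri_record(data: bytes) -> str:
    """Decode one short, unchunked NDEF URI record or raise ValueError."""
    if len(data) < 3:
        raise ValueError("truncated header")
    flags, type_len, payload_len = data[0], data[1], data[2]
    if not (flags & 0x10) or (flags & 0x20):  # need SR set, CF (chunk) clear
        raise ValueError("only short, unchunked records are handled")
    if (flags & 0x07) != 0x01:                # TNF 1 = NFC Forum well-known type
        raise ValueError("not a well-known type")
    offset, id_len = 3, 0
    if flags & 0x08:                          # IL set: an ID length byte follows
        if len(data) < 4:
            raise ValueError("truncated header")
        id_len, offset = data[3], 4
    rec_type = data[offset:offset + type_len]
    offset += type_len + id_len               # skip the type and optional ID
    payload = data[offset:offset + payload_len]
    if rec_type != b"U" or payload_len < 1 or len(payload) != payload_len:
        raise ValueError("not a complete URI record")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unhandled URI prefix code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def handle_tag(data: bytes, unlocked: bool, user_confirms) -> str:
    """Return the action taken; the URI is opened only after explicit consent."""
    if not unlocked:                          # screen off or locked: ignore the tag
        return "ignored"
    try:
        uri = parse_short_uri_record(data)
    except ValueError:                        # also covers UnicodeDecodeError
        return "rejected"
    # user_confirms is a hypothetical UI callback that shows the full URI.
    return "open:" + uri if user_confirms(uri) else "declined"

# Constructed sample tag: header 0xD1 (MB|ME|SR, TNF=1), type "U", prefix 0x03.
_payload = bytes([0x03]) + b"tag-example.invalid/promo"
SAMPLE_TAG = bytes([0xD1, 0x01, len(_payload)]) + b"U" + _payload

if __name__ == "__main__":
    print(handle_tag(SAMPLE_TAG, True, lambda uri: False))
```

Malformed or unrecognised records are rejected before any prompt is shown, so the user is only ever asked about a URI that was fully decoded.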