Near Field Chaos

A popular feature that is increasingly added to smartphones is Near Field Communication (NFC), which allows data to be exchanged when compatible devices are placed very closely together.  Most commonly, this is used for payments via smartphone.  Just wave your phone at the store’s NFC reader, and you can pay your bill with the account information you have stored in your phone.  Very handy, plus it almost feels like we’re living in the future.

Now when dealing with financial information, people tend to design their security measures pretty well.  (The fact that they can face massive fines for a breach helps push the priority of secure design.)  However, there are lots of other nifty things people are figuring out how to do with NFC.

And not all of those things are secured as well as paying for your lunch is.

Security rock-star Charlie Miller demonstrates.

Android phones with NFC have the Android Beam feature, which facilitates data exchange between two Android phones.  The problem is that:

when NFC and Android Beam are enabled—as they are by default—devices will automatically download any file or Web link sent through the service. There’s no way for end users to selectively approve or reject a specific transfer initiated by another handset.

In the demonstrated exploit, Mr. Miller had the victim phone open a specially crafted website that would then utilize a browser exploit to take over the whole phone.

Android Beam only works when the phone’s screen is on and unlocked, so someone couldn’t go around waving their phone past everyone’s pockets and build a botnet on the fly, but this type of hole could still be abused in theory, especially when combined with social engineering.
