Researcher Wows Black Hat With NFC-based Smartphone Hacking Demo

alphadogg writes "At the Black Hat Conference in Las Vegas Wednesday, Accuvant Labs researcher Charlie Miller showed how he figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by means of the Near Field Communication (NFC) capability in the smartphones. NFC is still new but it's starting to become adopted for use in smartphone-based purchasing in particular. The experimentation that Miller did, which he demonstrated at the event, showed it's possible to set up NFC-based radio communication to share content with the smartphones to play tricks, such as writing an exploit to crash phones and even in certain circumstances read files on the phone and more."

Hmm

[masternerdguy]

Workaround: Blacklist the kernel module used for NFC?

Re:Hmm

[sexconker]

Solution: Don't buy a phones with NFC gimmickry, NFC gimmickry goes away.

Re:Hmm

[socceroos]

I'm under no illusion that a large code base is hard to secure, but I'm still baffled^H^H^H^H^H^H^Hannoyed that when a new point of access to a device is born that it isn't done with utmost security in mind. We live in an age where the devices we own hold the keys to our lives, why aren't they as secure as they possibly can be short of not existing??

Re:Hmm

[jader3rd]

why aren't they as secure as they possibly can be short of not existing?

Because first to market wins.

Re:Out-of-band comm + PKE = enough security

[vux984]

Well, yes, that's all great...

But the problem you need to solve is "paying for a burger with less effort than using a debit / credit card" while not being less secure.

Your solution passes on being more secure, but fails dismally at being easier.

Re:Hmm

[socceroos]

That's what people said about RFID tags until people started skimming them at distances beyond a kilometre.

Re:Hmm

[Opportunist]

Because security does not sell. It's that simple.

Go out there and ask 1000 random people what they are looking for in a cell. NONE of them will say security. Not even at any point in that whole list of things they might mention.

Security is a non-issue for pretty much every phone user out there save a few "computer people" who know what you just said: Any channel, if not properly secured, can and will be abused to compromise the confidentiality of the device using it.

Problem is, I guess for at least 80% of the phone users out there reading half of the last sentence is enough to make their eyes glaze over. Doesn't take pictures, doesn't play MP3s, doesn't let me tell everyone I'm on the can on Facebook, so why'd I need it?

Making code secure costs money and is no selling point. Well, it sure as hell would be with me and most likely you, but for every you or me, there's a thousand Bobs out there who prefer shiny.

Overrated...

[Anonymous Coward]

Unfortunately, like most web sites, slashdot brings this article way too sensational, omitting most of the facts that make this a lot less impressive and worrisome.

First, at least on Android devices, NFC is only enabled when the screen is on and unlocked. That means that nobody can just walk by you and communicate to your device over NFC. You need to be already working with your phone.

Second, there is the range. NFC typically only works one or two inches away, and the two devices interacting need to be aligned properly as well. Somebody literally needs to put a phone back to yours to make this work. Of course, range could be expanded a bit with some seriously large gear, but it is still extremely difficult to align to such a small antenna from a distance. And remember, your phone's screen needs to be and unlocked. You'll notice when someone comes that close to you or your phone.

Third, you can't just pull data from an Android device over NFC. You need to confirm that you want to push data. What Charlie did was to push a web link over NFC to a remote device. Because there was a bug in webkit on the remote device (only on 4.0.1), this allowed him to execute code. If he had entered the URL manually, or scanned a QR code, the same would have happened. It's true that Android does not ask for confirmation when *receiving* data over NFC. That said, most users would click *yes* anyway on such confirmations. And there are more effective ways to exploit webkit bugs (sending mass e-mails, just putting a link to the malicious URL on a popular website).

Re:Hmm

[chiguy]

Go out there and ask 1000 random people what they are looking for in a cell. NONE of them will say security.

All true, security is not a selling point.

But the reason people don't list it for cell phones is that security is assumed. Similar to if you asked me what I look for in a bank, security is not something I would list. I assume all banks offer adequate security. At least to the level required by law.

What you're pointing out is the average user does not realize/understand how poor the security really is on their devices.