Security The Almighty Buck Wireless Networking

Researcher Wows Black Hat With NFC-based Smartphone Hacking Demo 95

alphadogg writes "At the Black Hat Conference in Las Vegas Wednesday, Accuvant Labs researcher Charlie Miller showed how he figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by means of the Near Field Communication (NFC) capability in the smartphones. NFC is still new but it's starting to become adopted for use in smartphone-based purchasing in particular. The experimentation that Miller did, which he demonstrated at the event, showed it's possible to set up NFC-based radio communication to share content with the smartphones to play tricks, such as writing an exploit to crash phones and even in certain circumstances read files on the phone and more."
  • eavesdropping (Score:2, Interesting)

    by Anonymous Coward on Thursday July 26, 2012 @07:15PM (#40785053)

    Ironic. The technical tools to solve all these problems exist, but if they were used properly, even the gov't. couldn't break in.

    So which do you want? An inherently weak system that allows civil monitoring, or something so secure it'd be as anonymous as cash. After all, this is *cash* we are talking about replacing here.

    The gov't. has a "thing" about encrypting wireless communications ...

  • Re:Hmm (Score:4, Interesting)

    by socceroos ( 1374367 ) on Thursday July 26, 2012 @07:16PM (#40785063)
    I cannot believe..........no wait....I cannot understand why these things aren't being made with security at the forefront. Surely anyone with half a brain realises that every point of communication with a phone is a potential point of exploitation. LOCK IT DOWN PEOPLE - FOR BLINKY'S SAKE, THIS HAS BEEN GOING ON TOO LONG.
  • by davidwr ( 791652 ) on Thursday July 26, 2012 @08:02PM (#40785503) Homepage Journal

    One, both sides of the conversation should know "something" about who they are talking to before engaging or continuing a transaction.

    "Enough" may be nothing more than making sure a man-in-the-middle hasn't taken over the conversation.

    Second, any conversation has to begin at a minimum trust level - basically "I don't trust you, you don't trust me, here's my name-of-the-day, what should I call you today?" level.

    Some people have suggested public key cryptography. While this is cool, it may be simpler to use "out of band" communication to verify identities. Since phones have cameras and screens, these can provide the necessary out of band communications.

    Scenario:

    Say I'm at the Burger Bar and I want to buy something using my phone. My phone doesn't trust the radio signal pretending to be Burger Bar's, and Burger Bar doesn't trust that my phone isn't someone else's phone nearby.

    So I use my phone to take a picture of a display at the Burger Bar order counter. This picture has a QR code for Burger Bar's public key or web site that has the public key, as well as a second, changing QR code that is my transaction ID plus some randomness. I encrypt all of this plus my made-up-on-the-spot public key plus a made-up QR code using Burger Bar's public key. I display this QR code on my phone and put it in range of the small camera at the register. Burger Bar's computer checks the QR code against what I just transmitted to verify it's my phone it's talking to.

    Now we can talk to each other securely and, thanks to the ordinary security cameras that show me holding my phone close to the order counter, in a difficult-to-repudiate way.

    I didn't have to give Burger Bar my phone's serial number. I didn't have to give it any identification beyond what our banks need to transact business, just as if I were using a traditional credit card or debit card payment. If we are using bit-coin or something similar, I didn't even have to give them that much - true anonymity.

    Now I go enjoy my meal. Oh wait, this is Burger Bar we are talking about. Now I go ingest my mass quantities.

    Burger Bar really doesn't have to use its own public key. Like me, it can make up one for this transaction. It's the taking-a-picture of the public key and transaction code that make this secure against a radio-only intercept. If there is a risk that the transaction code picture or my phone's on-screen QR code will be intercepted, it's easy enough to let the two devices look at each other in a way that's very difficult to "peek into."
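The check at the heart of the scheme in the post above, as an added example that is not part of the original post: each side accepts a key heard over the radio only if it matches what its camera saw. It uses a SHA-256 binding in place of the encryption step the post describes; the function names, the QR field layout and the random bytes standing in for public keys are assumptions.

```python
import hashlib
import hmac
import secrets

def bind(pubkey: bytes, txn_id: bytes, nonce: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so field boundaries cannot be shifted."""
    h = hashlib.sha256()
    for field in (pubkey, txn_id, nonce):
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()

def counter_qr(merchant_pub: bytes, txn_id: bytes) -> dict:
    """What the counter display shows: transaction ID, fresh nonce, key digest."""
    nonce = secrets.token_bytes(16)
    return {"txn": txn_id, "nonce": nonce, "digest": bind(merchant_pub, txn_id, nonce)}

def phone_accepts(qr: dict, radio_pub: bytes) -> bool:
    """Phone side: the key heard over radio must match the photographed QR."""
    return hmac.compare_digest(bind(radio_pub, qr["txn"], qr["nonce"]), qr["digest"])

def phone_qr(phone_pub: bytes, qr: dict) -> bytes:
    """What the phone screen shows back: its own key bound to the same txn and nonce."""
    return bind(phone_pub, qr["txn"], qr["nonce"])

def register_accepts(shown: bytes, radio_phone_pub: bytes, qr: dict) -> bool:
    """Register side: the key heard over radio must match the phone's screen."""
    return hmac.compare_digest(bind(radio_phone_pub, qr["txn"], qr["nonce"]), shown)

def demo() -> dict:
    # Constructed sample values: random bytes stand in for real public keys.
    merchant_pub, phone_pub, substituted_pub = (secrets.token_bytes(32) for _ in range(3))
    qr = counter_qr(merchant_pub, b"order-0001")
    shown = phone_qr(phone_pub, qr)
    stale = counter_qr(merchant_pub, b"order-0001")  # earlier display, different nonce
    return {
        "honest_phone": phone_accepts(qr, merchant_pub),
        "swapped_merchant_key": phone_accepts(qr, substituted_pub),
        "honest_register": register_accepts(shown, phone_pub, qr),
        "swapped_phone_key": register_accepts(shown, substituted_pub, qr),
        "replayed_screen": register_accepts(phone_qr(phone_pub, stale), phone_pub, qr),
    }

if __name__ == "__main__":
    print(demo())
```

The per-transaction nonce is what makes a photographed or replayed code from an earlier transaction fail the comparison.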

  • by Jah-Wren Ryel ( 80510 ) on Thursday July 26, 2012 @08:23PM (#40785707)

    I've long thought that NFC was a disaster waiting to happen - or really a never-ending series of disasters, just as each one is patched-over a new one will appear.

    The problem is that NFC's functionality is all out of proportion to the problem it is intended to solve. It's kind of like adding a video display when all you need is an LED indicator light. NFC is supposed to handle short and fast communications between devices that are in very close proximity. Stuff like exchanging v-cards, electronic payments at the register, kickstarting ad-hoc wifi connections, etc.

    None of that stuff requires radio communications and even though NFC is designed for broadcast ranges of a couple of centimeters, that never stops the bad guy from using high-powered transmitters and ultra-sensitive antennas to do their dirty work from a more comfortable and non-obvious location.

    I believe that almost everything that NFC is likely to ever be useful for could also be done with no extra hardware. Just use the camera already built into every smart-phone to take a picture of a 2d-barcode displayed by the other device. That gets you physical access controls limited by line of sight and a window of opportunity limited to the second or so that the user explicitly presses the camera button.

  • by jbeaupre ( 752124 ) on Thursday July 26, 2012 @08:28PM (#40785741)

    The discussion about single point login got me thinking. Rather than having some server out there become a single point of failure, how about a device you carry with you that stores the multitude of logins and passwords? Smart phones seem capable of just that.

    Has anyone come across using NFC on a phone as a login/password authentication method? Store all of your login and passwords on the phone. Then when prompted for login info (website, laptop login, etc), you use your phone.

    Yeah, a whole new security nightmare. But the idea still appeals to me.
