NFC Gets the Hacker Treatment

by Mercator Advisory Group 0

At last week’s DEF CON hacker conference, the short range communications technique called NFC (near field communications) is taking its turn in the hot seat. The attention is shining a bright light on this smartphone-based system, on weaknesses due to bug-ridden software as well as insecure default behavior. The news isn’t good.

The dominant smartphone operating system is Android. Android introduced Android Beam a year ago as a means to share web pages, business cards, URLs to videos, and more. The initial software release supporting NFC functions has a number of weaknesses as discovered by the hacker Charlie Miller whose research identified the concerns. While many of the bugs have been fixed in current releases of Android and Nokia phones, it can take many months for those updates to distributed to eligible smartphones.

Of more concern is the default behavior of Android Beam, NFC and how it interacts, by default, with other NFC devices, even $1 NFC tags that can be programmed to suborn the smartphone of the unwary and unwitting.

From an Arstechnica article:

But even if there are no exploitable bugs in the NFC code itself, a feature known as Android Beam, which Google developers added to Ice Cream Sandwich, allows Miller to force a handset browser to open and visit any website he chooses—without first getting permission of the end user.

“What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to,” Miller said. “So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC.”

Surprisingly, when NFC and Android Beam are enabled—as they are by default—devices will automatically download any file or Web link sent through the service. There’s no way for end users to selectively approve or reject a specific transfer initiated by another handset. “The fact that, without you doing anything, all of a sudden your browser is going to my website, is not ideal,” Miller said in a noted understatement.

Identifying software and hardware security vulnerabilities is one of the huge benefits of conferences like DEF CON. For general purpose technologies like NFC, in particular, exposure to real world examination is essential to improving the overall security profile of the system. Finding flaws does not mean an approach is irremediably broken. It’s only broken if the flaws aren’t fixed.

Click here to read more from Arstechnica.