Black Hat: NFC exploit could overtake mobile device through a simple graze

Share this article:

A vulnerability discovered in near field communication (NFC) could have end-users' smartphones compromised by attackers who simply bump into them, said a security expert at this year's Black Hat conference in Las Vegas.

NFC, a wireless technology that establishes communication between phones through physical contact, is mostly used in smartphones on the Android platform, but is expected to be found on a majority of the upcoming mobile devices released.

Well-known Apple hacker and Accuvant researcher Charlie Miller wowed the crowed at Caesar's Palace through a demo that involved infiltrating an Android phone by simply grazing it with a tag embedded with an NFC chip.

Once the phone was tagged, the browser opened to a phony web page that gave Miller full access to the data on the device.

Outside of the Android vulnerability he used to conduct the exploit, which has already been patched by Google, Miller discovered a similar bug in another device tested, a Nokia N9 which runs on the MeeGo platform.

Miller told SCMagazine.com on Thursday that he decided to focus his latest research on NFC because it's a new technology, exploiting it does not require user interaction, and there has been little analysis done on it.

"I'm always looking for something to pick on," he said.

Although there have been no in-the-wild cases of malicious NFC activity, Miller believes it may be because the technology still isn't prevalent.

"If you imagine a time when you're always paying with your phon, these [attacks] would be everywhere," he said. "Replacing NFC tags with malicious ones are totally realistic. It's the equivalent of ATM skimming."

There is a way to make the technology more secure, such as prompting a user to opt in to each exchange they make, but the solution would affect the convenience of NFC, Miller said.

"You would have to give up some of that convenience to make it more secure," he said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

EPIC files complaint with FTC against Maricopa

The nonprofit organization alleges that the Maricopa County Community College District violated the FTC's "Safeguards Rule."

RSA fraud report examines August phishing trends

Phishing is down 22 percent from July to August, but U.S. banks experienced an increase in phishing volume.

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.