Black Hat – Don’t stand so close to me: An analysis of the NFC attack surface

I always enjoy Charlie Miller’s talks and this one did not disappoint. Charlie is best known for being the first researcher to break the security model of both the Android and iOS platforms.

Near field communications (NFC) technology is becoming increasingly common in our daily lives. Most of us have used a contactless credit card (PayPass, PayWave), Oyster card (public transit) or other NFC driven technology.

With the latest phone handsets from Google and Samsung shipping with NFC built-in and rumors that Apple and Microsoft will be adding NFC to their devices later this year, Charlie decided to look into the attack surface of NFC.

He began by probing the drivers, hardware and program stack on both a Nokia MeeGo phone and a Google Android phone. While he was able to find some flaws using classic fuzzing techniques, nothing major was discovered.

Although Charlie did find a vulnerability in Android that affects all “Gingerbread” devices and “Ice Cream Sandwich” devices lower than version 4.0.1, the most interesting findings were at the application layer.

There can be many programs loaded onto a phone that will accept instructions or input from NFC. This is where the real bugs are found.

Consider Android Beam: an Android phone can simply touch another NFC-enabled Android phone and have it automatically load a web page of the “toucher’s” choosing.

This widens the attack surface from just the NFC driver and kernel stack to include HTML, JavaScript, PNG, JPG, GIF, MP3, MP4 and just about anything else that can be loaded into a browser. Creating a malicious web page is far easier than trying to find device-specific bugs.

The Nokia N9 with MeeGo suffers from the same type of trouble. The Nokia Content Sharing app will allow a user to compel another person’s phone to load a web page without any user interaction. This is despite an option on the phone called “Confirm sharing and connecting” being enabled.

Even worse, the Nokia device is configured to automatically pair with Bluetooth devices when tapping NFC tags. Even if your Bluetooth is disabled, it will turn it on and pair without your permission (unless “Confirm sharing and connecting” is enabled).

This creates an even richer attack environment, as I don’t even need to find a vulnerability in your device. I can simply configure my phone to tell your Nokia to pair with me over Bluetooth, giving me access to the entire file system on your phone.

For now, it is a good idea to enable all NFC-related security features on your phone and keep it up to date with patches from the vendor. Many Android devices will only accept NFC communications when they are unlocked or awake.

The onus is on Google, Nokia and other operating system makers to build in better security controls and to never allow an action to occur without prompting the recipient to confirm that they wish to proceed.

While it might be convenient to tap a speaker with my phone and have my music start playing, I’m fine with a prompt on my handset that says “Bluetooth pair with Logitech BlueBlast speakers?”.

Please, just give us a fair chance to defend ourselves.

Photo of Charlie from his Twitter avatar.