Black Hat - Don't stand so close to me: An analysis of the NFC attack surface

Filed Under: Android, Data loss, Featured, Mobile, Privacy, Vulnerability

Charlie Miller's Twitter pictureI always enjoy Charlie Miller's talks and this one did not disappoint. Charlie is best known for being the first researcher to break the security model of both the Android and iOS platforms.

Near field communications (NFC) technology is becoming increasingly common in our daily lives. Most of us have used a contactless credit card (PayPass, PayWave), Oyster card (public transit) or other NFC driven technology.

With the latest phone handsets from Google and Samsung shipping with NFC built-in and rumors that Apple and Microsoft will be adding NFC to their devices later this year, Charlie decided to look into the attack surface of NFC.

He began by probing the drivers, hardware and program stack on both a Nokia Meego and Google Android phone. While he was able to find some flaws using classic fuzzing techniques, nothing major was discovered.

Although Charlie did find a vulnerability in Android that affects all "Gingerbread" devices and "Ice Cream Sandwich" devices lower than version 4.0.1, the most interesting findings were at the application layer.

There can be many programs loaded onto a phone that will accept instructions or input from NFC. This is where the real bugs are found.

Consider the ability for Android phones with the Android Beam app to simply touch another NFC enabled Android and have it automatically load a webpage of the "toucher's" choosing.

This widens the attack surface from just the NFC driver and kernel stack to include HTML, JavaScript, PNG, JPG, GIF, mp3, mp4 and just about any other thing that can be loaded into a browser. Creating a malicious webpage is far easier than trying to find device specific bugs.

Meego NFC settingsThe Nokia N9 with Meego suffers from the same type of trouble. The Nokia Content Sharing app will allow a user to compel another persons phone to load a web page without any user interaction. This despite an option on the phone called "Confirm sharing and connecting" being enabled.

Even worse the Nokia device is configured to automatically pair with Bluetooth devices when tapping NFC tags. Even if your Bluetooth is disabled it will turn it on and pair without your permission (unless Confirm sharing and connecting is enabled).

This creates an even richer attack environment as I don't even need to find a vulnerability in your device. I can simply configure my phone to tell your Nokia to pair with me over Bluetooth providing me with access to the entire file system on your phone.

For now it is a good idea to enable all NFC related security features on your phones and keep them up to date with patches from the vendor. Many Android devices will only accept NFC communications when they are unlocked or awake.

The onus is on Google, Nokia and other operating system manufacturers to build in better security controls and to never allow an action to occur without the ability to prompt the recipient that they wish to proceed.

While it might be convenient to tap a speaker with my phone and have my music start playing, I'm OK with a prompt on my handset that says "Bluetooth pair for Logitech BlueBlast speakers?".

Please, just give us a fair chance to defend ourselves.

Photo of Charlie from his Twitter avatar.

, , , , , , ,

You might like

8 Responses to Black Hat - Don't stand so close to me: An analysis of the NFC attack surface

  1. JMJ · 1126 days ago

    "Please, just give us a fair chance to defend ourselves."

    Well said and Amen! In addition to the de rigueur confirmation, it would also be helpful if our NFC-enabled devices chirped, buzzed or vibrated every time that feature is accessed.

  2. Mark G · 1126 days ago

    I couldn't agree more because 99% of the public are just ignorant to any or even what security implications or vulnerabilities lie in a device.

    The problem with phone manufacturers is that they want these devices out in the field and worry about updates later or when something is discovered or if something is found out because it has been revealed in the past that devices have been let out in to the wild with known issues and companies like Android, Microsoft and Apple all have been guilty of this crime.

    Now if manufacturers were left in the position that they were liable for any or all losses an individual could suffer from a lax security policy then I am sure that they all would ensure that these devices were safe and secure but they don't, they are only interested in your money and in some cases, your data as well as I am finding out with Android and it sync policy for your contacts lists.

    These days you don't even need to be black hat to take advantage of people, you just wait for the app to appear on or what ever site it appears on and looking at some hack sites, punks (aka kids) are the biggest perpetrators of stealing a persons data, that is what I discovered, no such thing as an ethical hacker on those sites, even duping other hackers out of money for information on how to break a device or hack in to plant a virus is talked about openly on some of these hack sites.

  3. VFAC · 1126 days ago

    "Please, just give us a fair chance to defend ourselves."


    At least the opportunity to choose the level of convenience we will sacrifice to reduce risk.

    A menu option somewhere that allows us the choice on a scale from

    "Lock it up tighter than Mr. Burns' wallet"
    "Do what you want, just leave me alone"

  4. Tom K · 1125 days ago

    "The Nokia Content Sharing app will allow a user to compel another persons phone to load a web page without any user interaction."

    I'd say picking up the phone and get it close enough to the attacker's phone is a "user interaction"

    If an attacker already gained physical access to your phone, NFC is probably the last thing you have to worry about.

    • andrewmbaines · 1125 days ago

      Try taking a trip on the London Underground at rush hour - plenty close enough for NFC without physical access.

    • Jason · 1125 days ago

      And what if the attacker were on a crowded subway car next to you and "brushed into" your phone on your waist/pocket? You've never lost physical control of your phone but you've been pwned.

  5. xristopher · 1125 days ago

    @Tom K

    You are correct, if you have lost physical control over a phone, it's game over... but the thing about this is that you do not have to lose it in order for this to work.

    I'm willing to bet that your mobile phone (should you have one) spends more than a little time either in your right front pocket, or hanging visibly from your belt.

    It is trivial for an attacker to get a phone or antenna within the 4-10cm needed to trigger the NFC response. No user interaction required beyond the target being in a public place.

  6. @faisal_asif · 1124 days ago

    You should also try new BlackBerry devices that come with NFC.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at