NFC hacks revealed at Black Hat
26 July, 2012
category: NFC
As promised, computer security researcher Charlie Miller exposed several vulnerabilities of NFC technology today at the Black Hat USA 2012 security conference in Las Vegas.
According to Ars Technica (AT), Miller was able to hack NFC phones from Nokia and Samsung by using another NFC chip to beam code to the target when in close proximity. That code opens malicious files or Web pages that attack known vulnerabilities in a document reader, the browser, or the operating system.
Miller also demonstrated a hack on the Nexus S running Android Gingerbread 2.3 using nothing more than a specially designed NFC tag. According to AT, Miller’s method takes control of the application “daemon” that governs the handset’s NFC functions, allowing hackers to execute malicious code on the device. It is worth noting, however, that Gingerbread is an outdated OS, and many of these vulnerabilities in the code may have been addressed in 4.0 Ice Cream Sandwich.
Nonetheless, Miller was able to exploit the new Android 4.0 feature “Android Beam” as well, again using an NFC tag to force a handset’s browser to open any website he chose.
“What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to,” explained Miller. “So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC.”
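What a tag that triggers this behaviour carries is an NDEF message whose URI record the handset dispatches to the browser without prompting. The following added example (not code from the article or from Miller’s research) decodes a tag’s NDEF records and lists the URIs a phone would act on, so an investigator can inspect a tag before a device does; the record layout and prefix table follow the NFC Forum NDEF and URI RTD specifications, and the tag bytes are constructed.

```python
"""Decode NDEF records from an NFC tag and list the URIs a phone would act on
automatically. Added example (not the article's or Miller's code); record layout
follows the NFC Forum NDEF and URI RTD specifications."""
from typing import List, Tuple

# URI RTD: first payload byte abbreviates a well-known prefix (subset shown)
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:", 0x1D: "file://",
}
TNF_WELL_KNOWN = 0x01  # TNF for NFC Forum well-known types such as "U"

def parse_ndef(msg: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split an NDEF message into (tnf, type, payload) records."""
    records, pos = [], 0
    while pos < len(msg):
        flags = msg[pos]
        tnf = flags & 0x07
        type_len = msg[pos + 1]
        pos += 2
        if flags & 0x10:                        # SR bit: 1-byte payload length
            payload_len, pos = msg[pos], pos + 1
        else:                                   # else 4-byte big-endian length
            payload_len, pos = int.from_bytes(msg[pos:pos + 4], "big"), pos + 4
        id_len = 0
        if flags & 0x08:                        # IL bit: ID length byte present
            id_len, pos = msg[pos], pos + 1
        rtype = msg[pos:pos + type_len]
        pos += type_len + id_len                # skip TYPE and the optional ID
        payload = msg[pos:pos + payload_len]
        pos += payload_len
        records.append((tnf, rtype, payload))
        if flags & 0x40:                        # ME bit: last record in message
            break
    return records

def auto_actions(msg: bytes) -> List[str]:
    """Return the URIs a handset would dispatch to its browser or dialer."""
    uris = []
    for tnf, rtype, payload in parse_ndef(msg):
        if tnf == TNF_WELL_KNOWN and rtype == b"U" and payload:
            prefix = URI_PREFIXES.get(payload[0], "")
            uris.append(prefix + payload[1:].decode("utf-8", "replace"))
    return uris

# Constructed tag: one short URI record, prefix 0x04 ("https://") + suffix
SAMPLE_TAG = bytes([0xD1, 0x01, 0x15, 0x55, 0x04]) + b"example.test/landing"

if __name__ == "__main__":
    print(auto_actions(SAMPLE_TAG))  # ['https://example.test/landing']
```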
On the Nokia N9, Miller was able to establish a Bluetooth connection from his MacBook to a targeted handset via NFC. Once connected, Miller could force the handset to make phone calls, send text messages, and upload and download contact lists and other files. According to AT, the Nokia N9 enables users to reject unauthorized Bluetooth connection requests, but only after reconfiguring the phone’s default settings.
Nokia officials responded to Miller’s hack with the following statement: “Nokia is aware of the NFC-research done by Charlie Miller and is actively investigating the claims concerning Nokia N9. Although it is unlikely that such attacks would occur on a broad scale given the unique circumstances, Nokia is currently investigating the claims using our normal processes and comprehensive testing. Nokia is not aware of any malicious incidents on the Nokia N9 due to the alleged vulnerabilities.”
Miller admitted that putting together these attacks wasn’t easy. “It’s a big, elaborate mess that eventually worked,” commented Miller, who spent six months “fuzzing” NFC phones to uncover their vulnerabilities.