The prevalence of NFC payments at this summer’s Olympics in London may draw the attention of thieves using “fuzz” attacks on mobile devices, according to McAfee.
London will serve as a major test ground this summer for NFC payments. Samsung and Visa are piloting the technology with Olympic athletes using Galaxy SIII phones, and it has been reported that Google will use the event for the UK launch of Google Wallet. While Google’s PIN hack scare earlier this year has been taken care of, that still leaves another trick that thieves could use to access information on mobile phones: “fuzzing.”
According to McAfee, a fuzz attack targets the mobile device’s OS and its NFC-handling libraries. Fuzzing involves feeding corrupt or damaged data to an app on a mobile device to discover vulnerabilities. According to McAfee, this can be accomplished in several ways, including text messages and now NFC tags.
The latter route has been pioneered by researcher Collin Mulliner, who has updated his NFC fuzzing software for Android devices, enabling him to feed crafted or damaged NFC tags to an Android phone’s library and then capture any crashes or code-execution opportunities, according to McAfee.
Theoretically, a thief could get his hands on a Samsung Galaxy SIII when it hits stores later this week and use Mulliner’s technology to look for vulnerabilities on the phone. Should he find any exploitable weaknesses, they would enable him to steal credit card information from other Galaxy SIIIs, according to McAfee.