To NFC or not to NFC
By Gabey Goh October 8, 2012
- Near Field Communications (NFC) features in mobile phones open up more of an attack surface for hackers
- Security researcher Charlie Miller to delve deeper into NFC security at this year’s HITBSecConf
CHARLIE Miller, a principal research consultant for Accuvant Labs, set a lot of tongues wagging at the Black Hat cybersecurity conference earlier this year.
His presentation involved demonstrating how Near Field Communications (NFC) features in mobile phones opened up new avenues for hackers to gain control over the device.
NFC technology builds upon Radio-frequency identification (RFID) systems by allowing two-way communication between endpoints, where earlier systems such as contactless smart cards were one-way only.
Its uses include facilitating media sharing, access control (to replace traditional keys), ticketing for social events and public transportation in lieu of traditional paper, as well as contactless payments, where money is debited from financial accounts.
During the demonstration, Miller brushed a tag with an embedded NFC chip against an Android phone, activating a built-in content-sharing feature called Android Beam, which pushed a webpage to the phone and used a browser bug to gain unlimited access to everything on the device.
One would think that after showcasing how NFC technology increased the avenues of attack, Miller would have been bombarded afterwards with follow-ups and questions.
But he wasn’t.
“You might be surprised, but vendors and technology companies don't talk to me much. Researchers seemed to think it was cool, so that was good,” said Miller in an email interview with Digital News Asia.
There was one exception to the rule though. “Nokia spoke with me and let me know their plans. Basically, they're working on it,” he said.
Since then, more exploits relating to NFC have been revealed. These include a presentation by researchers from security company MWR Labs during the Mobile Pwn2Own competition at the EUSecWest security conference, which showed that it is possible to beam an exploit over an NFC connection by holding two Samsung Galaxy S IIIs next to each other.
However, Miller is quick to point out that his demonstration and those by other security researchers did not really involve NFC vulnerabilities in themselves; rather, the technology can be used as a vector to exploit already known vulnerabilities.
“For example, I demoed a browser exploit triggered via NFC while the Pwn2Own winning team triggered a document viewer vulnerability via NFC. Neither of these are NFC vulnerabilities, it’s just that NFC opens up more of an attack surface,” he said.
With NFC technology being embedded into more mobile devices and companies, the most hyped aspect of the technology has been its role in spearheading the adoption of the next generation of mobile payment systems.
The persistence of security issues surrounding the technology has not helped matters, but that has not turned Miller himself off the idea.
“I hope so, I think it’s cool. I want to pay for stuff with my phone!” he said when asked if he thinks NFC-enabled mobile payments will take off in a big way.
Before that, though, security issues must be addressed. Miller said care needs to be taken to give users warnings before NFC takes actions on their phones.
“Beyond that it might make sense to build some kind of NFC tag signing structure into existence similar to Secure Sockets Layer. But even with this, there are situations where users of NFC may find themselves being attacked,” he added.
More recently, a Gizmodo report highlighted an app called UltraReset which takes advantage of NFC vulnerabilities in the systems used by many public transit systems in the United States.
Using any NFC-capable Android phone running version 2.3 of the operating system or later, the UltraReset app can take a train card with zero rides and refill it repeatedly, for free.
When asked for his take on the app, Miller said it is an example of a “poorly designed use of NFC.”
“NFC technologies contain features which would allow for secure subway passes that would resist this attack. However, the people who rolled out these subway passes didn't use this and so the tags are writable by anyone,” he said.
Miller will be delving deeper into the security vulnerabilities surrounding NFC technology during his talk at Malaysia’s premier cyber-security event, HITBSecConf, taking place this week at the InterContinental Hotel, Kuala Lumpur, from Oct 8-11.
He last presented at HITBSecConf on the topic of iOS hacking back in 2008 and shared that his first appearance at the conference didn’t go very smoothly. His talk was mostly centered on demonstrations which required connecting to an iPhone over the conference WiFi network.
Pre-show tests had everything working fine but during Miller’s presentation, none of them worked. He couldn’t even connect to the device via a secure remote command interface.
“I was totally flustered and it was horrible. Immediately after the talk, they worked again. I found out later that in the room next to mine there was a talk about WiFi hacking going on that was taking down the WiFi, doh!” he said.