At the Black Hat convention, researchers discussed how NFC tags can be used to exploit smartphone vulnerabilities. It’s a serious topic, as more and more devices are being shipped with NFC chips standard, and NFC technology is being leveraged for sharing content between phones, contactless payments and more.
As a smartphone user, developer or retailer it’s important to recognize the vulnerabilities that come with NFC technology. It may be becoming a standard before it’s been properly secured.
Charlie Miller and Collin Mulliner’s talk, entitled “Don’t Stand So Close to Me: An Analysis of the NFC Attack Surface,” described how NFC tags on stickers and smart cards can be hi-jacked to redirect NFC-smartphones to malicious sites where their personal data can be acquired effortlessly. This type of attack is dubbed as “fuzzing”. NFC-capable smartphones usually ship with the feature turned on and the problem with this is when it comes in contact with an NFC tag, it does automatic actions, like load specific websites without even notifying the user.
Miller stated that this doesn’t have to be the case, as users should be informed when a smartphones is being asked to perform a task like opening a mobile browser or downloading content. Malicious NFC tags can be used to siphon important personal data, such as credit card information.
If this is the case, attendees and participants of the 2012 London Olympics may soon be faced with a horrible nightmare.
Samsung and Visa announced their partnership last May that enables contactless payments during the Olympics. A limited edition Galaxy SIII equipped with Visa’s payment application, payWave, will be available for Samsung and Visa sponsored athletes and trialists, making it possible to buy merchandise with a wave of the device at thousands of retail locations throughout London.
Though it may sound like a dream shopping experience, it might soon turn into a nightmare, especially with the above mentioned vulnerability of the NFC technology. But what Miller discussed in his report is just the tip of the iceberg. There are plenty of security threats surrounding NFC. McAfee security expert Jimmy Shah backed Miller’s report and extended it to identity theft as well. If an NFC vulnerability lets attackers siphon information from a user’s device, then he could use it to steal more than credit card information, taking the entire identity of a person.
But NFC may not be the sole culprit to blame as apps can also play a part in rendering NFC a still vulnerable technology. Researchers at Symantec were able to find an app called Ecardgrabber that can obtain contactless credit card data over the air for a limited set of cards. According to Symantec, the author of the app is a German researcher whose aim was to expose the vulnerabilities of NFC. And he was successful in doing so. For weeks, the app was left undetected on Google Play, and allowed smartphones with NFC to retrieve credit card details on contactless payment cards just a mere four centimeters away.