Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Wows Black Hat With NFC-based Smartphone Hacking Demo

Posted by samzenpus on from the unsafe-at-any-speed dept.

alphadogg writes "At the Black Hat Conference in Las Vegas Wednesday, Accuvant Labs researcher Charlie Miller showed how he figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by means of the Near Field Communication (NFC) capability in the smartphones. NFC is still new but it's starting to become adopted for use in smartphone-based purchasing in particular. The experimentation that Miller did, which he demonstrated at the event, showed it's possible to set up NFC-based radio communication to share content with the smartphones to play tricks, such as writing an exploit to crash phones and even in certain circumstances read files on the phone and more."

8 of 95 comments (clear)

  1. Hmm by masternerdguy · · Score: 3, Insightful

    Workaround: Blacklist the kernel module used for NFC?

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:Hmm by sexconker · · Score: 3, Insightful

      Solution: Don't buy a phones with NFC gimmickry, NFC gimmickry goes away.

    2. Re:Hmm by socceroos · · Score: 4, Insightful

      I'm under no illusion that a large code base is hard to secure, but I'm still baffled^H^H^H^H^H^H^Hannoyed that when a new point of access to a device is born that it isn't done with utmost security in mind. We live in an age where the devices we own hold the keys to our lives, why aren't they as secure as they possibly can be short of not existing??

    3. Re:Hmm by jader3rd · · Score: 5, Insightful

      why aren't they as secure as they possibly can be short of not existing?

      Because first to market wins.

    4. Re:Hmm by socceroos · · Score: 5, Insightful

      That's what people said about RFID tags until people started skimming them at distances beyond a kilometre.

    5. Re:Hmm by Opportunist · · Score: 4, Insightful

      Because security does not sell. It's that simple.

      Go out there and ask 1000 random people what they are looking for in a cell. NONE of them will say security. Not even at any point in that whole list of things they might mention.

      Security is a non-issue for pretty much every phone user out there save a few "computer people" who know what you just said: Any channel, if not properly secured, can and will be abused to compromise the confidentiality of the device using it.

      Problem is, I guess for at least 80% of the phone users out there reading half of the last sentence is enough to make their eyes glaze over. Doesn't take pictures, doesn't play MP3s, doesn't let me tell everyone I'm on the can on Facebook, so why'd I need it?

      Making code secure costs money and is no selling point. Well, it sure as hell would be with me and most likely you, but for every you or me, there's a thousand Bobs out there who prefer shiny.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Hmm by chiguy · · Score: 3, Insightful

      Go out there and ask 1000 random people what they are looking for in a cell. NONE of them will say security.

      All true, security is not a selling point.

      But the reason people don't list it for cell phones is that security is assumed. Similar to if you asked me what I look for in a bank, security is not something I would list. I assume all banks offer adequate security. At least to the level required by law.

      What you're pointing out is the average user does not realize/understand how poor the security really is on their devices.

      --
      passetspike!
  2. Re:Out-of-band comm + PKE = enough security by vux984 · · Score: 4, Insightful

    Well, yes, that's all great...

    But the problem you need to solve is "paying for a burger with less effort than using a debit / credit card" while not being less secure.

    Your solution passes on being more secure, but fails dismally at being easier.