Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Wows Black Hat With NFC-based Smartphone Hacking Demo

Posted by samzenpus on from the unsafe-at-any-speed dept.

alphadogg writes "At the Black Hat Conference in Las Vegas Wednesday, Accuvant Labs researcher Charlie Miller showed how he figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by means of the Near Field Communication (NFC) capability in the smartphones. NFC is still new but it's starting to become adopted for use in smartphone-based purchasing in particular. The experimentation that Miller did, which he demonstrated at the event, showed it's possible to set up NFC-based radio communication to share content with the smartphones to play tricks, such as writing an exploit to crash phones and even in certain circumstances read files on the phone and more."

33 of 95 comments (clear)

  1. Hmm by masternerdguy · · Score: 3, Insightful

    Workaround: Blacklist the kernel module used for NFC?

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:Hmm by sexconker · · Score: 3, Insightful

      Solution: Don't buy a phones with NFC gimmickry, NFC gimmickry goes away.

    2. Re:Hmm by socceroos · · Score: 3, Interesting

      I cannot believe..........no wait....I cannot understand why these things aren't being made with security at the forefront. Surely anyone with half a brain realises that every point of communication with a phone is a potential point of exploitation. LOCK IT DOWN PEOPLE - FOR BLINKY'S SAKE, THIS HAS BEEN GOING ON TOO LONG.

    3. Re:Hmm by Emetophobe · · Score: 5, Informative

      You can disable NFC in the android settings.

      System Settings -> More... -> NFC (uncheck it).

    4. Re:Hmm by Eponymous+Hero · · Score: 2

      maybe NFC just needs something like a public key/private key handshake. the services you use would give you a public key (like banks, paypal, etc) so that hackers would have to have the institution's private key in order to break in. it could be made so that only insured/bonded institutions could offer NFC services that access vulnerable information. i'm probably overlooking something, but then it's time for that end of day coffee so i can wake up again. oh i know what it is. we can't even get ssl to work right, private keys will get stolen/forged. oh well.

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
    5. Re:Hmm by socceroos · · Score: 4, Insightful

      I'm under no illusion that a large code base is hard to secure, but I'm still baffled^H^H^H^H^H^H^Hannoyed that when a new point of access to a device is born that it isn't done with utmost security in mind. We live in an age where the devices we own hold the keys to our lives, why aren't they as secure as they possibly can be short of not existing??

    6. Re:Hmm by wierd_w · · Score: 2

      The problem is that this is intended for one-off purchases, like vending machines.

      TPI will make that considerably less convenient, unless the device was issued unique certificates.

      In which case, there would be a sudden market for stolen device certificates for credit fraud purposes, which would exploit the broken security flag implementation of the android marketplace. (The ad supported freemium content requires phonehome powers to serve you ads, and the frequently ask for phonebook and local storage as well. An application could yank the device cert store at the same time with those privs.)

    7. Re:Hmm by SpzToid · · Score: 3, Informative

      The Nokia N9 is mentioned, and the NFC settings required for this exploit are turned off by default. I first read this detail on arstechnica.com and then double-checked on my own device; it is true.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    8. Re:Hmm by jader3rd · · Score: 5, Insightful

      why aren't they as secure as they possibly can be short of not existing?

      Because first to market wins.

    9. Re:Hmm by SomePgmr · · Score: 4, Informative

      Well, that's an important bit of info I didn't see in the article.

      And I suppose it's worth reminding everyone that this is NFC. Your phone would have to be in near-contact with the exploiting hardware. Not impossible I suppose, given that skimming happens with traditional payment cards.

      I didn't understand the two word description of the problem with Android, so I looked up that Ars article you mentioned...

      The Nexus Sâ"when running the Gingerbread (2.3), by far the most dominant Android installationâ"contains multiple memory-corruption bugs. They allow Millerâ"using nothing more than a specially designed tagâ"to take control of the application "daemon" that controls NFC functions. With additional work, he said the tag could be modified to execute malicious code on the device. Some, but possibly not all of those bugs were fixed in the Ice Cream Sandwich (4.0) version of Android, so the attacks may also work against that release and Jelly Bean (4.1) as well.

      Ah. So upgrade your phone.

      http://arstechnica.com/security/2012/07/android-nokia-smartphone-hack/

    10. Re:Hmm by socceroos · · Score: 5, Insightful

      That's what people said about RFID tags until people started skimming them at distances beyond a kilometre.

    11. Re:Hmm by Opportunist · · Score: 4, Insightful

      Because security does not sell. It's that simple.

      Go out there and ask 1000 random people what they are looking for in a cell. NONE of them will say security. Not even at any point in that whole list of things they might mention.

      Security is a non-issue for pretty much every phone user out there save a few "computer people" who know what you just said: Any channel, if not properly secured, can and will be abused to compromise the confidentiality of the device using it.

      Problem is, I guess for at least 80% of the phone users out there reading half of the last sentence is enough to make their eyes glaze over. Doesn't take pictures, doesn't play MP3s, doesn't let me tell everyone I'm on the can on Facebook, so why'd I need it?

      Making code secure costs money and is no selling point. Well, it sure as hell would be with me and most likely you, but for every you or me, there's a thousand Bobs out there who prefer shiny.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:Hmm by Opportunist · · Score: 4, Funny

      Damn, you beat me to it and cashed in the insightful mods.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:Hmm by Opportunist · · Score: 2

      The more interesting question is why do I have to turn it off if I don't want it and not turn it on if I want it?

      Why does every maker of Smartphones think I want all their new, and usually quite battery draining, bells and whistles? I dunno, I might be old fashioned, but a phone that can make phone calls is a good start for me. Put the rest in the manual and gimme a hint that it is there, and if I am interested I'll try it out and turn it on when I find the time to do that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    14. Re:Hmm by Opportunist · · Score: 2

      Getting close to a cell is trivial. Take for example every place where people have to sit close together like theaters or lecture halls. Hey, how about conferences, just go into one of the panels, sit down and presto.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:Hmm by admdrew · · Score: 2

      Very cool demo/exploit, but:
      http://www.androidcentral.com/android-nfc-hack-cool-not-new-or-dangerous

      - majority of phones running exploitable version of Android don't support NFC
      - majority of phones supporting NFC have patched version of Android
      - future phones supporting NFC will all have patched version of Android

      --
      LegendMUD
    16. Re:Hmm by sjames · · Score: 3, Funny

      Even better, all we need to do is come up with a way to use NFC to share music and movies. Then the *AA won't rest until it's dead.

    17. Re:Hmm by chiguy · · Score: 3, Insightful

      Go out there and ask 1000 random people what they are looking for in a cell. NONE of them will say security.

      All true, security is not a selling point.

      But the reason people don't list it for cell phones is that security is assumed. Similar to if you asked me what I look for in a bank, security is not something I would list. I assume all banks offer adequate security. At least to the level required by law.

      What you're pointing out is the average user does not realize/understand how poor the security really is on their devices.

      --
      passetspike!
    18. Re:Hmm by sjames · · Score: 3, Informative

      Have a look here(PDF doc).

      I know it has been demonstrated at 217 feet (well short of a kilometer but well more than the industry claimed) with a U.S. passport, but the paper above indicates 2 miles is theoretically possible.

    19. Re:Hmm by fatphil · · Score: 2

      Let me introduce you to the concept of a "switch" with settings we like to call "on" and "off". With said feature, you can have the NFC functionality enabled (or "on") when you specifically want it, and disabled ("off") the rest of the time. And the N9 has that.

      If you want to connect to any wireless network you're not in control of, then you are just as vulnerable from most facets of this attack as you are from using NFC. More so, as with NFC you actually have to be physically close to Malory.

      --
      Also FatPhil on SoylentNews, id 863
    20. Re:Hmm by fatphil · · Score: 2

      The Forbes and arstechnica write-ups are worth a read, and it appears that the bluetooth "off" switch is the problem. It's just plain ignored. You turn it off, NFC turns it back on without asking you. Braindead.

      Then again, Nokia's maemo devices have a long history of ignoring user preferences or choices because of braindead diktats made by people who were incapable of thinking through the consequences of their demands. (Yes, I'm ex-Nokia, and could write a book full of the horror-stories I've seen.)

      --
      Also FatPhil on SoylentNews, id 863
  2. eavesdropping by Anonymous Coward · · Score: 2, Interesting

    Ironic. The technical tools to solve all these problems exist, but if they were used properly, even the gov't. couldn't break in.

    So which do you want? An inherently weak system that allows civil monitoring, or something so secure it'd be as anonymous as cash. After all, this is *cash* we are talking about replacing here.

    The gov't. has a "thing" about encrypting wireless communications ...

  3. Re:Fuzzing by Keith111 · · Score: 2

    Very easy, actually. The focus of a huge portion of my work is dedicated to writing or improving fuzz technology for security testing. I could write a basic fuzzer for almost anything in 20 minutes...

  4. It's a simple rule, really... by gstrickler · · Score: 2

    Another network or communications port = another attack vector.

    The question is why to vendors think they need to keep adding new communication methods faster than they can test and debug those ports?

    --
    make imaginary.friends COUNT=100 VISIBLE=false
  5. Out-of-band comm + PKE = enough security by davidwr · · Score: 5, Interesting

    One, both sides of the conversation should know "something" about who they are talking to before engaging or continuing a transaction.

    "Enough" may be nothing more than making sure a man-in-the-middle hasn't taken over the conversation.

    Second, any conversation has to begin at a minimum trust level - basically "I don't trust you, you don't trust me, here's my name-of-the-day, what should I call you today?" level.

    Some people have suggested public key cryptography. While this is cool, it may be simpler to use "out of band" communication to verify identities. Since phones have cameras and screens, these can provide the necessary out of band communications.

    Scenario:

    Say I'm at the Burger Bar and I want to buy something using my phone. My phone doesn't trust the radio signal pretending to be Burger Bar's, and Burger Bar doesn't trust that my phone isn't someone else's phone nearby.

    So I use my phone to take a picture of a display at the Burger Bar order counter. This picture has a QR code for Burger Bar's public key or web site that has the public key, as well as a second, changing QR code that is my transaction ID plus some randomness. I encrypt all of this plus my made-up-on-the-spot public key plus a made-up QR code using Burger Bar's public key. I display this QR code on my phone and put it in range of the small camera at the register. Burger Bar's computer checks the QR code against what I just transmitted to verify it's my phone it's talking to.

    Now we can talk to each other securely and, thanks to the ordinary security cameras that show me holding my phone close to the order counter, in a difficult-to-repudiate way.

    I didn't have to give Burger Bar my phone's serial number. I didn't have to give it any identification beyond what our banks need to transact business, just as if I were using a traditional credit card or debit card payment. If we are using bit-coin or something similar, I didn't even have to give them that much - true anonymity.

    Now I go enjoy my meal. Oh wait, this is Burger Bar we are talking about. Now I go ingest my mass quantities.

    Burger Bar really doesn't have to use its own public key. Like me, it can make up one for this transaction. It's the taking-a-picture of the public key and transaction code that make this secure against a radio-only intercept. If there is a risk that the transaction code picture or my phone's on-screen QR code will be intercepted, it's easy enough to let the two devices look at each other in a way that's very difficult to "peek into."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Out-of-band comm + PKE = enough security by vux984 · · Score: 4, Insightful

      Well, yes, that's all great...

      But the problem you need to solve is "paying for a burger with less effort than using a debit / credit card" while not being less secure.

      Your solution passes on being more secure, but fails dismally at being easier.

  6. My quick tests with NFC by witherstaff · · Score: 3, Informative

    I've played with distances using a few different smart cards, a USB NFC reader, and a nexus S. I couldn't get a smartcard to read through the front of the phone or the side. I could get a USB NFC reader to detect if smartphone was placed face down. From the back it is about 3 inches with a USB reader, 1-2 inches with a smartcard.

    NFC is also a battery hog. I don't see having it running all the time.

  7. Re:Fact? Who needs em. by iluvcapra · · Score: 5, Informative

    Here are some videos. He represents the phones as unmodified, though running an old version.

    The distance isn't so much of an issue because he was able to use an NFC tag, not a transmitter, not an active device of any kind, but a mere tag to cause the phone to switch on its bluetooth radio and give him a sudoer's command line over the BT radio. An attacker could hide an NFC tag in a table or at waist level in a public place, or in a tag that's disguised to be legitimate, where people are liable to stand for more than 10 seconds: the tag cracks the phone open, and then someone with a laptop within BT distance conducts a brief session to grab what they can, or install a rootkit.

    --
    Don't blame me, I voted for Baltar.
  8. NFC is too Functional by Jah-Wren+Ryel · · Score: 5, Interesting

    I've long thought that NFC was a disaster waiting to happen - or really a never-ending series of disasters, just as each one is patched-over a new one will appear.

    The problem is that NFC's functionallity is all out of proportion to the problem it is intended to solve. It's kind of like adding a video display when all you need is an LED indicator light. NFC is supposed to handle short and fast communications between devices that are in very close proximity. Stuff like exchanging v-cards, electronic payments at the register, kickstarting ad-hoc wifi connections, etc.

    None of that stuff requires radio communications and even though NFC is designed for broadcast ranges of a couple of centimeters, that never stops the bad guy from using high-powered transmitters and ultra-sensitive antennas to do their dirty work from a more comfortable and non-obvious location.

    I believe that almost everything that NFC is likely to ever be useful for could also be done with no extra hardware. Just use the camera already built into every smart-phone to take a picture of a 2d-barcode displayed by the other device. That gets you physical access controls limited by line of site and a window of opportunity limited to the second or so that the user explicitly presses the camera button.

    --
    When information is power, privacy is freedom.
  9. NFC for authentication by jbeaupre · · Score: 3, Interesting

    The discussion about single point login got me thinking. Rather than having some server out there become a single point of failure, how about a device you carry with you that stores the multitude of logins and passwords? Smart phones seem capable of just that.

    Has anyone come across using NFC on a phone as a login/password authentication method? Store all of your login and passwords on the phone. Then when prompted for login info (website, laptop login, etc), you use your phone.

    Yeah, a whole new security nightmare. But the idea still appeals to me.

    --
    The world is made by those who show up for the job.
  10. Re:Fact? Who needs em. by wierd_w · · Score: 3, Informative

    The near field is within the first 1.5 wavelengths of the frequency used. It has certain special properties related to it having a higher (proportionally) density of virtual photons entangled with the source antenna than does the far field.

    (A connection on the near field will actively change the resistance and resonance characteristics of the signalling antenna, where a far field connection will not.)

    Giving a set distance is moot. Saying it is near field is accurate, and sufficient. The distance in which NFC is possible is inseperable from the chosen comm frequency. A very short wavelength frequency will have a very tiny near field. A long wavelength frequency will have a very large near field.

    Cellular devices in the ghz band will have only a few millimeters around the antenna as the NFC reception range.

    The deal that I would consider to be the threat, is that you can't have a near field without a far field. The far field will also have broadcasted data encoded into it, and will travel much further. It could well be intercepted.

  11. Re:Is it that hard to buy a phone w/ NFC default=o by 93+Escort+Wagon · · Score: 2

    Regardless of what the default NFC state is, we've been hearing NFC is the nifty next thing for these phones. Google made a huge deal about it at Google IO.

    Stating that NFC is secure because you can turn it off is analogous to claiming SSH1 is secure because it can be turned off. It's not secure; you're just ameliorating the problem - not to mention losing the desired functionality.

    Besides, what are all the people who bought those Nexus Q's supposed to do now?

    --
    #DeleteChrome
  12. Overrated... by Anonymous Coward · · Score: 2, Insightful

    Unfortunately, like most web sites, slashdot brings this article way too sensational, omitting most of the facts that make this a lot less impressive and worrisome.

    First, at least on Android devices, NFC is only enabled when the screen is on and unlocked. That means that nobody can just walk by you and communicate to your device over NFC. You need to be already working with your phone.

    Second, there is the range. NFC typically only works one or two inches away, and the two devices interacting need to be aligned properly as well. Somebody literally needs to put a phone back to yours to make this work. Of course, range could be expanded a bit with some seriously large gear, but it is still extremely difficult to align to such a small antenna from a distance. And remember, your phone's screen needs to be and unlocked. You'll notice when someone comes that close to you or your phone.

    Third, you can't just pull data from an Android device over NFC. You need to confirm that you want to push data. What Charlie did was to push a web link over NFC to a remote device. Because there was a bug in webkit on the remote device (only on 4.0.1), this allowed him to execute code. If he had entered the URL manually, or scanned a QR code, the same would have happened. It's true that Android does not ask for confirmation when *receiving* data over NFC. That said, most users would click *yes* anyway on such confirmations. And there are more effective ways to exploit webkit bugs (sending mass e-mails, just putting a link to the malicious URL on a popular website).