Researcher Wows Black Hat With NFC-based Smartphone Hacking Demo

alphadogg writes "At the Black Hat Conference in Las Vegas Wednesday, Accuvant Labs researcher Charlie Miller showed how he figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by means of the Near Field Communication (NFC) capability in the smartphones. NFC is still new but it's starting to become adopted for use in smartphone-based purchasing in particular. The experimentation that Miller did, which he demonstrated at the event, showed it's possible to set up NFC-based radio communication to share content with the smartphones to play tricks, such as writing an exploit to crash phones and even in certain circumstances read files on the phone and more."

  1. Re:Hmm by Emetophobe · Score: 5, Informative

    You can disable NFC in the android settings.

    System Settings -> More... -> NFC (uncheck it).

  2. Re:Hmm by socceroos · Score: 4, Insightful

    I'm under no illusion that a large code base is hard to secure, but I'm still baffled^H^H^H^H^H^H^Hannoyed that when a new point of access to a device is born it isn't done with the utmost security in mind. We live in an age where the devices we own hold the keys to our lives; why aren't they as secure as they possibly can be, short of not existing??

  3. Re:Hmm by jader3rd · Score: 5, Insightful

    why aren't they as secure as they possibly can be short of not existing?

    Because first to market wins.

  4. Out-of-band comm + PKE = enough security by davidwr · Score: 5, Interesting

    One, both sides of the conversation should know "something" about who they are talking to before engaging or continuing a transaction.

    "Enough" may be nothing more than making sure a man-in-the-middle hasn't taken over the conversation.

    Second, any conversation has to begin at a minimum trust level - basically "I don't trust you, you don't trust me, here's my name-of-the-day, what should I call you today?" level.

    Some people have suggested public key cryptography. While this is cool, it may be simpler to use "out of band" communication to verify identities. Since phones have cameras and screens, these can provide the necessary out of band communications.

    Scenario:

    Say I'm at the Burger Bar and I want to buy something using my phone. My phone doesn't trust the radio signal pretending to be Burger Bar's, and Burger Bar doesn't trust that my phone isn't someone else's phone nearby.

    So I use my phone to take a picture of a display at the Burger Bar order counter. This picture has a QR code for Burger Bar's public key or web site that has the public key, as well as a second, changing QR code that is my transaction ID plus some randomness. I encrypt all of this plus my made-up-on-the-spot public key plus a made-up QR code using Burger Bar's public key. I display this QR code on my phone and put it in range of the small camera at the register. Burger Bar's computer checks the QR code against what I just transmitted to verify it's my phone it's talking to.

    Now we can talk to each other securely and, thanks to the ordinary security cameras that show me holding my phone close to the order counter, in a difficult-to-repudiate way.

    I didn't have to give Burger Bar my phone's serial number. I didn't have to give it any identification beyond what our banks need to transact business, just as if I were using a traditional credit card or debit card payment. If we are using Bitcoin or something similar, I didn't even have to give them that much - true anonymity.

    Now I go enjoy my meal. Oh wait, this is Burger Bar we are talking about. Now I go ingest my mass quantities.

    Burger Bar really doesn't have to use its own public key. Like me, it can make up one for this transaction. It's the taking-a-picture of the public key and transaction code that makes this secure against a radio-only intercept. If there is a risk that the transaction code picture or my phone's on-screen QR code will be intercepted, it's easy enough to let the two devices look at each other in a way that's very difficult to "peek into."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
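The pairing davidwr sketches above, as an added example in Go that is not part of this thread: X25519 key agreement plus AES-GCM stand in for his public-key encryption, the transaction id and randomness photographed from the counter's display are bound into the phone's radio reply as associated data, and the code on the phone's screen is what the register's camera must match before it trusts the radio peer. Struct and function names, the SHA-256 key derivation and the 16-byte code lengths are my assumptions; QR encoding and the camera itself are left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// CounterQR: what the counter's display shows (per-transaction X25519 key, transaction id, fresh randomness).
type CounterQR struct{ Pub []byte; TxID string; Nonce [16]byte }
// RadioMsg: what the phone sends by radio (its ephemeral key; AES-GCM box iv||ct of its screen code, with the counter's TxID||Nonce as associated data).
type RadioMsg struct{ PhonePub []byte; Sealed []byte }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func bind(qr CounterQR) []byte { return append([]byte(qr.TxID), qr.Nonce[:]...) }
func aead(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil { return nil, err }
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	k := sha256.Sum256(shared); block, _ := aes.NewCipher(k[:]) // SHA-256 as KDF is my assumption; 32-byte key cannot fail
	return cipher.NewGCM(block) // 12-byte nonce
}
// NewCounterQR: the counter makes up a key for this transaction only, as the post suggests.
func NewCounterQR(txID string) (*ecdh.PrivateKey, CounterQR) {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	qr := CounterQR{Pub: priv.PublicKey().Bytes(), TxID: txID}
	rand.Read(qr.Nonce[:])
	return priv, qr
}
// PhoneRespond: the phone has photographed qr; returns its radio message and the code it shows on its screen.
func PhoneRespond(qr CounterQR) (RadioMsg, []byte, error) {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	g, err := aead(priv, qr.Pub)
	if err != nil { return RadioMsg{}, nil, err }
	screen, iv := randBytes(16), randBytes(12)
	return RadioMsg{priv.PublicKey().Bytes(), g.Seal(iv, iv, screen, bind(qr))}, screen, nil
}
// CounterVerify opens the radio message under the QR it displayed and compares the code inside with what the register's camera sees on the phone (seen).
func CounterVerify(priv *ecdh.PrivateKey, qr CounterQR, msg RadioMsg, seen []byte) error {
	g, err := aead(priv, msg.PhonePub)
	if err != nil { return err }
	if len(msg.Sealed) < 12 { return errors.New("short message") }
	plain, err := g.Open(nil, msg.Sealed[:12], msg.Sealed[12:], bind(qr))
	if err != nil { return errors.New("tampered, wrong key, or sender never saw this counter's QR") }
	if !bytes.Equal(plain, seen) { return errors.New("radio peer is not the phone held at the register") }
	return nil
}
```

A party that only hears the radio fails twice: it cannot produce a box bound to the display it never photographed, and whatever it sends, the register's camera sees a different phone.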
    1. Re:Out-of-band comm + PKE = enough security by vux984 · Score: 4, Insightful

      Well, yes, that's all great...

      But the problem you need to solve is "paying for a burger with less effort than using a debit / credit card" while not being less secure.

      Your solution passes on being more secure, but fails dismally at being easier.

  5. Re:Fact? Who needs em. by iluvcapra · Score: 5, Informative

    Here are some videos. He represents the phones as unmodified, though running an old version.

    The distance isn't so much of an issue because he was able to use an NFC tag, not a transmitter, not an active device of any kind, but a mere tag to cause the phone to switch on its bluetooth radio and give him a sudoer's command line over the BT radio. An attacker could hide an NFC tag in a table or at waist level in a public place, or in a tag that's disguised to be legitimate, where people are liable to stand for more than 10 seconds: the tag cracks the phone open, and then someone with a laptop within BT distance conducts a brief session to grab what they can, or install a rootkit.

    --
    Don't blame me, I voted for Baltar.

  6. NFC is too Functional by Jah-Wren Ryel · Score: 5, Interesting

    I've long thought that NFC was a disaster waiting to happen - or really a never-ending series of disasters, just as each one is patched-over a new one will appear.

    The problem is that NFC's functionality is all out of proportion to the problem it is intended to solve. It's kind of like adding a video display when all you need is an LED indicator light. NFC is supposed to handle short and fast communications between devices that are in very close proximity. Stuff like exchanging v-cards, electronic payments at the register, kickstarting ad-hoc wifi connections, etc.

    None of that stuff requires radio communications and even though NFC is designed for broadcast ranges of a couple of centimeters, that never stops the bad guy from using high-powered transmitters and ultra-sensitive antennas to do their dirty work from a more comfortable and non-obvious location.

    I believe that almost everything that NFC is likely to ever be useful for could also be done with no extra hardware. Just use the camera already built into every smart-phone to take a picture of a 2d-barcode displayed by the other device. That gets you physical access controls limited by line of sight and a window of opportunity limited to the second or so that the user explicitly presses the camera button.

    --
    When information is power, privacy is freedom.

  7. Re:Hmm by SomePgmr · Score: 4, Informative

    Well, that's an important bit of info I didn't see in the article.

    And I suppose it's worth reminding everyone that this is NFC. Your phone would have to be in near-contact with the exploiting hardware. Not impossible I suppose, given that skimming happens with traditional payment cards.

    I didn't understand the two word description of the problem with Android, so I looked up that Ars article you mentioned...

    The Nexus S—when running the Gingerbread (2.3), by far the most dominant Android installation—contains multiple memory-corruption bugs. They allow Miller—using nothing more than a specially designed tag—to take control of the application "daemon" that controls NFC functions. With additional work, he said the tag could be modified to execute malicious code on the device. Some, but possibly not all of those bugs were fixed in the Ice Cream Sandwich (4.0) version of Android, so the attacks may also work against that release and Jelly Bean (4.1) as well.

    Ah. So upgrade your phone.

    http://arstechnica.com/security/2012/07/android-nokia-smartphone-hack/

  8. Re:Hmm by socceroos · Score: 5, Insightful

    That's what people said about RFID tags until people started skimming them at distances beyond a kilometre.

  9. Re:Hmm by Opportunist · Score: 4, Insightful

    Because security does not sell. It's that simple.

    Go out there and ask 1000 random people what they are looking for in a cell. NONE of them will say security. Not even at any point in that whole list of things they might mention.

    Security is a non-issue for pretty much every phone user out there save a few "computer people" who know what you just said: Any channel, if not properly secured, can and will be abused to compromise the confidentiality of the device using it.

    Problem is, I guess for at least 80% of the phone users out there reading half of the last sentence is enough to make their eyes glaze over. Doesn't take pictures, doesn't play MP3s, doesn't let me tell everyone I'm on the can on Facebook, so why'd I need it?

    Making code secure costs money and is no selling point. Well, it sure as hell would be with me and most likely you, but for every you or me, there's a thousand Bobs out there who prefer shiny.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  10. Re:Hmm by Opportunist · Score: 4, Funny

    Damn, you beat me to it and cashed in the insightful mods.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.