Slashdot Mirror


Android Hacked Via NFC On the Samsung Galaxy S 3

An anonymous reader writes with an item from The Next Web: "Security researchers participating in the Mobile Pwn2Own contest at the EuSecWest Conference in Amsterdam [Wednesday] demonstrated how to hack Android through a Near Field Communication (NFC) vulnerability. The 0day exploit was developed by four MWR Labs employees (two in South Africa and two in the UK) for a Samsung Galaxy S 3 phone running Android 4.0.4 (Ice Cream Sandwich). Two separate security holes were leveraged to completely take over the device, and download all the data from it."

198 comments

  1. So am I safe? by Anonymous Coward · · Score: 5, Funny

    This was hacked via NFC. But I live in Pittsburgh, and the Steelers are in the AFC.

    So I can assume I am safe?

    1. Re:So am I safe? by Deekin_Scalesinger · · Score: 0, Offtopic

      You are safe from winning the Super Bowl this year, yes. Go Eagles!

      --
      "As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
    2. Re:So am I safe? by Anonymous Coward · · Score: 0

      I'm guessing this is a result of the shitty replacement refs..so until the real refs are back noone is safe!

    3. Re:So am I safe? by davester666 · · Score: 5, Funny

      No. Your defense is weak.

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:So am I safe? by nighthawk243 · · Score: 1

      Pittsburgh's going to win the Superb Owl since they'll just hack the phones of the NFC team and disable their alarm clock. Can't lose a game if the other team doesn't show up.

    5. Re:So am I safe? by Anonymous Coward · · Score: 0

      Why on earth? There is already an article for Steelers.

    6. Re:So am I safe? by Noone+Thirty · · Score: 1

      so until the real refs are back noone is safe!

      Maybe so, but I'm still not taking any chances.

    7. Re:So am I safe? by bkcallahan · · Score: 1

      Go stillers!

  2. And... iOS6 by jkflying · · Score: 5, Informative

    At the same event, they also hacked iOS6. Just to give an unbiased view...

    --
    Help I am stuck in a signature factory!
    1. Re:And... iOS6 by Anonymous Coward · · Score: 5, Funny

      You must be new here.

    2. Re:And... iOS6 by jkflying · · Score: 4, Informative

      Read the link:
      http://thenextweb.com/apple/2012/09/19/dutch-security-researchers-hack-apple-iphone-4s-exploiting-safari/

      They did it via a malicious webpage, which IMO is even worse than via NFC.

      --
      Help I am stuck in a signature factory!
    3. Re:And... iOS6 by jkflying · · Score: 4, Insightful

      They did it via a malicious webpage. I said hack, not jailbreak.

      --
      Help I am stuck in a signature factory!
    4. Re:And... iOS6 by Anonymous Coward · · Score: 0

      iOS safari hacks aren't really news though.. you'd think they would close them after 6 os generations but noooo....

    5. Re:And... iOS6 by grub · · Score: 1

      Yeah, I was trying to reply to myself with that but there's a several minute delay between posts. :(

      --
      Trolling is a art,
    6. Re:And... iOS6 by Anonymous Coward · · Score: 0

      By what means? I don't doubt it was done, but the details would be interesting.

    7. Re:And... iOS6 by dimeglio · · Score: 1

      But it's certainly not using passive NFC.

      --
      Views expressed do not necessarily reflect those of the author.
    8. Re:And... iOS6 by Anonymous Coward · · Score: 0

      And the most prolific phone hackers are going to be the cops, who probably have keys to any phone at all.

    9. Re:And... iOS6 by TeRanEX · · Score: 5, Funny

      At the same event, they also hacked iOS6. Just to give an unbiased view...

      So apple can now sue Samsung because they copied the 'security issues'-feature from the iphone into the Galaxy?

    10. Re:And... iOS6 by Anonymous Coward · · Score: 0

      So, if I don't ride the bus, I'm safe?

    11. Re:And... iOS6 by Graham+J+-+XVI · · Score: 2

      They both have web exploits but the Android variety can be triggered simply by being nearby an attacker. The iOS one needs a tricked user.

    12. Re:And... iOS6 by LordLimecat · · Score: 2

      To give the unbiased view, a hack via website is bad, but one via NFC seems a lot worse (although one hopes you would be suspicious when a stranger starts holding your android up to his; it's not exactly "stealthy").

    13. Re:And... iOS6 by UnknowingFool · · Score: 4, Informative

      Also for unbiased view, Pwn2Own is turn based as far as I remember. So any gloating that X device was first to be pwned is meaningless. Teams register before the contest. Team order is chosen randomly (drawing straws, 12 sided dice, whatever). The first team decides which device to be hacked and is given a time period to do so. If they succeed, they get the device. If the first team fails, the second team gets their chance and choice of device. If the first team succeeds, the next team with an unhacked device goes. Some teams register for multiple devices to get a better chance to win something.

      So gloating that iOS or Android was first to be pwned is useless. It doesn't tell anything about ease of hack or relative security of devices. What matters is if they were pwned.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    14. Re:And... iOS6 by emho24 · · Score: 1

      It seems like you have never used NFC on Android devices. On my Android tablet and smartphone, you have to physically press them together and make sure you hit the "sweet spot". It doesn't work when the devices are inches apart.

      --
      You must gather your party before venturing forth.
    15. Re:And... iOS6 by Anonymous Coward · · Score: 2, Interesting

      Worse? People visit a dozen websites every day, but how often do they bump phones with somebody else?

      More than that, to prevent NFC hack you just have to flip it off, but to prevent hack via rogue ad iframe... well, if it was Android, you could just block the ads, for example, even with hosts file, or use a different browser, but on iOS you're SoL.

      Good thing for Apple this is before iOS6 release, not right after.

    16. Re:And... iOS6 by Zizagoo · · Score: 1

      You have to tether your iOS 6 device to hack it. With this Galaxy 3 NFC hack, a stranger could do it sitting next to you on the bus.

      ...with your phone unlocked, and your volume muted, and they'd have to touch the exact spot in the middle of that giant phone without being noticed...

    17. Re:And... iOS6 by sarysa · · Score: 1

      I for one keep my device close, and only leave my phone lying under my car's seat or at home. (For extended periods of time) It doesn't take a security researcher to get my data if they could get close enough for NFC. NFC's real working range is less than 2 centimeters. (You might get lucky beyond 2, but you see what I mean) TFA states that the exploit can also be delivered with more conventional means, so I see no purpose for this article except to cause a panic about NFC. Pretty shameful. And people wonder why Android users claim the media is in Apple's pocket.

      --
      Charisma is the measure of someone's ability to lie with a straight face.
    18. Re:And... iOS6 by h4rr4r · · Score: 2

      2 centimeters is pretty darn close. How close do you stand to people?

    19. Re:And... iOS6 by Graham+J+-+XVI · · Score: 2

      The idea being that it's ok to have an insecure wireless interface on your smartphone as long as you don't have to be *too* close to it for it to work?

      NFC stations are not usually on other people, they're in stores and random other places that entice you to use it. A hacked or augmented genuine NFC reader could be made to steal your data, for example.

    20. Re:And... iOS6 by SuperKendall · · Score: 1

      Worse? People visit a dozen websites every day,

      Not ones I don't know well...

      How often do they bump phones with somebody else?

      Presumably only when you are outside Apple store lines mocking Apple users? That judging from the short historical documentary I watched. That's just the time an Apple fan might strike with a bump attack though.

      to prevent hack via rogue ad iframe...

      You have to wait a week or so for the next update, which 90% of the users will get.

      Good thing for Apple this is before iOS6 release, not right after.

      Nope. iOS6 is out. But it doesn't mean they can't do a quick update, in fact they usually do.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    21. Re:And... iOS6 by Anonymous Coward · · Score: 0

      Worse? People visit a dozen websites every day,

      Not ones I don't know well...

      Bullshit you piece of shit shill. People search for shit constantly on their phone and end up on fuck-all-who-know.com to find stuff. Your apologizing is fail.

    22. Re:And... iOS6 by hobarrera · · Score: 3, Insightful

      Ever been on the subway or a bus? It's around 0cm in either of those during some hours of the day.

    23. Re:And... iOS6 by h4rr4r · · Score: 1

      I did not say that, I only meant the attack vector is pretty small.

      Scanning/running random code in public is as dumb as running an exe you get in an email.

      My phone has NFC, that shit is turned off.

    24. Re:And... iOS6 by rjr162 · · Score: 2

      You didn't read the article did you?

      "The security researchers used a malicious webpage to send the iPhone 4S’ address book, browsing history, photos, and videos to a server of their choice. It was a drive-by download attack, meaning the user just has to go to the website, but doesn’t have to click (err, tap) on anything to have their data stolen. Furthermore, the site does not crash the browser, so the user is oblivious to losing their data."

      Yeah, that sounds just like jailbreaking doesn't it?

    25. Re:And... iOS6 by Graham+J+-+XVI · · Score: 2

      It is indeed. The difference is your average Joe is fairly likely to know now that he shouldn't click on a link from an unknown address, or his email AV will have sanitized it first. Even if he keeps NFC turned off most of the time (which is not the default) he'll still have to turn it on to, for example, pay for something, and I think that's when it will be most dangerous.

    26. Re:And... iOS6 by rjr162 · · Score: 1

      Again, another person who can't read :)

      "The security researchers used a malicious webpage to send the iPhone 4S’ address book, browsing history, photos, and videos to a server of their choice. It was a drive-by download attack, meaning the user just has to go to the website, but doesn’t have to click (err, tap) on anything to have their data stolen. Furthermore, the site does not crash the browser, so the user is oblivious to losing their data."

      Yup, really sounds like it's tethered to me. You folks are getting "jailbreak" and "hacked" completely mixed up somehow....

    27. Re:And... iOS6 by organgtool · · Score: 0

      How close do you stand to people?

      It depends on how pretty she is. If she's really pretty, I like to stand directly behind her, almost touching her. It's not creepy, though, because I make sure she knows I'm there by breathing heavily. Then I usually whisper a compliment into her ear, like how her hair reminds me of my momma's wig. So yeah, I'm definitely worried about pretty ladies stealing my credentials over NFC.

    28. Re:And... iOS6 by Anonymous Coward · · Score: 0

      "Not ones I don't know well..."

      The well known sites are the ones that do the most damage, though if you use adblock you are a bit better protected.

    29. Re:And... iOS6 by von_rick · · Score: 1

      If you are standing that close and are being creepy, NFC hack is less of a concern. Getting kicked in the balls is the bigger concern.

      --

      Face your daemons!

    30. Re:And... iOS6 by 93+Escort+Wagon · · Score: 1

      2 centimeters is pretty darn close. How close do you stand to people?

      Just offer a public charging station for the phones - lots of people will willingly set their phone within the requisite distance for NFC, no questions asked - even at DefCon or BlackHat, where they should know better.

      Also, there have been eavesdropping attacks demonstrated that work at a distance of several meters.

      --
      #DeleteChrome
    31. Re:And... iOS6 by 93+Escort+Wagon · · Score: 2

      Samsung will defend themselves by claiming their vulnerability is an inferior implementation compared to iOS's.

      --
      #DeleteChrome
    32. Re:And... iOS6 by thetoadwarrior · · Score: 1

      iOS6 being hacked doesn't change that NFC is a busted technology.

    33. Re:And... iOS6 by SternisheFan · · Score: 1

      At the same event, they also hacked iOS6. Just to give an unbiased view...

      ...and CNET has more details... http://m.cnet.com/news/iphone-4s-samsung-galaxy-s3-hacked-in-contest/57516966

    34. Re:And... iOS6 by Anonymous Coward · · Score: 0

      That was reported yesterday - you must be a Slashdot editor.

      Anyway, I think the point of this article is that it was via NFC so it would have been necessary to add that to the iPhone before trying to exploit it, oh fuck it, I'm bored with this already, in short; you're a bell-end, get over it.

    35. Re:And... iOS6 by Anonymous Coward · · Score: 0

      Worse? People visit a dozen websites every day,

      Not ones I don't know well...

      That has got to be the ultimate apologist response...you know what? All the IE security flaws are fine because I don't visit websites I don't know well!

      How often do they bump phones with somebody else?

      Presumably only when you are outside Apple store lines mocking Apple users? That judging from the short historical documentary I watched. That's just the time an Apple fan might strike with a bump attack though.

      I have an iphone, idiot. And the question still stands.

      You have to wait a week or so for the next update, which 90% of the users will get.

      And in the meantime, where on other platforms (except WP) you could just use another browser, you are stuck. FWIW Apple took weeks to patch that jailbreakme exploit, as an apologist I'm sure you'll direct people to Android updates but doesn't help anyone, if we could use alternative browsers (not just other UIs that use the Apple built-in version of webkit) that would be helpful.

    36. Re:And... iOS6 by exomondo · · Score: 1

      Worse? People visit a dozen websites every day,

      Not ones I don't know well...

      An Android user could respond in the same way to make the android marketplace malware argument non sequitur. Dismissing a browser flaw on the basis that you don't visit malicious sites is obviously pretty silly.

    37. Re:And... iOS6 by mjwx · · Score: 1

      To give the unbiased view, a hack via website is bad, but one via NFC seems a lot worse (although one hopes you would be suspicious when a stranger starts holding your android up to his; it's not exactly "stealthy").

      To give a perspective from security, a hack via a web browser is worse because it's not proximity dependent and can't be switched off. An attack via NFC requires your attacker to be physically close and NFC can be turned off.

      What isn't clear from the article is if this is a vulnerability in Android or in the S-Beam application used for NFC file transfers on the SGS3. But the article stated the attack is initiated by uploading a malicious file, so there are three really huge hurdles to this attack.

      1. You have to be in NFC range. Depending on the hardware, this could be between a few centimetres to several metres (I think the max radius of NFC is about 5 metres but under real world conditions it's measured in millimetres).
      2. You have to have NFC switched on.
      3. You have to accept a malicious file.

      The simple workaround is switching off NFC in the settings menu. I've got a GNex and not an SGS3 so I've never used S-Beam so I can't say if you can deny access to anyone trying to upload a file.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    38. Re:And... iOS6 by Anonymous Coward · · Score: 0

      In a crowded subway/train/bus/tram/etc you'd be pretty close.

    39. Re:And... iOS6 by mjwx · · Score: 1

      So gloating that iOS or Android was first to be pwned is useless. It doesn't tell anything about ease of hack or relative security of devices. What matters is if they were pwned.

      What matters is how easily and how quickly (in terms of "go to pwned") they were pwned.

      A web browser vulnerability concerns me more than a NFC vulnerability where an attacker has to upload a malicious file. A web browser vulnerability can get you anywhere, you just have to navigate to a site with the malicious code. With the NFC vulnerability, you have to have your phone centimetres from mine.

      From the article about the IOS vulnerability

      The security researchers used a malicious webpage to send the iPhone 4S’ address book, browsing history, photos, and videos to a server of their choice. It was a drive-by download attack, meaning the user just has to go to the website,

      So if my favourite site, IOS.foo.com gets hacked and the malicious code is implanted, it's quite likely I'd get compromised.

      What people forget is that in the real world it is very, very easy to direct people to malicious sites and very, very hard to stay within centimetres of people without being noticed.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    40. Re:And... iOS6 by dudpixel · · Score: 1

      They both have web exploits but the Android variety can be triggered simply by being nearby an attacker. The iOS one needs a tricked user.

      NFC also needs to be turned on for the exploit to work. Android users therefore have a workaround (turn NFC off if/when not needed) that doesn't involve not surfing the web.

      --
      This seemed like a reasonable sig at the time.
    41. Re:And... iOS6 by Paradise+Pete · · Score: 1

      It's not specifically an NFC vulnerability. They just used NFC for, I presume, dramatic purposes. It could have been done with an email or a webpage. It's also a much more severe vulnerability. They achieved complete control of the device, including the ability to make phone calls. "What are all these 1-900 numbers, honey? And why is our phone bill $6,000?"

      Finally, Apple actually updates the OS on existing devices, so theirs will likely be fixed in short order. Does Samsung ever update its Android devices? (I really don't know the answer to that. Maybe they do it all the time).

    42. Re:And... iOS6 by Paradise+Pete · · Score: 1

      Do you mean to say that you actually read the article and you still don't know that NFC was simply the conduit they chose to deliver the exploit? Turning off NFC does not fix the underlying problem. It's by far the least likely way for this exploit to be delivered.

    43. Re:And... iOS6 by Anonymous Coward · · Score: 0

      Can it? NFC is switched off on my phone unless I unlock it.

    44. Re:And... iOS6 by Graham+J+-+XVI · · Score: 1

      Ya I've heard mixed information on whether NFC is on by default or not. Either way there's still a web exploit on both which means Android is at best no more secure, and at worst, less.

    45. Re:And... iOS6 by dudpixel · · Score: 1

      Fair enough. I can't remember if NFC was enabled on my phone when I got it. It isn't enabled now, and I've always been a bit unsure about it.

      I believe the exploit is fixed in JB so I won't need to worry soon.

      I think the Android ecosystem needs to put more emphasis on bugfix/security updates, and force manufacturers to keep on top of them. Feature updates are not a primary concern - I got the phone I paid for.

      --
      This seemed like a reasonable sig at the time.
  3. Well that stinks by halfEvilTech · · Score: 1

    Hopefully they actually patch something like this, but knowing Verizon, AT&T, etc it won't for at least 6 months

    1. Re:Well that stinks by dmacleod808 · · Score: 2

      Whilst if Apple acknowledges the security issue, they will fix it pretty quick for ALL devices, OTA.

      --
      There Can Be Only One...
    2. Re:Well that stinks by hobarrera · · Score: 1

      How are service providers involved in what updates you install on your OS, which is not developed or maintained by them?

    3. Re:Well that stinks by CoolVC · · Score: 2

      Good question. That's part of the reason I have an iPhone. Less carrier involvement in everything.

  4. The U.S. will probably mandate the use of NFC now by Terry+Pearson · · Score: 0

    This will be a big boon for Android. Given the current infatuation with government invasion of privacy here, government will probably mandate NFC capable phones everywhere now that you can get so much information off of it so easily :-)

  5. Is it really such a big deal? by pablo_max · · Score: 4, Informative

    I am not totally sure why these handset hacks are always such big news. What are the chances that this can happen to a normal person? One, you would need to have NFC enabled, which people may do, but at least I never do by default. Two, you need physical access to the handset.
    Has it not been the case for a very long time that if you lose your handset that someone can use it, NFC or no NFC? Oh, and they need to trigger the exploit 185 times before it worked. I think we are still reasonably safe.

    1. Re:Is it really such a big deal? by CimmerianX · · Score: 3, Interesting

      The Hacks just prove that there is a rush to implement new technology without considering the security implications of the tech.

      This is just history repeating itself. Every company wants to be the first to announce this brand new, 'cool' feature, but none will wait for the 'geeks' to test it for security issues.

    2. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      I don't think you're qualified to determine that "we are still reasonably safe". And there are definite indications you have a biased opinion towards Android. This whole smartphone fanboyism is completely ridiculous. It's making people ignore legitimate problems that need immediate attention. Downplaying vulnerabilities like this doesn't help anyone so stop it. Android should be held accountable for this and required to immediately patch, as should iOS for their recent exploits, as should Windows phone, BlackBerry and whoever else. The costs that result from mobile exploits aren't limited to the victim and I for one think we should be shaming these companies not brushing it off.

    3. Re:Is it really such a big deal? by fuzzyfuzzyfungus · · Score: 3, Insightful

      The Hacks just prove that there is a rush to implement new technology without considering the security implications of the tech.

      This is just history repeating itself. Every company wants to be the first to announce this brand new, 'cool' feature, but none will wait for the 'geeks' to test it for security issues.

      The irksome thing is that, while NFC is mildly novel in terms of the RF tricks (supporting both active/passive RFID-type use cases and short-range active/active ones), and I could see there being some teething pains on that side, these attacks are on NFC as an external data bus that wasn't attended to properly... Some sort of 'specially crafted responses cause hard lockup on $FOOCORP NFIC123 chips with firmware 1.0A' attack would be bad; but more or less par for the course. A more generic 'Hi guys! We added another wireless interface to your phone that happily talks to anything nearby by default, and even automatically executes certain local commands based on what it hears, that's cool, right?' mistake is... unimpressive.

      NFC may be new; but the fact that an easily accessible external bus would be an attack vector, against which you should be on your guard, sure isn't. It's less clunky than having some 80's 25-pin RS-232 port on the back of your phone; but it's conceptually pretty similar.

    4. Re:Is it really such a big deal? by vawwyakr · · Score: 5, Insightful

      I think that is pretty key here, 185 times at the range of less than an inch or so is basically someone sitting there next to you pretty much touching you for 5 minutes. Obviously this is something that needs to be fixed but I'll hold off on my panic just yet. Even if it worked on the first try someone would have to first identify you as having a vulnerable phone, and where you have it (i.e. which pocket, etc.) then get so close as to be practically touching you and then they have to hope that you have NFC enabled. This isn't some sort of thing you can do just casually walking down the street. It might be an issue for a particular person being targeted but not very likely for a random attack.

    5. Re:Is it really such a big deal? by interkin3tic · · Score: 1

      One, you would need to have NFC enabled, which people may do, but at least I never do by default.

      What ARE the uses for NFC right now? I know google wallet works for the galaxy nexus and a few phones by sprint, and ISIS hasn't come out yet, but what are people actually doing with it besides hacking phones and thinking about how at some point in the future, they'll be able to buy coffee with their phone?

    6. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      No what's key is that it's proven. Who gives a flying F about it happening while you're walking down the street. If you can't think of multiple scenarios where this attack could be executed you're either too dense to discuss the topic or too biased.

    7. Re:Is it really such a big deal? by wile_e8 · · Score: 3, Informative

      Launching Tasks
      Sharing Wifi

      Just a couple I use off the top of my head

    8. Re:Is it really such a big deal? by fast+turtle · · Score: 0

      and this is just one more reason I'm quite happy with my dumb phone and no, it's not even a feature phone. It is simply a phone and that's exactly the way I like it.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    9. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      basically someone sitting there next to you pretty much touching you for 5 minutes.

      So slashdot users are safe from this!

    10. Re:Is it really such a big deal? by vawwyakr · · Score: 4, Insightful

      So that assumption here is what? Someone walks down the street bumping into random strangers repeatedly hoping that:

      1) They bump into the side where the stranger's phone was being held.
      2) The two phones are perfectly at the same height (presumably in a pocket).
      3) The stranger's phone is vulnerable.
      4) They have NFC enabled.
      5) They could hold the phones in contact for the amount of time necessary to transfer both an overloaded file (presumably exceeded a buffer limit) and THEN also transfer the compromised app that allows the actual hack to work (over a connection with a maximum bandwidth of a few hundred kbits/s).
      6) Then after the hack succeeded they remained in contact long enough for the data from the stranger's phone to be transferred back to the hacker's phone.

      All without anyone noticing? That's all assuming they fix whatever issue was causing it to need to be run 185 times before it finally worked? Assuming those 185 times were the incremental transfers of all the data needed? Again I'm still not scared. And this is fixed in Jelly bean (which my S3 is running...doom on you close talking random guy on the street thinking you finally found someone with an S3 to stand uncomfortably close to!).

    11. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      It's a big story because it shows such over-the-top astounding shocking unbelievable massive incompetence on the part of the OS maker.

      It shows that while on a normal computer, you don't think of just any I/O, e.g.
      10 PRINT "ANDROID AND IOS ARE THE WINDOWS 95 OF OUR TIME"
      20 GOTO 10
      as being potentially unsafe for the entire device, nearly everyone is using garbage where the designers really do get totally basic things wrong, that a typical inexperienced teenager wouldn't screw up.

      Android and iOS suck. They aren't merely "below average" but really are the Windows 95 of our time. So bad, so apparently-bad-on-purpose, so much worse than everything you have grown used to, and yet also so ubiquitous, that it's just totally comical.

      Such things really are worth talking about. It's like voters actually choosing GWB to be re-elected in 2004. It really happened. The most absurd fiction writer would never think up anything as stupid as reality itself.

    12. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      it would be nice if the market would demand that the carriers guarantee an OS upgrade path and update repos for as long as you own your device. instead of wasting 6 months-1year+ crippling a single OS release and then never getting a single update. until the masses realize the absurdity of this arrangement, the carriers will keep treating their customers like they are stupid. maybe the existence of android will increase the numbers exposed to linux(repos+updates) and more will start to question why their phone is different somehow. you already see windows users installing ubuntu at xda-developers so they can hack on android more efficiently.

    13. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      Finally, a good reason not to bathe or shave or get my hair cut!

      It's for security, mom! Go back upstairs!

    14. Re:Is it really such a big deal? by vawwyakr · · Score: 1

      Missed the part about walking down the street, ok so what other anonymous situations do you see? On the bus? Or are we talking about pickpockets? I can see this as an issue for non-anonymous situations (I know that guy and his phone is vulnerable) but for random situations I can't see a lot that would be overly successful. Perhaps you can help me see some of these situations instead of just cussing at me and calling me names?

    15. Re:Is it really such a big deal? by danomac · · Score: 1

      If someone bumped into me 185 times, I'd notice and do something about it.

    16. Re:Is it really such a big deal? by vawwyakr · · Score: 1

      184 though....I'd just sit back and enjoy it.

    17. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      Um, yeah, except the current version of Android has this vulnerability fixed. Have fun getting your tin-foil hat refitted, jackass.

    18. Re:Is it really such a big deal? by hobarrera · · Score: 1

      1) No challenge there.
      2) Try a few times, you're bound to have luck sooner or later - pocket heights don't vary that much.
      3/4) It's the default, and what most average users will have.
      5) Just a few seconds will do.
      6) The attacker can run anything on the target phone. I expect that whatever he runs would steal the data through other means, and not NFC (ie: email? remote server?)

    19. Re:Is it really such a big deal? by kqs · · Score: 1

      I am not totally sure why these handset hacks are always such big news. What are the chances that this can happen to a normal person? One, you would need to have NFC enabled, which people may do, but at least I never do by default. Two, you need physical access to the handset.

      I'm guessing it's a bigger deal to those who RTFA and see that this flaw can also be exploited by web and email; they just used NFC because it was novel. But true, it's not a big deal to people who like to complain but hate to be informed.

      I'm saddened that so many of these people also choose to vote. Perhaps a little quiz at the polls: "Did Obama say that business owners didn't build their own businesses? Did Romney say that he wants to fire people? Did you ever, for more than 1.3 seconds, have a doubt that Obama was born in the US?" Any "yes" answers means that your vote is ignored for the next 6 years.

    20. Re:Is it really such a big deal? by danomac · · Score: 1

      Yeah, at about 182 I might raise an eyebrow!

    21. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      Well, according to the Samsung ads that ran during the Olympics, couples can send pictures to each other through a window by holding their S3s next to it.

    22. Re:Is it really such a big deal? by KingMotley · · Score: 1

      Great, and how long do you think it will be until all of them are upgraded to the "current version"? a year? 2 years? Never is my guess.

    23. Re:Is it really such a big deal? by Have+Brain+Will+Rent · · Score: 1

      You've never met a woman have you? Sorry that was rhetorical - it is /. after all....

      "Miss stop touching me, stop holding yourself so close, stop letting your hands roam all over my body..."

      --
      The tyrant will always find a pretext for his tyranny - Aesop
    24. Re:Is it really such a big deal? by oakgrove · · Score: 1

      Great, and how long do you think it will be until all of them are upgraded to the "current version"? a year? 2 years? Never is my guess.

      I would say get a Nexus were it not for the tarnishing given the line by the Verizon debacle so I'll just say get a Nexus with GSM. And if the Galaxy Nexus isn't your speed then wait just a couple of months until Google releases the planned multiple simultaneous Nexus lines. As far as patching and new versions of the operating system go, Google is updating Android and releasing security fixes responsibly but it is still up to the OEMs to actually release for their individual handsets. The formula works though if market share is the goal and my understanding is that for Google, it is. More people using internet capable smartphones = more people viewing ads. And unlike the iPhone or any other competitor, Google's presence on the vast majority of Android handsets is a given and won't be changing any time soon.

      For the general consumer, I'm not convinced that most even care about Android functionality updates. Many users of the OS are smartphone first-timers and would be loath to install anything that made significant changes to how the phone looked or behaved. OEMs do need to focus on security updates though as that is a genuinely pressing issue. Much more so than whether Aunt Tilly is running ICS or Jellybean in my opinion.

      --
      The soylentnews experiment has been a dismal failure.
    25. Re:Is it really such a big deal? by KingMotley · · Score: 1

      And none of that changes the fact that there is, and will continue to be, a lot of NFC enabled android phones out there that are vulnerable -- basically forever. Android has now become the new Windows XP; vulnerable with patches taking years to get to end users, and millions of users who don't patch their systems even when they are available.

    26. Re:Is it really such a big deal? by oakgrove · · Score: 1

      Android has now become the new Windows XP; vulnerable with patches taking years to get to end users, and millions of users who don't patch their systems even when they are available.

      I hate to be the one to break the news to you but every OS has unpatched vulnerabilities. Every. Single. One. Check Secunia or your favorite security site if you don't believe me and marvel at the number of known security holes that vendors have left unaddressed. There are something like 500 million Android devices in the wild. When some malware epidemic of epic remote Pwnage happens then you can call Android the new Windows XP. Many hackers might consider an Android device an even juicier target than XP since it is almost guaranteed to contain intimate personal details. Yet life goes on and despite the weekly scare stories the security press likes to churn out, Android users are mostly free from pretty much any malware that they didn't explicitly install themselves either by pirating apps, using third party unvetted app stores, or the rare malicious app that slips through Google's fingers and ends up on the official Play Store (a rarity that is only getting harder for authors to succeed at since Google started really paying attention). My daily driver is a fully updated Galaxy Nexus but you'll have to pardon me for not getting too up in arms over my assortment of lesser Android devices as they've all been trundling along on whatever version of Android they shipped with/got updated to and not a one has yet to show any signs of being the worse for it.

      a lot of NFC enabled android phones out there that are vulnerable

      By an attack that requires the victim's phone to first actually be on (NFC deactivates when the screen is off), within a very small number of centimeters aligned at just the right place with the attacker's device, in communication for an extended period of time, have NFC actually on at all, and the user to be totally oblivious as a stranger who both miraculously is on the ball enough to strike at just the right moment and takes advantage of all of these variables being perfectly aligned for him to do his dirty work. Um, yeah. Maybe I should play the numbers too since I'm apparently the recipient of the cosmos' so ridiculously contrived you can still smell the glue statistical outlier joke of the day award. Or I'll just have a shirt printed saying "The Universe hates me and all I got was this lousy t-shirt".

      --
      The soylentnews experiment has been a dismal failure.
    27. Re:Is it really such a big deal? by KingMotley · · Score: 1

      By an attack that requires the victim's phone to first actually be on (NFC deactivates when the screen is off), within a very small number of centimeters aligned at just the right place with the attacker's device, in communication for an extended period of time, have NFC actually on at all, and the user to be totally oblivious as a stranger who both miraculously is on the ball enough to strike at just the right moment and takes advantage of all of these variables being perfectly aligned for him to do his dirty work. Um, yeah. Maybe I should play the numbers too since I'm apparently the recipient of the cosmos' so ridiculously contrived you can still smell the glue statistical outlier joke of the day award. Or I'll just have a shirt printed saying "The Universe hates me and all I got was this lousy t-shirt".

      Or maybe you should actually try and think. How difficult would it be to place an NFC skimmer next to or on top of that McDonald's payment console? Your device would be on, and within range. Oh, yes, I'm sure no one could do that, that hasn't been done before. I think you should get a shirt printed, but choose another slogan.

    28. Re:Is it really such a big deal? by Anonymous Coward · · Score: 0

      How difficult would it be to place an NFC skimmer next to or on top of that McDonald's payment console?

      The attack requires much longer than the second or two a person is likely to take swiping their phone at a McDonald's POS. If you wanted to make your scenario even prima facie plausible you could at least have proposed something like a malicious charging station. Of course then the phone would have to be lying down with the screen on in order for NFC to even work and when NFC on the S3 actually does do its thing it makes a distinct sound alerting the user. I've only read the descriptions of the attack and they aren't perfectly clear but the number 185 is thrown around in relation to how many times the exploit had to be run before it even worked. Can the planets align just right for something like this to actually work on a profitable enough basis that you would have a chance of seeing something like it deployed in the real world? Based on what I've read I seriously wouldn't bet on it. Make it happen and I'll be a believer but like so many other seemingly daily scare-sploits that come and go in the tech press, I'll keep reminding people that for any set A number of conceptually demonstrated exploits paraded under controlled circumstances there is a much much smaller subset B of actual practical worthwhile hacks that will ever be put into practice in the real world. Not only that but in this particular instance, it depends on certain architectural weaknesses in Android 4.0.4 on the Galaxy S3 and that OS/device window is rapidly closing with no hard evidence that the exploit works on anything else.

      tl;dr *yawn*

    29. Re:Is it really such a big deal? by vawwyakr · · Score: 1

      Hey some random woman rubs up against me 185 times...I will get suspicious! 184....just good times.

  6. Jelly bean fixes this? by Terry+Pearson · · Score: 2

    The article eludes to the fact that Jellybean may fix this. All the more reason for carriers and manufacturers to expedite upgrades.

    1. Re:Jelly bean fixes this? by Anonymous Coward · · Score: 0

      The article may allude to it, but I doubt it eludes it.

    2. Re:Jelly bean fixes this? by fuzzyfuzzyfungus · · Score: 1

      By 'upgrade', you mean the new handset that you get for 'free' when you sign my two-year service contract, right consumer?

    3. Re:Jelly bean fixes this? by NatasRevol · · Score: 1

      Which the carriers may or may not ever provide.

      So your security is a crap shoot.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:Jelly bean fixes this? by BradleyUffner · · Score: 1

      By 'upgrade', you mean the new handset that you get for 'free' when you sign my two-year service contract, right consumer?

      Cyanogen Mod.

    5. Re:Jelly bean fixes this? by Anonymous Coward · · Score: 0

      The article eludes

      ...And by "elude" you mean "allude" ("To refer to something indirectly or by suggestion")... unless you're claiming that the article is attempting "To evade, or escape from" the fact, which is an interesting visual but probably not intended.

      Homophones are hard.

    6. Re:Jelly bean fixes this? by hobarrera · · Score: 1

      The carrier has nothing to do with this, it's just the manufacturer's problem, or maybe Google's in the long run, but no-one else's.

    7. Re:Jelly bean fixes this? by Terry+Pearson · · Score: 1

      The carrier has nothing to do with this...

      If you are not on a custom Rom, you will not get an upgrade until 1) The manufacturer provides the approved upgrade, and 2) The carrier determines whether they will push OTA the upgrade. While the carrier may not always be a huge part of the upgrade, they make it happen in the end. All the more reason to jump on XDA and get a custom rom for your device.

    8. Re:Jelly bean fixes this? by Rich0 · · Score: 1

      Yup. For a Nexus device you will probably get security updates for about 1.5 years from the date that the device was FIRST announced (ie passed out at IO or whatever). For any other device you probably won't ever get an update, unless somebody manages to totally own the thing while it is still being advertised on TV.

      If you care about updates on Android don't ever buy anything but a Nexus device, and don't buy the Nexus device unless it is no more than a few months old. I'd say in a few months the Nexus 7 is going to be obsolete as far as updates go (sure, it will still get them, but likely for only a year after you buy it). I think two years is the minimum a phone should be supported, but if you want that you need to buy an iPhone (if you buy a 4s TODAY you'll probably STILL get updates for a full two years). I love Android, but the lack of updates just kills me.

    9. Re:Jelly bean fixes this? by hobarrera · · Score: 1

      You could just download the update from the net/using the OS's update mechanism. If your ISP filters this, just use WiFi.

  7. DEFCON 20 by phantomcircuit · · Score: 2

    This was demonstrated at DEFCON 20. He live demo'd rooting an android device using NFC to open the browser and a browser exploit to gain root. https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Miller

  8. Not exactly practical by ThunderBird89 · · Score: 3, Informative

    Given the short range and low bandwidth (424 kilobits/s) of NFC technology, this is more of an esoteric attack than a practical one. I think I'd notice someone shadowing me with a hand at my pocket to connect to my Nexus S via its NFC chip and pull data from it...
    Still, it's a show of force (and vulnerabilities).

    --
    Hyperbole: I use it liberally!
    1. Re:Not exactly practical by jkflying · · Score: 3, Interesting

      They don't need to. Just upload a little executable that sends everything over wifi/3G to them, and listens to new commands over those interfaces as well.

      --
      Help I am stuck in a signature factory!
    2. Re:Not exactly practical by fuzzyfuzzyfungus · · Score: 5, Insightful

      The more worrisome thing is probably that NFC is built in in the hope that swiping it all over the place against untrusted devices will become a normal behavior (sort of the way that attacks against the USB charge/data port are wildly impractical, until random charging kiosks start popping up in airports and all over the place, at which point behavioral protection goes out the window, and a bunch of systems intended only to connect to your home PC start getting shoved into god-knows-what...). Sure, as an attack to execute against the phone in your pocket, it is only marginally more practical than making a stab for the USB port; but if the happy-magic-future-of-even-more-middlemen-and-fees comes to pass, you'll see anywhere between several and dozens of readers a day getting a chance to try whatever they want when you shove your phone onto the pad (plus, if ATMs and mag stripe skimming are any indication, it will be about 20 minutes before somebody comes out with a nice little stick-on thin-circuit-in-rugged-sticker NFC 'skimmer' that can be planted on top of legitimate NFC pads and will do its best to MitM legitimate conversations or attack devices while they converse with the genuine NFC pad and log the results).

    3. Re:Not exactly practical by Anonymous Coward · · Score: 1

      It's only short range with standard consumer equipment. There's nothing stopping someone from boosting the signals. It's like claiming wifi or bluetooth is secure because the range is within your building. That malicious guy over there has no problem using a booster (or even just a simple yagi)

    4. Re:Not exactly practical by Anonymous Coward · · Score: 0

      You know how people have fake ATM machines? What's stopping a hacker or CIA from putting up fake Coca-Cola kiosks. Just swipe your phone for a free Coke. Consumer gets free Coke and free spyware installed.

    5. Re:Not exactly practical by fuzzyfuzzyfungus · · Score: 1

      Aside from the fact that just sticking a skimmer onto real Coca-Cola kiosks would be cheaper? Nothing at all. Same basic reason that ATM card skimmers are more common than full fake ATMs.

  9. It's a good thing I don't go bumping/grinding by BMOC · · Score: 3, Informative

    against random hackers while having my cell phone in my pocket at the geek-overloaded dance clubs on a regular basis... I guess I'm safe for now.

    Key phrase from the report: by holding two Galaxy S 3s next to each other .

    --
    I swear they give me mod points to shut me up.
    1. Re:It's a good thing I don't go bumping/grinding by Anonymous Coward · · Score: 0

      Until they start placing skimmers on NFC readers or whatever they are called, just like they do with ATMs.

    2. Re:It's a good thing I don't go bumping/grinding by Anonymous Coward · · Score: 0

      Like sitting on the bus/train?

    3. Re:It's a good thing I don't go bumping/grinding by Anonymous Coward · · Score: 0, Troll

      Another S3 isn't a requirement, it was just demonstrated like that, you fucktard.

    4. Re:It's a good thing I don't go bumping/grinding by Zizagoo · · Score: 1

      But practically any app which interacted with an NFC reader would force the phone into write mode, which blocks incoming packets. Otherwise you'd never get the chance to write...

    5. Re:It's a good thing I don't go bumping/grinding by Bill+Dimm · · Score: 1

      Like sitting on the bus/train?

      The trick is to get onto the bus/train smelling really bad, so nobody will dare get close to you. Many people seem to already be employing this technique.

    6. Re:It's a good thing I don't go bumping/grinding by Anonymous Coward · · Score: 0

      Like sitting on the bus/train in close enough proximity for both phones to be no more than a couple centimeters apart. So maybe if some random hot chick sits down next to you and offers you a lap dance.

    7. Re:It's a good thing I don't go bumping/grinding by Anonymous Coward · · Score: 0

      Do you also never want to use NFC for any case where you do not control the other device? Like a shop, bus, or bar? because they could all be using this to steal data from the phone at the same time.

  10. to be fair by batistuta · · Score: 3, Insightful

    you also need to have NFC enabled on your Galaxy for this to work. NFC is enabled by default, sure. But it can be disabled easily. I also find myself living happily without NFC, but not without tethering, which I use daily during my bus commute.

    So my point is that both vulnerabilities suck, and which one sucks the most depends solely on your use-case. There is no point in saying that one device is more secure than the other, both Apple and Google seem to suck big time here. You should not store any sensitive data on your phone.

    1. Re:to be fair by Anonymous Coward · · Score: 0

      you also need to have NFC enabled on your Galaxy for this to work. NFC is enabled by default, sure. But it can be disabled easily. I also find myself living happily without NFC

      But, but, I was told the iPhone 5 was DOA without NFC!
      What to believe? What to believe?

    2. Re:to be fair by ToastedRhino · · Score: 2

      you also need to have NFC enabled on your Galaxy for this to work.

      No, you don't. If you take a minute to RTFA you'll see this:

      The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments.

      They chose to use NFC for the novelty effect. This could just as easily have been done via a malicious website.

      Yes both vulnerabilities suck, but they are not equal. For instance, the iOS attack allowed the stealing of contacts, pictures, video, and browsing history. Things that are supposed to be protected in iOS, but in this case weren't sufficiently so. The Android attack allowed the execution of arbitrary code. These two things are not the same, though both definitely need to be fixed ASAP. And to be fair, JB may have already patched the holes in Android, provided people can actually get it on their phones this is a really good thing.

    3. Re:to be fair by rjr162 · · Score: 1

      Weird.. on my International Galaxy S III (GT-i9300T) the NFC was disabled by default. Must be something the carriers decide

    4. Re:to be fair by batistuta · · Score: 2

      you also need to have NFC enabled on your Galaxy for this to work.

      No, you don't. If you take a minute to RTFA you'll see this:

      The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments.

      Yes, you do. What you are describing is a different way to accomplish the attack. As an end user, I don't care if the underlying exploit is similar, I only care about how I can be affected by it. This leads to the next point.

      They chose to use NFC for the novelty effect.

      No, they've chosen NFC because now more phones have it, but mostly because it allows accomplishing the attack without any user intervention at all. People could avoid getting hacked from visiting malicious websites, simply by limiting themselves to trusted sites. Most people only frequent their usual places. But the NFC is a hidden vector that many users are not even aware of.

      As I've mentioned in my first post, I could live with an NFC or browser vulnerability, but not with a tethering one. Other people will think the opposite. At the end of the day, this news makes you wish you didn't depend on your cell phone so much, because there are always security holes in there.

      I find it funny when the automotive industry pushes to connect their cars to the network, as if they could do any better.

  11. Re:NFC no thank you by Anonymous Coward · · Score: 1

    No, YOUR an idiot.

  12. Doesn't this violate Apple's new NFC/TSA patent? by Anonymous Coward · · Score: 0

    I mean, that's exactly what Apple's patent lets the TSA do to your phone.

  13. Security by Obscurity? by Anonymous Coward · · Score: 0

    424kb/s is 42k/second is all your telephone contacts, emails addresses etc per second. That's plenty for a major heist. It was only a few years back that 128kbps was called broadband FFS (2004 my DSL was 128kbps).

    Short range is a fairer comment, but even so, someone will simply invent a booster antenna like they did with Bluetooth hacks to expand the range. Hacking the person sitting in front of you on the bus or next to you on the train is quite feasible.

    Basically Samsung or Google screwed up, the best course of action is hands up, then a quick fix, followed by detailed analysis of all the other front facing code to see what else might be hiding. Denial never works in these situations.

  14. lol andoird by Anonymous Coward · · Score: 0

    your animes will get hax0red

  15. NFC Doesn't Work That Easily by Chibi+Merrow · · Score: 5, Informative

    With this Galaxy 3 NFC hack, a stranger could do it sitting next to you on the bus.

    No, they'd have to be sitting next to me on the bus AND physically touch my phone with another device long enough to trigger NFC AND I have to have NFC enabled AND keep the devices in physical contact long enough for the download to complete OR hope that I have an active data connection AND the right web browser set as my default so their specially crafted web page loads to root my device...
    Except that (since I have like six web browsers installed) it requires me to interact with the phone to pick the web browser to open the page... A lot more difficult to arrange than "sitting next to someone".

    Also, the ASLR implementation is known to be incomplete on ICS. It's apparently fully fixed on Jelly Bean, so this hack shouldn't be possible on the S3 in a couple months, when the update is rolled out. Likewise, all of the Nexus NFC devices have been updated to Jelly Bean, so they're secure.

    Yeah, it's sad that the hack was possible, but it was due to flaws in the OS, not due to problems with NFC, and only under a very contrived set of circumstances...

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
    1. Re:NFC Doesn't Work That Easily by Anonymous Coward · · Score: 0

      Also, the ASLR implementation is known to be incomplete on ICS. It's apparently fully fixed on Jelly Bean, so this hack shouldn't be possible on the S3 in a couple months, when the update is rolled out.

      When the update is rolled out? That makes me laugh.

    2. Re:NFC Doesn't Work That Easily by Anonymous Coward · · Score: 0

      It's apparently fully fixed on Jelly Bean, so this hack shouldn't be possible on the S3 in a couple months, when the update is rolled out.

      A couple of months? Based on my Galaxy Tab 10.1 ICS experience, I think a couple of *years* is a better guess.

    3. Re:NFC Doesn't Work That Easily by Anonymous Coward · · Score: 0

      First up NFC == RFID. When RFID was discredited for very good reasons, it was simply rebranded as NFC.

      Secondly, all this bullshit about NFC being secure because you need close proximity is also bullshit. My credit card issuer insists on giving me cards with this stupid technology built in, and no amount of ranting at them will change their mind. Hackers with pringle can antennae have picked peoples' pockets from hundreds of metres away via this stupid RFID in a credit card crap, and now they want to put one in my phone as well. I hope someone exploits this hole and hugely embarrasses everyone involved, then maybe RFID / NFC can finally die. But more likely it will just be rebranded again.

    4. Re:NFC Doesn't Work That Easily by hobarrera · · Score: 2

      1) Average users don't install several browsers.
      2) On a subway or any other crowded environment, it's not hard to stay that close to someone for plenty of time.
      3) "Rolled in a few months" can also be read as "All S3's will be vulnerable for several more months".
      4) Average users don't change the defaults, including disabling the NFC.

    5. Re:NFC Doesn't Work That Easily by rjr162 · · Score: 1

      I just wanted to mention I received an update last night on my S3 (international GT-i9300T). It wasn't super large, and it didn't change the OS version #, so I'm not sure if it was a patch for the NFC already pushed out or what it may have related to. Maybe Samsung's website will list it?

    6. Re:NFC Doesn't Work That Easily by Anonymous Coward · · Score: 0

      You should read up on NFC. Your first sentence is provably false making the rest of your conjecture meaningless.

    7. Re:NFC Doesn't Work That Easily by thetoadwarrior · · Score: 1

      And guess what, you're not the average android owner. So the little story you typed out doesn't really mean anything. It was a waste of time.

    8. Re:NFC Doesn't Work That Easily by Anonymous Coward · · Score: 0

      Max range including fancy antennas for NFC is still pretty darn short. Other types of RFID designed for longer range can be read from meters away, but NFC is designed for very short range and even extended it still doesn't reach very far. Of course, having any way to communicate with your cell phone in an unsecure way at any range is bad.

    9. Re:NFC Doesn't Work That Easily by Anonymous Coward · · Score: 0

      1) Average users don't install several browsers.

      But there's no reason to think they wouldn't install something like Firefox for Android, but yeah probably not 'several'.

      3) "Rolled in a few months" can also be read as "All S3's will be vulnerable for several more months".

      It can, but it would be wrong to read it as such given that the update has already begun being rolled out.

    10. Re:NFC Doesn't Work That Easily by Xest · · Score: 1

      Yes, effectively if they could get close enough to your phone, they might as well just outright steal it.

    11. Re:NFC Doesn't Work That Easily by Chibi+Merrow · · Score: 1

      Except everything I typed out applies to the average android owner. Even my Mom has two web browsers installed, the default the phone came w/ and Dolphin. With mobile versions of Firefox, Opera, Chrome, and hundreds of apps out there that also offer to open URLs when prompted...

      Really that's the least important part of the story. The important part is them somehow holding their phone to mine back-to-back long enough to do the exploit 185 times. It's much more likely they'd just pickpocket my phone at that point. Anyone going on about "Ever been in a crowded subway!?" has obviously never tried to use NFC.

      --
      Maxim: People cannot follow directions.
      Increases in truth directly with the length of time spent explaining them
  16. Going to sum up what I see as the threat here by vawwyakr · · Score: 1

    I posted this above but here's what I see (maybe I'm missing something so help me out). So that assumption of danger here is what? Someone walks down the street bumping into random strangers repeatedly hoping that:

    1) They bump into the side where the stranger's phone was being held.
    2) The two phones are perfectly at the same height (presumably in a pocket).
    3) The stranger's phone is vulnerable.
    4) They have NFC enabled.
    5) They could hold the phones in contact for the amount of time necessary to transfer both an overloaded file (presumably exceeded a buffer limit) and THEN also transfer the compromised app that allows the actual hack to work (over a connection with a maximum bandwidth of a few hundred kbits/s).
    6) Then after the hack succeeded they remained in contact long enough for the data from the stranger's phone to be transferred back to the hacker's phone.

    All without anyone noticing? That's all assuming they fix whatever issue was causing it to need to be run 185 times before it finally worked? Assuming those 185 times were the incremental transfers of all the data needed? Again I'm still not scared. And this is fixed in Jelly bean (which my S3 is running...doom on you close talking random guy on the street thinking you finally found someone with an S3 to stand uncomfortably close to!).

    1. Re:Going to sum up what I see as the threat here by BradleyUffner · · Score: 1

      I posted this above but here's what I see (maybe I'm missing something so help me out).
      So that assumption of danger here is what? Someone walks down the street bumping into random strangers repeatedly hoping that:

      1) They bump into the side where the stranger's phone was being held.
      2) The two phones are perfectly at the same height (presumably in a pocket).
      3) The stranger's phone is vulnerable.
      4) They have NFC enabled.
      5) They could hold the phones in contact for the amount of time necessary to transfer both an overloaded file (presumably exceeded a buffer limit) and THEN also transfer the compromised app that allows the actual hack to work (over a connection with a maximum bandwidth of a few hundred kbits/s).
      6) Then after the hack succeeded they remained in contact long enough for the data from the stranger's phone to be transferred back to the hacker's phone.

      All without anyone noticing? That's all assuming they fix whatever issue was causing it to need to be run 185 times before it finally worked? Assuming those 185 times were the incremental transfers of all the data needed? Again I'm still not scared. And this is fixed in Jelly bean (which my S3 is running...doom on you close talking random guy on the street thinking you finally found someone with an S3 to stand uncomfortably close to!).

      This could be done similar to the way Bank Card Skimmers work. Place a fake nfc device in a situation where a real one would be likely (gas station pump for example). Then sit and wait for people to try and use it.

    2. Re:Going to sum up what I see as the threat here by megalomaniacs4u · · Score: 1

      An episode of NCIS had a girl bumping into strangers with a NFC skimmer http://www.imdb.com/title/tt1683271/ NCIS season 8 episode 8 - Enemies Foreign

    3. Re:Going to sum up what I see as the threat here by poofmeisterp · · Score: 1

      I posted this above but here's what I see (maybe I'm missing something so help me out).

      So that assumption of danger here is what? Someone walks down the street bumping into random strangers repeatedly hoping that:

      1) They bump into the side where the stranger's phone was being held.

      2) The two phones are perfectly at the same height (presumably in a pocket).

      3) The stranger's phone is vulnerable.

      4) They have NFC enabled.

      5) They could hold the phones in contact for the amount of time necessary to transfer both an overloaded file (presumably exceeded a buffer limit) and THEN also transfer the compromised app that allows the actual hack to work (over a connection with a maximum bandwidth of a few hundred kbits/s).

      6) Then after the hack succeeded they remained in contact long enough for the data from the stranger's phone to be transferred back to the hacker's phone.

      All without anyone noticing? That's all assuming they fix whatever issue was causing it to need to be run 185 times before it finally worked? Assuming those 185 times were the incremental transfers of all the data needed? Again I'm still not scared. And this is fixed in Jelly bean (which my S3 is running...doom on you close talking random guy on the street thinking you finally found someone with an S3 to stand uncomfortably close to!).

      All ya gotta do is knock the stranger out. This just helps hackers not physically steal phones. Because stealing phones is wrong. :>

  17. Take over meaning root access? by Anonymous Coward · · Score: 0

    If that's the case, someone is probably already making a root-access-giving program that works through phone-to-phone NFC as we speak.
    Although... transmission through intimate contact? That sounds awfully like an STD...

    1. Re:Take over meaning root access? by poofmeisterp · · Score: 1

      If that's the case, someone is probably already making a root-access-giving program that works through phone-to-phone NFC as we speak.
      Although... transmission through intimate contact? That sounds awfully like an STD...

      I can't wait until that's heard in a patent infringement suit.

  18. Only on Slashdot by EGSonikku · · Score: 5, Insightful

    Someone discusses an NFC hack to root and steal data off Android and half the posts are "Apple isn't secure either!"

    Focus people! Slashdot is supposed to be the home of Linux and Open Source and über hacks! Why isn't anyone disseminating how this hack works and posting some kind of work-around that isn't just "Don't use NFC" (a feature which Apple gets derided for not having)?

    Remember, a fix isn't "Don't use NFC and switch to another browser." Let's assume a user *likes* NFC, and *likes* his web browser as it is. Let's *fix* the problem here. Any thoughts or conjecture?

    --
    - "Scientia non habet inimicum nisi ignorantem"
    1. Re:Only on Slashdot by vawwyakr · · Score: 1

      Well based on the article it sounds like it's already fixed in the current version of Android. So not much to focus on I suppose?

    2. Re:Only on Slashdot by jo_ham · · Score: 1

      Well based on the article it sounds like it's already fixed in the current version of Android. So not much to focus on I suppose?

      The 2% of Android users that have the current version are safe then!

    3. Re:Only on Slashdot by vawwyakr · · Score: 1

      Well the 5% who have a phone with NFC and Android ICS are in trouble huh? I wasn't saying that the discussion isn't interesting I'm just saying that the OP's comment that we have to focus on finding a solution isn't really relevant since it's already fixed in the OS and NFC can be disabled if you haven't been updated.

    4. Re:Only on Slashdot by jo_ham · · Score: 1

      I was just being facetious - I admit this issue isn't as big as the story is making out (although any 0 day exploit is serious). I was just bringing up a counter point to the claim that the issue didn't matter because Jelly Bean fixes it, when only a couple of weeks ago slashdot ran a story about how the bulk of Android users are at least one version behind, and in some cases stuck there for good (unless they root their phone).

    5. Re:Only on Slashdot by Paradise+Pete · · Score: 1

      Well the 5% who have a phone with NFC and Android ICS are in trouble huh?

      NFC is not a requirement. That was merely how they chose to deliver the payload.

  19. Feature deactivation by Anonymous Coward · · Score: 0

    Turns out users can simply deactivate NFC when they're not using it. I do these things with WiFi, GPS and Bluetooth. Both for security and battery-saving purposes.

  20. Sure, exactly the same by SuperKendall · · Score: 2, Informative

    Yes, iOS6 was hacked. So if you were lured into visiting some bad web site someone could potentially see your address book and photos - Oh no!

    Meanwhile everyone you bump with the S3 could be a carrier of a filthy, filthy disease that would render your entire system open to keyloggers or whatever.

    The iOS6 attack is read only, the NFC attack write...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Sure, exactly the same by Anonymous Coward · · Score: 0

      You are a complete fucking idiot. Do you even think before you run your dickbeaters over your keyboard, dufus? Come back when you actually know what you're talking about.

    2. Re:Sure, exactly the same by rjr162 · · Score: 1

      Android
      Settings -> NFC off.
      Attack vector disabled!

      iPhone
      Settings -> Browser of.... damn

      and who says a legit site you've been going to for years can't be hacked and have this code planted within (via an iframe or whatever?), or served by a hacked ad network?

    3. Re:Sure, exactly the same by Anonymous Coward · · Score: 0

      Except that NFC is turned off when the screen is off for security reasons...

    4. Re:Sure, exactly the same by Paradise+Pete · · Score: 1

      Settings -> NFC off. Attack vector disabled!

      It's not an NFC vulnerability, that was merely the conduit they chose. So the device you think you just made safe is still vulnerable, and while you sleep it's dialing 1-900-HOT-CHIX all night long. Good luck with that phone bill.

  21. Pwn2Own my Ass by Anonymous Coward · · Score: 0

    That NFC exploit was F'n WEAK!
    C'mon dudes. Seriously? You can do better!

    "As you can see, (glaven!) with the use a willing victim who stands perfectly still; a soldering iron and logic probe; 'Don't touch!' ;we can subvert the phone after one hour. Why anyone would want to want to use such a dangerous communication medium is beyond me. (a-hem!)"

  22. Re:Andoird no thank you by Anonymous Coward · · Score: 0

    Misspell something once and it is a typo. Do it twice and you are a complete fucking idiot. Idiot.

  23. Re:The U.S. will probably mandate the use of NFC n by Anonymous Coward · · Score: 0

    This is a big boon for trolls. Oh look...

  24. 185 Attempts needed? by Anonymous Coward · · Score: 0

    "The flaw had to be triggered 185 times in the exploit code in order to overcome some of the vulnerability’s limitations."

    While I'm certain the exploit could be improved, I'm fairly certain that if it takes 185 tries to work, it is not practical to exploit this in the wild at this time.

  25. And Still No ATV3 Jailbreak? by meehawl · · Score: 1

    All this cracking and still no way to root the AppleTV 3?

    --

    Da Blog
  26. The real subject is NFC, not Android by perpenso · · Score: 1

    At the same event, they also hacked iOS6. Just to give an unbiased view...

    Actually you seem a little misleading given that the iPhones don't have NFC. I think the true subject of the article is NFC not Android. The fact that iOS and Android can get hacked by a malicious webpage seems a bit off topic.

    Android and Samsung are mentioned prominently only to get people's attention.

    1. Re:The real subject is NFC, not Android by Paradise+Pete · · Score: 1

      Does *nobody* RTFA anymore? It is an Android vulnerability. They used NFC as one of several ways to exploit it. They could have done the whole thing without using NFC at all.

    2. Re:The real subject is NFC, not Android by perpenso · · Score: 1

      Does *nobody* RTFA anymore? It is an Android vulnerability. They used NFC as one of several ways to exploit it. They could have done the whole thing without using NFC at all.

      You are actually supporting my suggestion that NFC is the real subject. An Android vulnerability is found, not exactly big news. That NFC can be the exploit vector, that is new and different.

  27. Doesn't surprise me... Samsung software sucks by exabrial · · Score: 1

    Samsung has incredible hardware. The Galaxy series of phones have all been quite remarkable. Their OLED technology puts out color gamut that makes Plasma TVs look like they were painted with pastel watercolors.

    Their software has always blown. Ever tried to use GPS on a Samsung phone? How about USB mass storage mode? How about SVoice? How about waiting 2 years for ICS to come out on a device? How about USB Host mode on CDMA models? List goes on... They cut so many corners on software to get it out the door.

    They try so hard to be like Apple... they've smoked Apple on the hardware side, but the lack of quality on their software side just completely spoils their phones. So when a 0 day flaw pops up that allows one to completely take over a phone, it doesn't surprise me. Results like this usually correlate with high software engineer turnover with low management turnover, which should point to a solution: fire the management.

    In other news though, I laughed at Person of Interest where the main character hacked other peoples phones by holding them together. Now I'm drinking my cup of shut up tea.

    Samsung(R): Amazing Hardware, Shitty Software (TM)

    1. Re:Doesn't surprise me... Samsung software sucks by spire3661 · · Score: 1

      The problem is, the era of hardware differentiation is coming to a crashing close, it's all software from here on out.

      --
      Good-bye
    2. Re:Doesn't surprise me... Samsung software sucks by Bill_the_Engineer · · Score: 1

      Samsung has incredible hardware. The Galaxy series of phones have all been quite remarkable. Their OLED technology puts out color gamut that makes Plasma TVs look like they were painted with pastel watercolors.

      There have been reports about problems with the WiFi on the S3. Also the reviews for the hardware have been favorable except that several reviewers commented that the display on the S3 is noticeably dimmer than the S2 and competing phones (CNET has one such review).

      I'm thinking about getting an S3 but am waiting for the WiFi issue to be resolved. I depend on WiFi calling on my current Android phone when I'm out in the middle of nowhere and WiFi problems are a deal breaker for me. Luckily my current Android phone works well enough for me not to be in a hurry for a replacement.

      They try so hard to be like Apple... they've smoked Apple on the hardware side, but the lack of quality on their software side just completely spoils their phones. So when a 0 day flaw pops up that allows one to completely take over a phone, it doesn't surprise me. Results like this usually correlate with high software engineer turnover with low management turnover, which should point to a solution: fire the management.

      I believe a good smartphone has both good hardware and software. Unfortunately for Samsung, this means that the crappy software on their phone equates to a crappy smartphone. Despite this I think your assessment is a little unfair to both companies. They both have different priorities:

      Samsung is trying to be bleeding edge with their flagship phone, so expect them to push the limits of their software developers. Anyway Samsung seems to be relying on hardware specs on the advertising lately, and so I don't expect them to wait for QA prior to releasing the next big phone. I think most people who already have an Android phone are used to having non-polished software, so Samsung is just addressing the demand for better hardware by the Android enthusiasts who probably root their phone immediately anyway.

      Apple on the other hand is over engineering their phones. They try to not add hardware features that their software isn't ready to support. Most of their market runs the iPhone as is, and therefore I agree with Apple's strategy. J.D. Powers seem to agree that Apple's system engineering approach is satisfying consumer expectations.

      I suspect that if you ask an Android fan what's important they will answer: Open software, fast cpu, cutting edge hardware, removable battery, and expandable memory. If you ask an Apple fan the same question, they will answer: Sleek styling, lightweight, tight-integration with their other Apple products, ease of use, no software issues, a large number of apps, and an easy to use App store. Since both camps have differing objectives and the fan base fervently believe that their world view is the best, we will continue to have these fanboy wars.

      I do find Samsung's current advertising a little distasteful and childish. I hope Samsung doesn't view the Android community that way.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    3. Re:Doesn't surprise me... Samsung software sucks by Doctor_Jest · · Score: 1

      What I've never understood is the non-user replaceable battery with (now almost all) Apple products. Why create a disposable anything at that price? And if it's not disposable, why do people sign up to be stuck taking the device (laptop/phone) to the Apple Store so they can overcharge labor and materials?

      Regardless of how great the phone may be (or laptop for that matter.) If I can't change the battery myself, I'm not buying it. That holds true for any device.... There's no need for that shit THIS far into commodity hardware. Back when equipment was fragile and new (and expensive), maybe I could see it, but these days people should at least have a choice. If, after all is said and done, someone's all thumbs, by all means take it to a store and have them replace the battery. Telling ME I have to just lost that company a sale. I may be in the minority, but I can't figure out why... convenience it ain't. Going to the damn Apple Store like some junkie needing a fix because Jobs' zombified corpse wanted all his toys hermetically sealed is just beyond stupid. The worst part of it is, Apple's products went from "closed" to "semi-open if you're not a technophobe" to "fairly open" back to "sealed with a curse"... laptops and all. I mean, RAM too? Who the hell are they kidding with that crapola? The Mac Pro is still "open", but they update that with the same frequency a turtle walks around the world. (Not to mention it's overpriced.) I guess I'm a dying breed. So be it. Saves me money. :)

      (Speaking of batteries, and other things, that's why I don't own a Vita or PSPGo, well, truthfully the only reason I didn't own a Go was it sucked ass....) :)

      --
      It's the Stay-Puft Marshmallow Man.
    4. Re:Doesn't surprise me... Samsung software sucks by Bill_the_Engineer · · Score: 1

      What I've never understood is the non-user replaceable battery with (now almost all) Apple products.

      To be fair. I'm using the same removable battery that came with my Android phone. My last Android phone that I upgraded from still has its original battery. I haven't purchased a replacement battery for either of my smartphones. I may have been lucky, but I have gone over 2 years of heavy use on my current phone (knock on wood).

      Why create a disposable anything at that price? And if it's not disposable, why do people sign up to be stuck taking the device (laptop/phone) to the Apple Store so they can overcharge labor and materials?

      The battery is replaceable, so I think the disposable comment is hyperbole. I don't see it that big a deal to take it to Apple to have it replaced. It's covered by the original warranty and Applecare covers it longer. If you didn't have a service plan and it's out of warranty, you're looking at $80. Samsung's S3 battery is listed at $70. I can probably find the battery for around $50 online somewhere. So at most, I risk paying an extra $30 on the off chance I need a replacement battery and I don't mind trying my luck at one of those discount battery stores. At the very least, I risk paying an extra $10.

      Anyway it seems people trade-in their old phones for the new one every two years, so the battery is probably a non-issue anyway. Except for those who buy used iPhones.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    5. Re:Doesn't surprise me... Samsung software sucks by Doctor_Jest · · Score: 1

      The battery is replaceable, so I think the disposable comment is hyperbole.

      I wasn't the one to coin that particular phrase, actually. I read it in an editorial from some tech website... it got me to thinking... soldered RAM, sealed cases, no (easily) removable battery.... it's becoming a commodity in the Appleverse. I believe the article made a valid point, and when you start considering the technical background of Apple's stereotypical customer, it doesn't seem so far-fetched. I don't think it'll come to that end, but it certainly brings to the forefront how things are cyclical. We had the freedom and now it's swinging back to removing that freedom (or at the very least, making it extremely difficult for those who aren't buying into the mindset Apple is putting out there.)

      I don't see it that big a deal to take it to Apple to have it replaced. It's covered by the original warranty and Applecare covers it longer. If you didn't have a service plan and it's out of warranty, you're looking at $80.

      I think you still have to factor in travel time, waiting periods, and so forth. For $70, you can most likely get a replacement Android battery shipped two-day air via Amazon (I did that for my Galaxy S. It was around $39 IIRC.) But the point I think we can take from this is that Apple (and other companies) are trying to wrest control of your devices from you and creating a dependence on their support/help while you own the product. If that's fine with most people, I respect that. I just don't like the idea. It feels like a step backwards. The tech that liberated us and advanced us is becoming another thing that tethers and restricts us. Sure, that's hyperbole, but it sounded good in my head. :)

      I think the iPhone has nice features, and it's very stylish, but I do not like the ecosystem surrounding Apple these days. To be fair and honest, I have a G5 tower and a Mac Mini... I have not been pleased with the direction of OS X, and plan to make the Mini an Ubuntu machine... whenever I get a wild hair. :) PPC Linux is a good idea for my boat anchor of a G5, but I need a new HDD as the reason it's a boat anchor at the moment. :)

      --
      It's the Stay-Puft Marshmallow Man.
    6. Re:Doesn't surprise me... Samsung software sucks by Bill_the_Engineer · · Score: 1

      I wasn't the one to coin that particular phrase, actually. I read it in an editorial from some tech website... it got me to thinking... soldered RAM, sealed cases, no (easily) removable battery.... it's becoming a commodity in the Appleverse.

      Actually iFixit has determined that the iPhone5 is easier to repair than the previous iPhones.

      I think you still have to factor in travel time, waiting periods, and so forth. For $70, you can most likely get a replacement Android battery shipped two-day air via Amazon (I did that for my Galaxy S. It was around $39 IIRC.)

      Or I could just drive two blocks to my local Apple store and have the battery replaced.

      I have not been pleased with the direction of OS X,

      I haven't had any problems with OS X. With a few tweaks my desktop operates the same it always has. I run mixed environment of Linux/OS X and haven't had my desktop get in the way.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  28. HOW???? by spire3661 · · Score: 1

    How is it possible at this age in computer development that we STILL design shit with giant holes in it? I honestly do not understand why it is so hard to make a robust and secure system. Is it because we demand so many features that they can't look at everything? How do you design a program that cannot be exploited? Why is it so very hard?

    --
    Good-bye
  29. On iPhone, can use alternate browser to avoid. by SuperKendall · · Score: 1

    iPhone
    Settings -> Browser of.... damn

    The exploit (ab)uses privileges Mobile Safari.

    That means ANY other browser you use on the device is safe from this attack, yes even though it's also using webkit. Like Chrome...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:On iPhone, can use alternate browser to avoid. by oakgrove · · Score: 1

      On iPhone, can use alternate browser to avoid.

      That means ANY other browser you use on the device is safe from this attack, yes even though it's also using webkit. Like Chrome...

      Many users (possibly even most) are content with the default browser so this is really a piss-poor solution. Not only that but last I checked iOS only opens links in other apps with Safari. It is doubtful a significant number of the people affected will be able or willing to do what it takes to fix this bug^H^H^H feature. For a mobile OS with one of its primary claims to fame being a satisfactory small-screen internet browsing experience to be so easily exploitable in the normal process of enjoying said experience is just embarrassing. So much for sandboxing and encryption and a walled-garden app store when all the hapless user has to do is surf to a given web page to get their device compromised. Truly shameful.

      --
      The soylentnews experiment has been a dismal failure.
    2. Re:On iPhone, can use alternate browser to avoid. by SuperKendall · · Score: 1

      Many users (possibly even most) are content with the default browser so this is really a piss-poor solution.

      Not really, it's a temporary fix for those concerned.

      People on Android all over the world are not going to be turning NFC off either even though that is a simple fix.

      As I said, within a week or so Apple will probably issue a patch fix which 90% of people will update to. Android users will have to live with the NFC vulnerability for years, possibly forever depending on the phone maker.

      For a mobile OS with one of its primary claims to fame being a satisfactory small-screen internet browsing experience to be so easily exploitable in the normal process of enjoying said experience is just embarrassing.

      Quite a lot less embarrassing than showing a happy video of people mocking iPhone users in line while they spread malware between themselves by bumping.

      Face it, the Android exploit is about 1000X worse than the Apple one.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:On iPhone, can use alternate browser to avoid. by Anonymous Coward · · Score: 0

      Not really, it's a temporary fix for those concerned.

      So the malware writers are just going to be nice and only target "those concerned"? They'll ignore the hundreds of millions of people using Safari not even realizing how precariously they are walking the rope between happy iPhone user and identity theft (and who knows what else) victim? Keep dreaming. The fact is that Safari is what most iOS users browse with and they aren't going to use anything else temporarily or otherwise. Adding to this is the fact that links open in Safari so even if users wanted to use something else they would inevitably be sucked back into Safari from time to time. This restriction on the part of Apple which once could be characterized as mere annoyance in light of this new threat now equates to negligence. If they are going to persist in making these kinds of arbitrary choices for their users then they should be held to the fire on it. You apologizing notwithstanding, hopefully less biased heads will carry the conversation.

      People on Android all over the world are not going to be turning NFC off either even though that is a simple fix.

      Practically one hundred percent of the iOS userbase would be severely inconvenienced if they had to studiously avoid using Safari. And since it loads links by default, many people would end up getting owned anyway since even if your fingers are fast enough to switch back to the home screen as soon as Safari pops up, how many people are going to know how to kill Safari and stop the web page from loading in the background? It's ridiculous how Apple has essentially set their users up to be sitting ducks for any exploit Safari happens to suffer from when the simplest solution would be to allow choice in the default browser. And now as payment for their customers' loyalty they have to suffer from Apple's arrogance.

      As I said, within a week or so Apple will probably issue a patch fix which 90% of people will update to.

      So for a week users' collective asses hang in the wind trying to play whack-a-mole to avoid using a pwned browser that cannot be removed nor can it be set as anything other than default. Great. Thanks Apple for making malware authors' jobs so much easier. Why bother looking for holes in anything else since users are de facto forced to rely on Safari at least some of the time if nothing else but to open links from other apps in a sane way. I know the iPhone 5 is a bit lackluster and I admit to wondering if some of the "magic" died when the real vision that Apple had passed on but now I'm wondering if they didn't just replace the decision makers with the real-life cast of Reno 911. It's getting that stupid.

      Android users will have to live with the NFC vulnerability for years, possibly forever depending on the phone maker.

      You are trying to equate an exploit for the non user-changeable default iOS browser which 90 plus percent of the userbase uses to a vulnerability that has only been demonstrated on one handset running one particular version of the OS that would require multiple contrived circumstances to duplicate in the real world. Are you even listening to yourself? Every iOS user uses Safari on a daily basis, a fraction of a percent of Android users have the combination of hardware, software, and habits necessary for the NFC exploit to ever make it out of the lab. Having read your comments for years I've come to expect a certain amount of intellectual dishonesty and false equivalency but you've really outdone yourself with the bullshit this time.

      Quite a lot less embarrassing than showing a happy video of people mocking iPhone users in line while they spread malware between themselves by bumping.

      Those ads you call "embarrassing" have actually been rated well on their effectiveness so I doubt Samsung has too much to be sad about. Wake me up when somebody in the real

  30. why bother hacking? "legitimate" apps do as much. by Anonymous Coward · · Score: 0

    Why bother hacking Android when you can republish some open-source app, or write a crappy flashlight app, and get all the same data, "legitimately," to Google's view?

  31. Good to know... by Bill_the_Engineer · · Score: 1

    Cool. A security exploit was found and now it can be fixed. A rational person would go, I'll just disable NFC and be okay.

    This being slashdot, we'll have more than our fair share of people insisting that this proves that Android is somehow inferior than their favorite brand of OS. This will in turn lead to Android fans pointing out how the other OS was also hacked. The next thing you know, we have an all out fanboy war on the comments. It's as if Slashdot editors are planning on this.

    Isn't there any cool news for geeks that isn't related to a cell phone?

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    1. Re:Good to know... by kiriath · · Score: 1

      I agree, I'm on the 'Other OS' team - but I still would like to be able to co-exist happily and not have massive flame wars back and forth.

      Any security hole is bad, no matter what it is found in. The real concern should be 'does it get fixed quickly' 'is there a current viable workaround' etc...

      That is why these conventions and contests are held and we should be grateful for them.

    2. Re:Good to know... by poofmeisterp · · Score: 1

      ...Isn't there any cool news for geeks that isn't related to a cell phone?

      In what age group? :)

  32. Re:NFC no thank you by Velorium · · Score: 1

    What you did there. I see it.

  33. News that should surprise nobody by GameboyRMH · · Score: 1

    The first time I saw NFC demonstrated, with phones receiving and acting on data without user consent, I LOL'd at what a security disaster it would surely be.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  34. That's the great thing about Android by thetoadwarrior · · Score: 1

    It has security holes and attracts malware. iOS only really has security holes.

  35. When you're using NFC, surely by joh · · Score: 1

    I am not totally sure why these handset hacks are always such big news. What are the chances that this can happen to a normal person? One, you would need to have NFC enabled, which people may do, but at least I never do by default. Two, you need physical access to the handset.
    Has it not been the case for a very long time that if you lose your handset that someone can use it, NFC or no NFC? Oh, and they need to trigger the exploit 185 times before it worked. I think we are still reasonably safe.

    The point is if you're actually using NFC the very device you're rubbing your phone against can run code on it, install software, whatever, without you actually noticing anything.

    Yes, if you're not using NFC you're safe.

    For establishing NFC this is very bad news. It's hardly used anywhere and can already take over your phone if you use it.

  36. You dont actually understand how this attack works by mjwx · · Score: 1

    2) On a subway or any other crowded environment, it's not hard to stay that close to someone for plenty of time.

    Wrong, We are talking millimetres here, it is very hard to keep your device within 2 or 3 centimetres of someone else's for any length of time without being noticed.

    Posting this from the article (which it looks like you haven't read).

    The flaw had to be triggered 185 times in the exploit code in order to overcome some of the vulnerability's limitations.

    OK, so they may need to attack me 185 times.

    The real world implications of this aren't significant. But it's good the vulnerability has been found so it can be patched in future versions.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  37. Re:You dont actually understand how this attack wo by hobarrera · · Score: 1

    Ever been on a crowded bus/subway? Distance between people tends to be 0cm at certain times of the day, not hard to put your cell phone next to someone else's pocket.

  38. Re:You dont actually understand how this attack wo by Paradise+Pete · · Score: 1

    Wrong, We are talking millimetres here, it is very hard to keep your device within 2 or 3 centimetres of someone else's for any length of time without being noticed.

    Clearly you don't watch much Japanese porn.

  39. Re:You dont actually understand how this attack wo by hazydave · · Score: 1

    If my phone is in my pocket screen-out, it's going to be nearly impossible to establish an NFC connection in a crowded subway. The phone itself (plus the battery... on my phone, the NFC antenna is actually in the battery, so that it can be close to the back surface) is a pretty good shield.

    --
    -Dave Haynie
  40. Re:You dont actually understand how this attack wo by Anonymous Coward · · Score: 0

    And, if they just go the next step and steal the phone, they can get whatever they want off of it and sell it... Or they can knife you and take your whole pack, purse and/or life. This vulnerability to 2cm away proximity is a tremendous flaw.

    BTW, my keyless entry system on my car is vulnerable to someone with specially built transceiver equipment fooling my car into opening for them, assuming they follow me into a restaurant and relay the signals to a device left in the parking lot next to my car. This does not keep me up at night, and my car has yet to be stolen. I'm much more likely to have my identity stolen because of info pulled from a hacked online retailer's database than someone with an NFC hack or virus. They're not all that common yet, it requires close proximity, and it will be patched long before it is common enough to be a viable vector for infection. Interesting, yes. Good reminder that every new technology exposes another surface that will be exploited by criminals and thieves. Worth panicking about? Reason not to have an S3? No. But if anyone disagrees, and they have an S3 they are now too scared to use, please leave your contact info. I'll safely take your phone off your hands, no charge.

  41. It's funny that Android users turn off a feature by unassimilatible · · Score: 1

    that the iPhone 5 was criticized by Android fanboys for not having.

    --
    Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
  42. Exactly! by unassimilatible · · Score: 1

    Android fanboys all over the Net pilloried iPhone 5 for not having NFC.

    --
    Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you