Android Hacked Via NFC On the Samsung Galaxy S 3

← Back to Stories (view on slashdot.org)

Android Hacked Via NFC On the Samsung Galaxy S 3

Posted by timothy on Thursday September 20, 2012 @02:04AM from the use-barrier-methods dept.

An anonymous reader writes with an item from The Next Web: "Security researchers participating in the Mobile Pwn2Own contest at the EuSecWest Conference in Amsterdam [Wednesday] demonstrated how to hack Android through a Near Field Communication (NFC) vulnerability. The 0day exploit was developed by four MWR Labs employees (two in South Africa and two in the UK) for a Samsung Galaxy S 3 phone running Android 4.0.4 (Ice Cream Sandwich). Two separate security holes were leveraged to completely take over the device, and download all the data from it."

39 of 198 comments (clear)

Min score:

Reason:

Sort:

So am I safe? by Anonymous Coward · 2012-09-20 02:08 · Score: 5, Funny

This was hacked via NFC. But I live in Pittsburgh, and the Steelers are in the AFC.
So I can assume I am safe?
1. Re:So am I safe? by davester666 · 2012-09-20 05:17 · Score: 5, Funny
  
  No. Your defense is weak.
  
  --
  Sleep your way to a whiter smile...date a dentist!
And... iOS6 by jkflying · 2012-09-20 02:09 · Score: 5, Informative

At the same event, they also hacked iOS6. Just to give an unbiased view...

--
Help I am stuck in a signature factory!
1. Re:And... iOS6 by Anonymous Coward · 2012-09-20 02:10 · Score: 5, Funny
  
  You must be new here.
2. Re:And... iOS6 by jkflying · 2012-09-20 02:10 · Score: 2
  
  http://thenextweb.com/apple/2012/09/19/dutch-security-researchers-hack-apple-iphone-4s-exploiting-safari/
  
  --
  Help I am stuck in a signature factory!
3. Re:And... iOS6 by jkflying · 2012-09-20 02:14 · Score: 4, Informative
  
  Read the link:
  http://thenextweb.com/apple/2012/09/19/dutch-security-researchers-hack-apple-iphone-4s-exploiting-safari/
  They did it via a malicious webpage, which IMO is even worse than via NFC.
  
  --
  Help I am stuck in a signature factory!
4. Re:And... iOS6 by jkflying · 2012-09-20 02:15 · Score: 4, Insightful
  
  They did it via a malicious webpage. I said hack, not jailbreak.
  
  --
  Help I am stuck in a signature factory!
5. Re:And... iOS6 by TeRanEX · 2012-09-20 02:29 · Score: 5, Funny
  
  At the same event, they also hacked iOS6. Just to give an unbiased view...
  So apple can now sue Samsung because they copied the 'security issues'-feature from the iphone into the Galaxy?
6. Re:And... iOS6 by Graham+J+-+XVI · 2012-09-20 02:47 · Score: 2
  
  They both have web exploits but the Android variety can be triggered simply by being nearby an attacker. The iOS one needs a tricked user.
7. Re:And... iOS6 by LordLimecat · 2012-09-20 03:01 · Score: 2
  
  To give the unbiased view, a hack via website is bad, but one via NFC seems a lot worse (although one hopes you would be suspicious when a stranger starts holding your android up to his; its not exactly "stealthy").
8. Re:And... iOS6 by UnknowingFool · 2012-09-20 03:16 · Score: 4, Informative
  
  Also for unbiased view, Pwn2Own is turn based as far as I remember. So any gloating that X device was first to be pwned is meaningless. Teams register before the contest. Team order is chosen randomly (drawing straws, 12 sided dice, whatever). The first team decides which device to be hacked and is given a time period to do so. If they succeed, they get the device. If the first team fails, the second team gets their chance and choice of device. If the first team succeeds, the next team with an unhacked device goes. Some teams register for multiple devices to get a better chance to win something.
  So gloating that iOS or Androd was first to be pwned is useless. It doesn't tell anything about ease of hack or relative security of devices. What matters if they were pwned.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
9. Re:And... iOS6 by Anonymous Coward · 2012-09-20 03:23 · Score: 2, Interesting
  
  Worse? People visit a dozen websites everyday, but how often do they bump phones with somebody else?
  More than that, to prevent NFC hack you just have to flip it off, but to prevent hack via rogue ad iframe... well, if it was Android, you could just block the ads, for example, even with hosts file, or use a different browser, but on iOS you're SoL.
  Good thing for Apple this is before iOS6 release, not right after.
10. Re:And... iOS6 by h4rr4r · 2012-09-20 03:52 · Score: 2
  
  2 centimeters is pretty darn close. How close do you stand to people?
11. Re:And... iOS6 by Graham+J+-+XVI · 2012-09-20 04:00 · Score: 2
  
  The idea being that it's ok to have an insecure wireless interface on your smartphone as long as you don't have to be *too* close to it for it to work?
  NFC stations are not usually on other people, they're in stores and random other places that entice you to use it. A hacked or augmented genuine NFC reader could be made to steal your data, for example.
12. Re:And... iOS6 by hobarrera · 2012-09-20 04:14 · Score: 3, Insightful
  
  Ever been on the subway or a bus? It's around 0cm in either of those during some hours of the day.
13. Re:And... iOS6 by rjr162 · 2012-09-20 04:37 · Score: 2
  
  You didn't read the article did you?
  "The security researchers used a malicious webpage to send the iPhone 4S’ address book, browsing history, photos, and videos to a server of their choice. It was a drive-by download attack, meaning the user just has to go to the website, but doesn’t have to click (err, tap) on anything to have their data stolen. Furthermore, the site does not crash the browser, so the user is oblivious to losing their data."
  Yeah, that sounds just like jailbreaking doesn't it?
14. Re:And... iOS6 by Graham+J+-+XVI · 2012-09-20 04:39 · Score: 2
  
  It is indeed. The difference is your average Joe is fairly likely to know now that he shouldn't click on a link from an unknown address, or his email AV will have sanitized it first. Even if he keeps NFC turned off most of the time (which is not the default) he'll still have to turn it on to, for example, pay for something, and I think that's when it will be most dangerous.
15. Re:And... iOS6 by 93+Escort+Wagon · 2012-09-20 05:49 · Score: 2
  
  Samsung will defend themselves by claiming their vulnerability is an inferior implementation compared to iOS's.
  
  --
  #DeleteChrome
Is it really such a big deal? by pablo_max · 2012-09-20 02:11 · Score: 4, Informative

I am not totally sure why these handset hacks are always such big news. What are the chances that this can happen to a normal person? One, you would need to have NFC enabled, which people may do, but at least I never do by default. Two, you need physical access to the handset.
Has it not been the case for a very long time that if you lose your handset that someone can use it, NFC or no NFC? Oh, and they need to trigger the exploit 185 times before it worked. I think we are still reasonably safe.
1. Re:Is it really such a big deal? by CimmerianX · 2012-09-20 02:15 · Score: 3, Interesting
  
  The Hacks just prove that there is a rush to implement new technology without considering the security implications of the tech.
  This is just history repeating itself. Every company wants to be the first to announce this brand new, 'cool' feature, but none will wait for the 'geeks' to test it for security issues.
2. Re:Is it really such a big deal? by fuzzyfuzzyfungus · 2012-09-20 02:28 · Score: 3, Insightful
  
  The Hacks just prove that there is a rush to implement new technology without considering the security implications of the tech.
  This is just history repeating itself. Every company wants to be the first to announce this brand new, 'cool' feature, but none will wait for the 'geeks' to test it for security issues.
  The irksome thing is that, while NFC is mildly novel in terms of the RF tricks(supporting both active/passive RFID-type use cases and short-range active/active ones), and I could see there being some teething pains on that side, these attacks are on NFC as an external data bus that wasn't attended to properly... Some sort of 'specially crafted responses cause hard lockup on $FOOCORP NFIC123 chips with firmware 1.0A' attack would be bad; but more or less par for the course. A more generic 'Hi guys! We added another wireless interface to your phone that happily talks to anything nearby by default, and even automatically executes certain local commands based on what it hears, that's cool, right?" mistake is... unimpressive.
  NFC may be new; but the fact that an easily accessible external bus would be an attack vector, against which you should be on your guard, sure isn't. It's less clunky that having some 80's 25-pin RS-232 port on the back of your phone; but it's conceptually pretty similar.
3. Re:Is it really such a big deal? by vawwyakr · 2012-09-20 02:32 · Score: 5, Insightful
  
  I think that is pretty key here, 185 times at the range of less than and inch or so is basically someone sitting there next to you pretty much touching you for 5 minutes. Obviously this is something that needs to be fixed but I'll hold off on my panic just yet. Even if it worked on the first try someone would have to first identify you as having a vulnerable phone, and where you have if (ie which pocket, etc) then get so close as to be practically touching you and then they have to hope that you have nfc enabled. This isn't some sort of thing you can do just casually walking down the street. It might be an issue for a particular person being targeted but not very likely for a random attack.
4. Re:Is it really such a big deal? by wile_e8 · 2012-09-20 02:50 · Score: 3, Informative
  
  Launching Tasks
  Sharing Wifi
  Just a couple I use off the top of my head
5. Re:Is it really such a big deal? by vawwyakr · 2012-09-20 03:07 · Score: 4, Insightful
  
  So that assumption here is what? Someone walks down the street bumping into random strangers repeatedly hoping that:
  
  1) The bump into the side where the strangers phone was being held.
  2) The two phones are perfectly at the same height (presumably in a pocket).
  3) The strangers phone is vulnerable.
  4) They have NFC enabled.
  5) They could hold the phones in contact for the about of time necessary to transfer both an overloaded filed (presumably exceeded a buffer limit) and THEN also transfer the app compromised app that allows the actual hack to work (over a connection with a maximum bandwidth of a few hundred kbits/s).
  6) Then after the hack succeeded they remained in contact long enough for the data from the strangers phone to be transferred back to the hackers phone.
  
  All with anyone noticing? That's all assuming they fix whatever issue was causing it to need to be run 185 times before it finally worked? Assuming those 185 times were the incremental transfers of all the data needed? Again I'm still not scared. And this is fixed in Jelly bean (which my S3 is running...doom on you close talking random guy on the street thinking you finally found someone with an S3 to stand uncomfortably close to!).
Jelly bean fixes this? by Terry+Pearson · 2012-09-20 02:14 · Score: 2

The article eludes to the fact that Jellybean may fix this. All the more reason for carriers and manufactures to expedite upgrades.
DEFCON 20 by phantomcircuit · 2012-09-20 02:14 · Score: 2

This was demonstrated at DEFCON 20. He live demo'd rooting an android device using NFC to open the browser and a brwoser exploit to gain root. https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Miller
Not exactly practical by ThunderBird89 · 2012-09-20 02:17 · Score: 3, Informative

Given the short range and low bandwidth (424 kilobits/s) of NFC technology, this is more of an esoteric attack than a practical one. I think I'd notice someone shadowing me with a hand at my pocket to connect to my Nexus S via its NFC chip and pull data from it...
Still, it's a show of force (and vulnerabilities).

--
Hyperbole: I use it liberally!
1. Re:Not exactly practical by jkflying · 2012-09-20 02:27 · Score: 3, Interesting
  
  They don't need to. Just upload a little executable that sends everything over wifi/3G to them, and listens to new commands over those interfaces as well.
  
  --
  Help I am stuck in a signature factory!
2. Re:Not exactly practical by fuzzyfuzzyfungus · 2012-09-20 02:35 · Score: 5, Insightful
  
  The more worrisome thing is probably that NFC is built in in the hope that swiping it all over the place against untrusted devices will become a normal behavior(sort of the way that attacks against the USB charge/data port are wildly impractical, until random charging kiosks start popping up in airports and all over the place, at which point behavioral protection goes out the window, and a bunch of systems intended only to connect to your home PC start getting shoved into god-knows-what...). Sure, as an attack to execute against the phone in your pocket, it is only marginally more practical than making a stab for the USB port; but if the happy-magic-future-of-even-more-middlemen-and-fees comes to pass, you'll see anywhere between several and dozens of readers a day getting a chance to try whatever they want when you shove your phone onto the pad(plus, if ATMs and mag stripe skimming are any indication, it will be about 20 minutes before somebody comes out with a nice little stick-on thin-circuit-in-rugged-sticker NFC 'skimmer' that can be planted on top of legitimate NFC pads and will do its best to MitM legitimate conversations or attack devices while they converse with the genuine NFC pad and log the results).
It's a good thing I don't go bumping/grinding by BMOC · 2012-09-20 02:19 · Score: 3, Informative

against random hackers while having my cell phone in my pocket at the geek-overloaded dance clubs on a regular basis... I guess I'm safe for now.
Key phrase from the report: by holding two Galaxy S 3s next to each other .

--
I swear they give me mod points to shut me up.
to be fair by batistuta · 2012-09-20 02:20 · Score: 3, Insightful

you also need to have NFC enabled on your Galaxy for this to work. NFC is enabled by default, sure. But it can be disabled easily. I also find myself living happily without NFC, but not without tethering, which I use daily during my bus commute.
So my point is that both vulnerabilities suck, and which one sucks the most depends solely on your use-case. There is no point in saying that one device is more secure than the other, both Apple and Google seem to suck big time here. You should not store any sensitive data on your phone.
1. Re:to be fair by ToastedRhino · 2012-09-20 04:29 · Score: 2
  
  you also need to have NFC enabled on your Galaxy for this to work.
  No, you don't. If you take a minute to RTFA you'll see this:
  
  The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments.
  They chose to use NFC for the novelty effect. This could just as easily have been done via a malicious website.
  Yes both vulnerabilities suck, but they are not equal. For instance, the iOS attack allowed the stealing of contacts, pictures, video, and browsing history. Things that are supposed to be protected in iOS, but in this case weren't sufficiently so. The Android attack allowed the execution of arbitrary code. These two things are not the same, though both definitely need to be fixed ASAP. And to be fair, JB may have already patched the holes in Android, provided people can actually get it on their phones this is a really good thing.
2. Re:to be fair by batistuta · 2012-09-20 08:40 · Score: 2
  
  you also need to have NFC enabled on your Galaxy for this to work.
  No, you don't. If you take a minute to RTFA you'll see this:
  
  The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments.
  Yes, you do. What you are describing is a different way to accomplish the attack. As an end user, I don't care if the underlying exploit is similar, I only care about how I can be affected by it. This leads to the next point.
  
  They chose to use NFC for the novelty effect.
  No, they've chosen NFC because now more phones have it, but mostly because it allows accomplishing the attack without any user intervention at all. People could avoid getting hacked from visiting malicious websites, simply by limiting themselves to trusted sites. Most people only frequent their usual places. But the NFC is a hidden vector that many users are not even aware of.
  As I've mentioned in my first post, I could live with an NFC or browser vulnerability, but not with a tethering one. Other people will think the opposite. At the end of the day, these news make wish you didn't depend on your cell phone so much, because there are always security holes in there.
  I find it funny when automotive industry push to connect their cars to the network, as if they could do any better.
Re:Well that stinks by dmacleod808 · 2012-09-20 02:40 · Score: 2

Whilst if Apple acknowledges the security issue, they will fix it pretty quick for ALL devices, OTA.

--
There Can Be Only One...
NFC Doesn't Work That Easily by Chibi+Merrow · 2012-09-20 02:49 · Score: 5, Informative

With this Galaxy 3 NFC hack, a stranger could do it sitting next to you on the bus.
No, they'd have to be sitting next to me on the bus AND physically touch my phone with another device long enough to trigger NFC AND I have to have NFC enabled AND keep the devices in physical contact long enough for the download to complete OR hope that I have an active data connection AND the right web browser set as my default so their specially crafted web page loads to root my device...
Except that (since I have like six web browsers installed) it requires me to interact with the phone to pick the web browser to open the page... A lot more difficult to arrange than "sitting next to someone".
Also, the ASLR implementation is known to be incomplete on ICS. It's apparently fully fixed on Jelly Bean, so this hack shouldn't be possible on the S3 in a couple months, when the update is rolled out. Likewise, all of the Nexus NFC devices have been updated to Jelly Bean, so they're secure.
Yeah, it's sad that the hack was possible, but it was due to flaws in the OS, not due to problems with NFC, and only under a very contrived set of circumstances...

--
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
1. Re:NFC Doesn't Work That Easily by hobarrera · 2012-09-20 04:16 · Score: 2
  
  1) Average users don't install several browsers.
  2) On a subway or any other crowded enviroment, it's not hard to stay that close to someone for plenty of time.
  3) "Rolled in a few months" can also be read as "All S3's will be vulnerable for several more months".
  4) Average users don't change the defaults, including disabling the NFC.
Only on Slashdot by EGSonikku · 2012-09-20 03:38 · Score: 5, Insightful

Someone discusses an NFC hack to root and steal data off Android and half the posts are "Apple isn't secure either!"
Focus people! Slashdot is supposed to be the home of Linux and Open Source and über hacks! Why isn't anyone deceminating how this hack works and posting some kind of work-around that isn't just "Don't use NFC" (a feature which Apple gets derided for not having)?
Remember, a fix isn't "Don't use NFC and switch to another browser." Let's assume a user *likes* NFC, and *likes* his web browser as it is. Lets *fix* the problem here. Any thoughts or conjecture?

--
- "Scientia non habet inimicum nisp ignorantem"
Sure, exactly the same by SuperKendall · 2012-09-20 04:00 · Score: 2, Informative

Yes, iOS6 was hacked. So if you were lured into visiting some bad web site site someone could potentially see your address book and photos - Oh no!
Meanwhile everyone you bump with the S3 could be a carrier of a filthy, filthy disease that would render your entire system open to keyloggers or whatever.
The iOS6 attack is read only, the NFC attack write...

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Re:Well that stinks by CoolVC · 2012-09-20 04:22 · Score: 2

Good question. That's part do the reason I have an iPhone. Less carrier involvement in everything.