
Blame crap mobe apps for swap-by-bonk hacks, say NFC bods

Radio tech defended after hacker's revelations


The Near Field Communications (NFC) Forum has defended its short-range radio standard, and blamed flaws in apps that use the tech for the security vulnerabilities revealed at the Black Hat conference last week.

Charlie Miller, best known for his work in exposing security weaknesses on Apple smartphones and desktops, demonstrated weaknesses in NFC implementations including Android Beam – which allows simple peer-to-peer data exchange between two Android-powered devices using the radio-tag tech – and Nokia's NFC content-sharing and pairing tech. To do so, Miller tested Nokia's N9 handset, an NFC handset which runs on the MeeGo system, and the Samsung Nexus S and Google Galaxy Nexus - both of which use Android Beam.

The security researcher began his work by scanning the drivers, hardware and program stack on both Nokia MeeGo and Google Android for problems, using fuzzing, a software testing technique that injects random data to flush out bugs. He found some minor shortcomings using this approach, discovering a vulnerability in Android affecting all "Gingerbread" devices and "Ice Cream Sandwich" smartphones running flavours of Android prior to version 4.0.1.

But he was far more successful finding bugs at the application layer, involving the many applications that interface with NFC technology.

For example, an Android phone running the Android Beam app can simply touch another NFC-enabled Android device in order to get it to load a webpage controlled by the toucher. This means the technology can be used to initiate an attack that involves content loaded into a browser, not just the relatively secure NFC driver and kernel stack, greatly increasing the potential for mischief.

The Nokia Content Sharing app running on the Nokia N9 with MeeGo offers a route into the same type of attack. As with Android Beam, Nokia's Content Sharing app allows a user to force another person's smartphone to load a web page without any user interaction. Disturbingly, this works irrespective of whether or not the "Confirm Sharing and Connecting" setting is enabled.

The Nokia smartphone is configured to automatically pair with Bluetooth devices when its NFC tag-tapping functionality is switched on. In cases where Bluetooth is disabled, the phone will actually turn Bluetooth on and pair with devices without asking for permission, unless Confirm Sharing and Connecting is enabled.

Miller pointed out, for example, that the OS level handler for .png graphics files on the Nokia N9 contains known vulnerabilities. So a potential hacker would only need to force a targeted Nokia user to load a webpage containing PNG exploits in order to hijack his or her smartphone.

In one demo, Miller was able to view files on a targeted Android handset. Hacking the Nokia handset allowed Miller to send texts or make calls on the compromised device.

He concluded that NFC-enabled devices should offer an option to seek user confirmation before allowing data received over the NFC channel to be processed by an application, and that confirmation should be requested by default. NFC exploits are particularly nasty because, as things stand, certain smartphones can be made to download and execute a malicious payload without the user even knowing any interaction has occurred.
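The confirm-by-default handling Miller recommends, shown as an added example that is not from the article, his presentation or any handset vendor's code: a received NDEF message is length-checked and parsed, and a URI record is released to the browser only after the user has approved the full URI. The names `parse_ndef`, `handle`, `ask_user` and `SAMPLE` are hypothetical, and dropping every non-URI record is an assumed policy.

```python
# Added example, not code from the article or any vendor.
# Subset of URI identifier codes from the NFC Forum URI record type definition.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def parse_ndef(msg: bytes) -> list:
    """Split an NDEF message into (tnf, type, payload) tuples, checking lengths."""
    records, pos = [], 0
    while pos < len(msg):
        flags = msg[pos]
        short, has_id = bool(flags & 0x10), bool(flags & 0x08)
        if flags & 0x20:
            raise ValueError("chunked records are not handled here")
        hdr_len = 2 + (1 if short else 4) + (1 if has_id else 0)
        if pos + hdr_len > len(msg):
            raise ValueError("truncated record header")
        type_len = msg[pos + 1]
        plen_end = pos + 2 + (1 if short else 4)
        payload_len = int.from_bytes(msg[pos + 2:plen_end], "big")
        id_len = msg[plen_end] if has_id else 0
        body = pos + hdr_len
        end = body + type_len + id_len + payload_len
        if end > len(msg):
            raise ValueError("record length exceeds message")
        records.append((flags & 0x07, msg[body:body + type_len],
                        msg[body + type_len + id_len:end]))
        pos = end
        if flags & 0x40:  # ME bit: last record of the message
            break
    return records

def handle(msg: bytes, confirm: bool = True, ask_user=lambda prompt: False) -> list:
    """Return URIs cleared for dispatch; with confirm on, only user-approved ones."""
    approved = []
    for tnf, rtype, payload in parse_ndef(msg):
        # Hypothetical policy: only well-known URI records with a known prefix code.
        if tnf != 0x01 or rtype != b"U" or not payload or payload[0] not in URI_PREFIXES:
            continue
        uri = URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8", "replace")
        # Show the full URI so the user decides on what will actually be loaded.
        if not confirm or ask_user(f"Open {uri} (received over NFC)?"):
            approved.append(uri)
    return approved

# Constructed sample: a single short URI record for https://example.com
SAMPLE = bytes([0xD1, 0x01, 0x0C, 0x55, 0x04]) + b"example.com"
```

With the defaults, `handle(SAMPLE)` returns an empty list because the stand-in `ask_user` declines; a real handler would wire `ask_user` to an on-screen prompt.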

Miller's presentation, Don't stand so close to me: An analysis of the NFC attack surface, was one of the highlights of this year's Black Hat USA conference.

The NFC Forum praised Miller's work, and acknowledged the possibility of app bugs and implementation flaws, while stressing the overall robustness of NFC technology.

"Miller's demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences," the NFC Forum said in a statement published by NFC World. "The NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security."

Debbie Arnold, director of the NFC Forum, told NFC World.

However, the NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security. These tools include: (a) Signature RTD (NDEF Signing), a specification the NFC Forum has released to digitally sign messages transmitted between devices and tags; (b) ISO/IEC 13157, a data link security standard to complement higher-layer security, originally developed by the standardization body Ecma International; (c) application security (end-to-end encryption) defined by the service provider; and (d) additional security layers in service providers' respective back-end systems.

All of these activities and mechanisms work hand-in-hand. NFC solution providers may add security measures to their applications as they see fit, including both required and optional user actions to enable or disable functions.

Miller's demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences.

Smartphones from Google, Nokia and Samsung already ship with built-in NFC technology while Apple and Microsoft are both widely expected to add the short-range radio tech later this year. The killer application for the technology is "pay by tap", which has prompted the launch of many competing mobile wallets, including Google's Google Wallet, Orange's QuickTap, Visa's PayWave and MasterCard's PayPass.

Additional security commentary on Miller's presentation can be found in a blog post by Sophos here. ®
