
Blame crap mobe apps for swap-by-bonk hacks, say NFC bods

Radio tech defended after hacker's revelations


The Near Field Communications (NFC) Forum has defended its short-range radio standard, and blamed flaws in apps that use the tech for the security vulnerabilities revealed at the Black Hat conference last week.

Charlie Miller, best known for his work in exposing security weaknesses on Apple smartphones and desktops, demonstrated weaknesses in NFC implementations including Android Beam – which allows simple peer-to-peer data exchange between two Android-powered devices using the radio-tag tech – and Nokia's NFC content-sharing and pairing tech. To do so, Miller tested Nokia's N9 handset, an NFC handset which runs on the MeeGo system, and the Samsung Nexus S and Google Galaxy Nexus - both of which use Android Beam.

The security researcher began his work by scanning the drivers, hardware and program stack on both Nokia MeeGo and Google Android for problems, using fuzzing, a software testing technique that injects random data to flush out bugs. He found some minor shortcomings using this approach, discovering a vulnerability in Android affecting all "Gingerbread" devices and "Ice Cream Sandwich" smartphones running flavours of Android prior to version 4.0.1.

But he was far more successful finding bugs at the application layer, involving the many applications that interface with NFC technology.

For example, an Android phone running the Android Beam app can simply touch another NFC-enabled Android in order to get it to load a webpage controlled by the toucher. This means the technology can be used to initiate an attack that involves content loaded into a browser, not just the relatively secure NFC driver and kernel stack, greatly increasing the potential for mischief.

The Nokia Content Sharing app running on the Nokia N9 with MeeGo offers a route into the same type of attack. As with Android Beam, Nokia's Content Sharing app allows a user to force another person's smartphone to load a web page without any user interaction. Disturbingly, this works irrespective of whether or not the "Confirm Sharing and Connecting" setting is enabled.

The Nokia smartphone is configured to automatically pair with Bluetooth devices when its NFC tag-tapping functionality is switched on. In cases where Bluetooth is disabled, the phone will actually turn Bluetooth on and pair with devices without asking for permission, unless Confirm Sharing and Connecting is enabled.

Miller pointed out, for example, that the OS-level handler for .png graphics files on the Nokia N9 contains known vulnerabilities. So a potential hacker would only need to force a targeted Nokia user to load a webpage containing PNG exploits in order to hijack his or her smartphone.

In one demo, Miller was able to view files on a targeted Android handset. Hacking the Nokia handset allowed Miller to send texts or make calls on the compromised device.

He concluded that NFC-enabled devices should offer an option to seek user confirmation before allowing data received over the NFC channel to be processed by an application, and that confirmation should be requested by default. NFC exploits are particularly nasty because, as things stand, certain smartphones can be made to download and execute a malicious payload without the user even knowing any interaction has occurred.
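Miller's confirm-by-default recommendation can be sketched as a gate between the NFC stack and the browser. The following is an added example, not code from Miller, the NFC Forum or any handset vendor: it parses a received NDEF message and hands a URI to the caller only after a confirmation callback approves it. The names `parse_ndef`, `decide` and `user_confirms` are hypothetical.

```python
import struct

# Added example (hypothetical names). Subset of the NFC Forum URI record prefix codes.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def parse_ndef(data: bytes):
    """Parse an NDEF message into (tnf, type, payload) tuples; ValueError if malformed."""
    records, pos = [], 0
    while pos < len(data):
        try:
            flags, type_len = data[pos], data[pos + 1]
            pos += 2
            if flags & 0x10:                       # SR flag: 1-byte payload length
                payload_len = data[pos]
                pos += 1
            else:                                  # otherwise 4 bytes, big-endian
                (payload_len,) = struct.unpack_from(">I", data, pos)
                pos += 4
            id_len = 0
            if flags & 0x08:                       # IL flag: ID length byte present
                id_len = data[pos]
                pos += 1
        except (IndexError, struct.error):
            raise ValueError("truncated NDEF header") from None
        end = pos + type_len + id_len + payload_len
        if end > len(data):                        # declared lengths overrun the buffer
            raise ValueError("record length exceeds message")
        records.append((flags & 0x07, data[pos:pos + type_len], data[pos + type_len + id_len:end]))
        pos = end
        if flags & 0x40:                           # ME flag: last record of the message
            break
    return records

def decide(data: bytes, user_confirms) -> str:
    """Return 'open:<uri>', 'declined' or 'ignored'; nothing opens unless user_confirms(uri)."""
    try:
        records = parse_ndef(data)
    except ValueError:
        return "ignored"                           # malformed input is dropped, not dispatched
    for tnf, rtype, payload in records:
        if tnf == 0x01 and rtype == b"U" and payload and payload[0] in URI_PREFIXES:
            uri = URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8", "replace")
            return f"open:{uri}" if user_confirms(uri) else "declined"
    return "ignored"

# Constructed sample: a single short URI record carrying https://example.com/
SAMPLE = bytes([0xD1, 0x01, 0x0D, 0x55, 0x04]) + b"example.com/"
```

On a handset, `user_confirms` would be the on-screen prompt showing the full URI; the behaviour the article describes corresponds to a callback that always returns true.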

Miller's presentation, Don't stand so close to me: An analysis of the NFC attack surface, was one of the highlights of this year's Black Hat USA conference.

The NFC Forum praised Miller's work, and acknowledged the possibility of app bugs and implementation flaws, while stressing the overall robustness of NFC technology.

"Miller's demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences," the NFC Forum said in a statement published by NFC World. "The NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security."

Debbie Arnold, director of the NFC Forum, told NFC World.

However, the NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security. These tools include: (a) Signature RTD (NDEF Signing), a specification the NFC Forum has released to digitally sign messages transmitted between devices and tags; (b) ISO/IEC 13157, a data link security standard to complement higher-layer security, originally developed by the standardization body Ecma International; (c) application security (end-to-end encryption) defined by the service provider; and (d) additional security layers in service providers' respective back-end systems.

All of these activities and mechanisms work hand-in-hand. NFC solution providers may add security measures to their applications as they see fit, including both required and optional user actions to enable or disable functions.

Miller's demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences.

Smartphones from Google, Nokia and Samsung already ship with built-in NFC technology while Apple and Microsoft are both widely expected to add the short-range radio tech later this year. The killer application for the technology is "pay by tap", which has prompted the launch of many competing mobile wallets, including Google's Google Wallet, Orange's QuickTap, Visa's PayWave and MasterCard's PayPass.

Additional security commentary on Miller's presentation can be found in a blog post by Sophos here. ®
