Blame crap mobe apps for swap-by-bonk hacks, say NFC bods

Radio tech defended after hacker's revelations

The Near Field Communications (NFC) Forum has defended its short-range radio standard, and blamed flaws in apps that use the tech for the security vulnerabilities revealed at the Black Hat conference last week.

Charlie Miller, best known for his work in exposing security weaknesses on Apple smartphones and desktops, demonstrated weaknesses in NFC implementations including Android Beam – which allows simple peer-to-peer data exchange between two Android-powered devices using the radio-tag tech – and Nokia's NFC content-sharing and pairing tech. To do so, Miller tested Nokia's N9 handset, an NFC handset which runs on the MeeGo system, and the Samsung Nexus S and Google Galaxy Nexus - both of which use Android Beam.

The security researcher began his work by scanning the drivers, hardware and program stack on both Nokia MeeGo and Google Android for problems, using fuzzing, a software testing technique that injects random data to flush out bugs. He found some minor shortcomings using this approach, discovering a vulnerability in Android affecting all "Gingerbread" devices and "Ice Cream Sandwich" smartphones running flavours of Android prior to version 4.0.1.

But he was far more successful finding bugs at the application layer, involving the many applications that interface with NFC technology.

For example, an Android phone running the Android Beam app can simply touch another NFC-enabled Android device in order to get it to load a webpage controlled by the toucher. This means the technology can be used to initiate an attack that involves content loaded into a browser, not just the relatively secure NFC driver and kernel stack, greatly increasing the potential for mischief.

The Nokia Content Sharing app running on the Nokia N9 with MeeGo offers a route into the same type of attack. As with Android Beam, Nokia's Content Sharing app allows a user to force another person's smartphone to load a web page without any user interaction. Disturbingly, this works irrespective of whether or not the "Confirm Sharing and Connecting" setting is enabled.

The Nokia smartphone is configured to automatically pair with Bluetooth devices when its NFC tag-tapping functionality is switched on. In cases where Bluetooth is disabled, the phone will actually turn Bluetooth on and pair with devices without asking for permission, unless Confirm Sharing and Connecting is enabled.

Miller pointed out, for example, that the OS-level handler for .png graphics files on the Nokia N9 contains known vulnerabilities. So a potential hacker would only need to force a targeted Nokia user to load a webpage containing PNG exploits in order to hijack his or her smartphone.

In one demo, Miller was able to view files on a targeted Android handset. Hacking the Nokia handset allowed Miller to send texts or make calls on the compromised device.

He concluded that NFC-enabled devices should offer an option to seek user confirmation before allowing data received over the NFC channel to be processed by an application, and that confirmation should be requested by default. NFC exploits are particularly nasty because, as things stand, certain smartphones can be made to download and execute a malicious payload without the user even knowing any interaction has occurred.
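Miller's recommendation, sketched as an added example (not code from the article, the researcher or any vendor): a minimal NDEF message parser plus a dispatch policy that asks for confirmation by default before a received URI is opened or a Bluetooth pairing is started. The function names, the `confirm_by_default` parameter and the sample message are constructed for illustration.

```python
from dataclasses import dataclass

# URI identifier codes (subset) from the NFC Forum URI record type definition.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
BT_OOB_TYPE = b"application/vnd.bluetooth.ep.oob"  # Bluetooth pairing handover
# Constructed sample: one short well-known URI record for http://example.com
SAMPLE = bytes([0xD1, 0x01, 0x0C]) + b"U" + b"\x03example.com"

@dataclass
class Record:
    tnf: int        # type name format (low 3 bits of the header byte)
    type: bytes
    payload: bytes

def parse_ndef(msg):
    """Parse an NDEF message into records; reject truncated or chunked input."""
    records, pos = [], 0
    def take(n):
        nonlocal pos
        if pos + n > len(msg):  # never read past the received buffer
            raise ValueError("truncated NDEF record")
        chunk = msg[pos:pos + n]
        pos += n
        return chunk
    while pos < len(msg):
        flags = take(1)[0]
        if flags & 0x20:  # CF: chunked payloads are refused, not reassembled
            raise ValueError("chunked records not supported")
        type_len = take(1)[0]
        # SR set: 1-byte payload length, otherwise 4 bytes big-endian
        payload_len = take(1)[0] if flags & 0x10 else int.from_bytes(take(4), "big")
        id_len = take(1)[0] if flags & 0x08 else 0  # IL: optional ID field
        rtype = take(type_len)
        take(id_len)
        records.append(Record(flags & 0x07, rtype, take(payload_len)))
        if flags & 0x40:  # ME: last record of the message
            break
    return records

def decide(rec, confirm_by_default=True):
    """Return (action, detail); action is 'confirm', 'auto' or 'ignore'."""
    if rec.tnf == 0x01 and rec.type == b"U" and rec.payload:
        prefix = URI_PREFIXES.get(rec.payload[0])
        if prefix is None:
            return ("ignore", "unknown URI prefix code")
        detail = "open " + prefix + rec.payload[1:].decode("utf-8", "replace")
    elif rec.tnf == 0x02 and rec.type == BT_OOB_TYPE:
        detail = "enable Bluetooth and pair"
    else:
        return ("ignore", "unhandled record type")
    return ("confirm" if confirm_by_default else "auto", detail)
```

The `detail` string is what a confirmation prompt would show the user, so the destination is visible before the browser or the Bluetooth stack is invoked.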

Miller's presentation, Don't stand so close to me: An analysis of the NFC attack surface, was one of the highlights of this year's Black Hat USA conference.

The NFC Forum praised Miller's work, and acknowledged the possibility of app bugs and implementation flaws, while stressing the overall robustness of NFC technology.

"Miller's demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences," the NFC Forum said in a statement published by NFC World. "The NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security."

Debbie Arnold, director of the NFC Forum, told NFC World.

However, the NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security. These tools include: (a) Signature RTD (NDEF Signing), a specification the NFC Forum has released to digitally sign messages transmitted between devices and tags; (b) ISO/IEC 13157, a data link security standard to complement higher-layer security, originally developed by the standardization body Ecma International; (c) application security (end-to-end encryption) defined by the service provider; and (d) additional security layers in service providers' respective back-end systems.

All of these activities and mechanisms work hand-in-hand. NFC solution providers may add security measures to their applications as they see fit, including both required and optional user actions to enable or disable functions.

Miller's demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences.

Smartphones from Google, Nokia and Samsung already ship with built-in NFC technology while Apple and Microsoft are both widely expected to add the short-range radio tech later this year. The killer application for the technology is "pay by tap", which has prompted the launch of many competing mobile wallets, including Google's Google Wallet, Orange's QuickTap, Visa's PayWave and MasterCard's PayPass.

Additional security commentary on Miller's presentation can be found in a blog post by Sophos here. ®
