Blame crap mobe apps for swap-by-bonk hacks, say NFC bods
The Near Field Communications (NFC) Forum has defended its short-range radio standard, and blamed flaws in apps that use the tech for the security vulnerabilities revealed at the Black Hat conference last week.
Charlie Miller, best known for his work in exposing security weaknesses on Apple smartphones and desktops, demonstrated weaknesses in NFC implementations including Android Beam – which allows simple peer-to-peer data exchange between two Android-powered devices using the radio-tag tech – and Nokia’s NFC content-sharing and pairing tech. To do so, Miller tested Nokia’s N9 handset, an NFC handset which runs on the MeeGo system, and the Samsung Nexus S and Google Galaxy Nexus – both of which use Android Beam.
The security researcher began his work scanning the drivers, hardware and program stack on both Nokia Meego and Google Android for problems, using fuzzing, a software testing technique using random data injection to flush out bugs. He found some minor shortcomings using this approach, discovering a vulnerability in Android affecting all “Gingerbread” devices and “Ice Cream Sandwich” smartphones running flavours of Android prior to version 4.0.1.
But he was far more successful finding bugs at the application layer, involving the many applications that interface with NFC technology.
For example, an Android phones running the Android Beam app can simply touch another NFC-enabled Android in order to get it to load a webpage controlled by the toucher. This means the technology can be used to initiate an attack that involves content loaded into a browser, not just the relatively secure NFC driver and kernel stack, greatly increasing the potential for mischief.
The Nokia Content Sharing app running on the Nokia N9 with Meego offers a route into the same type of attack. As with Android Beam, Nokia’s Content Sharing app allows a user to force another person’s smartphone to load a web page without any user interaction. Disturbingly, this works irrespective of the whether or not the “Confirm Sharing and Connecting” setting is enabled.
The Nokia smartphone is configured to automatically pair with Bluetooth devices when its NFC tag-tapping functionality is switched on. In cases where Bluetooth is disabled, the phone will actually turn Bluetooth on and pair with devices without asking for permission, unless Confirm Sharing and Connecting is enabled.
Miller pointed out, for example, that the OS level handler for.png graphics files on the Nokia N9 contains known vulnerabilities. So a potential hacker would only need to force a targeted Nokia user to load a webpage containing PNG exploits in order to hijack his or her smartphone.
In one demo, Miller was able to view files on a targeted Android handset. Hacking the Nokia handset allowed Miller to send texts or make calls on the compromised device.
He concluded that NFC-enabled devices should offer an option to seek user confirmation before allow data received over NFC channel to be processed by application, and that confirmation should be requested by default. NFC exploits are particularly nasty because, as things stand, certain smartphones can be made to download and execute a malicious payload without the user even knowing any interaction has occurred.
Miller’s presentation, Don’t stand so close to me: An analysis of the NFC attack surface, was one of the highlights of this year’s Black Hat USA conference.
The NFC Forum praised Miller’s work, and acknowledged the possibility of app bugs and implementation flaws, while stressing the overall robustness of NFC technology.
“Miller’s demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences,” the NFC Forum said in a statement published by NFC World. “The NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security.”
Debbie Arnold, director of the NFC Forum, told NFC World.
However, the NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security. These tools include: (a) Signature RTD (NDEF Signing), a specification the NFC Forum has released to digitally sign messages transmitted between devices and tags; (b) ISO/IEC 13157, a data link security standard to complement higher-layer security, originally developed by the standardization body Ecma International; (c) application security (end-to-end encryption) defined by the service provider; and (d) additional security layers in service providers’ respective back-end systems.
All of these activities and mechanisms work hand-in-hand. NFC solution providers may add security measures to their applications as they see fit, including both required and optional user actions to enable or disable functions.
Miller’s demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences.
Smartphones from Google, Nokia and Samsung already ship with built-in NFC technology while Apple and Microsoft are both widely expected to add the short-range radio tech later this year. The killer application for the technology is “pay by tap”, which has prompted the launch of many competing mobile wallets, including Google’s Google Wallet, Orange’s QuickTap, Visa’s PayWave and MasterCard’s PayPass.
Additional security commentary on Miller’s presentation can be found in a blog post by Sophos here. ®