Hacker Targets NFC To Take Over Android Smartphones
Michael Harper for redOrbit.com – Your Universe Online
It’s no surprise that the hacking experts at this year’s Black Hat conference in Las Vegas would demonstrate a few of their tips and tricks on breaking into “secure” Android smartphones. What may have been surprising is just how easily these hackers were able to infiltrate devices and how they were able to do so.
Near Field Communications, or NFC, is used to submit mobile payments and transfer data from one device to another. Many Android smartphones from HTC, LG and Samsung — including Google’s own Nexus line of smartphones — feature NFC capabilities and are used with Google Wallet, Google’s mobile payment system.
Though the technology can be very cool and convenient, it can also be seen as a wide-open backdoor into a smartphone, making it susceptible to hacking.
Hacker Charlie Miller has demonstrated a way to take advantage of phones with the NFC chip built in without having to touch the phone at all.
By placing the phone near a small, yet malicious, NFC chip or touching it to another NFC-enabled smartphone, Miller is able to target the smartphone and open malicious code or webpages, exploiting vulnerabilities in either the web browser or the Android operating system.
To be fair, it isn’t just Android smartphones which can be hacked into via NFC. Nokia phones running Linux-based MeeGo are also vulnerable to these kinds of attacks. Miller, a research consultant at security firm Accuvant, also has experience breaking into Apple products, such as iPhones and Macs. This year, however, he chose to shine some light on the NFC vulnerabilities of Google’s Nexus smartphone, Nokia’s N9 and Samsung’s Nexus S.
“[NFC] certainly increases the risk that something could go wrong,” said Miller in an interview with Ars Technica.
“It opens you up to a lot more than you would think.”
For example, the Nexus S running Android’s most dominant version (Gingerbread 2.3) contains multiple bugs which allows Miller to take control of the NFC chip with a specially designed NFC tag. With some additional work, Miller said he could use the NFC tag to execute malicious code on the smartphone. Though some of these vulnerabilities were fixed in Ice Cream Sandwich, (version 4.0) Miller said these vulnerabilities might still exist in the latest version of Android, Jelly Bean 4.1.
Google may have tightened up their NFC vulnerabilities, but according to Miller, Android Beam — a new feature built into Ice Cream Sandwich — allows Miller to open any website he chooses without the permission of the user.
“What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to,” Miller said.
“So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC.”
Even more frightening, Android’s default settings have NFC and Android Beam turned on by default. These services will also download any file or link received through these channels, automatically. Therefore, any Android user with basic, stock settings is wide open to attacks from hackers like Miller.
“The fact that, without you doing anything, all of a sudden your browser is going to my website, is not ideal.”
Using these methods, hackers could simply walk nearby at any public place to run the malicious code. Even more frightening, hackers could simply place one of these malicious NFC tags on the bottom of a legitimate NFC payment terminal at your favorite coffee shop or fast food chain, taking control of every phone used to make a mobile payment.
Though Google has yet to make any comment on Miller’s research, Nokia issued a statement, saying:
“Nokia takes product security issues seriously. Nokia is aware of the NFC-research done by Charlie Miller and are actively investigating the claims concerning Nokia N9. Although it is unlikely that such attacks would occur on a broad scale given the unique circumstances, Nokia is currently investigating the claims using our normal processes and comprehensive testing. Nokia is not aware of any malicious incidents on the Nokia N9 due to the alleged vulnerabilities.”
Miller has admitted that these findings are the result of 6-months of exhaustive research and experimentation. In the end, he was able to get his demonstration to work, and if he could do it, someone else could as well. Though exciting, NFC might not be the most secure technology as of yet.