Earlier this week at the Black Hat USA 2012 conference, former National Security Agency employee and current Accuvant principal research consultant Charlie Miller demonstrated what could very well be the most dangerous emerging mobile security threat out there. The security expert has been focusing on the exploitation of near-field communications (NFC) technology to corrupt the systems of unsuspecting device owners.
NFC technologies are most readily recognizable in their access control and contactless payment applications. Essentially, tiny computer chips storing a small set of identification and/or financial data are embedded inside smart cards. When waved in front of a related reading device at close proximity, information is exchanged between the card and endpoint device to complete a transaction. For example, the card reader could interpret an employee's credentials and enable access to restricted office locations or deduct fares when a commuter enters the subway station.
However, the success enjoyed by these limited applications has inspired engineers to apply the technology to far greater effect by embedding NFC chips in smartphones and tablets. And as consumers slowly come around to the convenience offered by mobile payments and other possibilities, hackers could have a new avenue through which to wreak havoc.
Anatomy of an attack
As it stands, NFC-enabled devices have been primarily restricted to Android and the Linux-based MeeGo operating systems. The technology is widely available internationally, though it is just starting to gain traction in the United States. In Miller's demonstration, according to Ars Technica, he successfully compromised Samsung Nexus S and Galaxy Nexus smartphones in addition to Nokia's N9 handset.
By placing their NFC-enabled device within a few centimeters of another, hackers can beam code stored on their NFC chips over to the target smartphone. After this transmission has been made, hackers can exploit known vulnerabilities to open malicious files and webpages without the user's authorization and potentially even gain root level control of the device.
According to Ars Technica, what may be most troubling is the relative ease with which this attack can be carried out. Miller was able to compromise a Nexus S running the Gingerbread operating system, which is by far the most popular Android setup. The system contains multiple memory-corruption bugs, only a few of which were rectified in Android's Ice Cream Sandwich update. As a result, even the latest Jelly Bean operating system update could contain the vulnerabilities Miller exploited.
What's more, the Android Beam feature on the later devices allowed Miller to manipulate a target device's browser as he saw fit – whether or not the memory-corruption bugs had been patched.
"What this means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your web browser, without you doing anything, will open up and go to a page that I tell it to," Miller told Ars Technica. "So instead of the attack surface being the NFC stack, the attack surface really is the whole web browser and everything a web browser can do. I can reach that through NFC."
Unfortunately for the unsuspecting user, NFC and Android Beam are enabled by default in the typical setup. But according to Ars Technica, even the Nokia device, which does not automatically enable NFC, can be corrupted. Although users can set up notifications to alert them of nearby NFC requests, the N9 still accepts the initial connection before the prompt appears.
As a result, Miller was able to establish a Bluetooth connection with the smartphone from a laptop within range to force it to make phone calls, send text messages and even upload contact lists. According to Ars, this could be of particular concern if point-of-service systems are corrupted with hacker-controlled NFC chips to effectively siphon data from mobile payment transactions.
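The tag-to-browser path Miller describes can be gated on the handset side by decoding the tag's records and asking the user before anything is opened. The sketch below is an added example, not code from the article or from Miller's presentation: it parses NFC Forum NDEF records from raw tag bytes and applies a confirm-before-open policy to URI records. The policy (prompt for http/https, block everything else), the function names and the sample tag bytes are assumptions constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

# NFC Forum URI record prefix codes (subset; any other code is treated as unknown)
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def parse_ndef(data):
    """Yield (tnf, type, payload) per NDEF record; ValueError on malformed input."""
    pos = 0
    while pos < len(data):
        try:
            hdr, type_len = data[pos], data[pos + 1]
            pos += 2
            if hdr & 0x10:   # SR flag: payload length is one byte
                plen, pos = data[pos], pos + 1
            else:            # otherwise four bytes, big-endian
                plen, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
            id_len = 0
            if hdr & 0x08:   # IL flag: an ID length byte follows
                id_len, pos = data[pos], pos + 1
        except (IndexError, struct.error):
            raise ValueError("truncated NDEF header") from None
        end = pos + type_len + id_len + plen
        if end > len(data):  # declared lengths must fit inside the tag data
            raise ValueError("record length exceeds tag data")
        yield hdr & 0x07, data[pos:pos + type_len], data[pos + type_len + id_len:end]
        pos = end
        if hdr & 0x40:       # ME flag: last record of the message
            break

def tag_actions(data):
    """Return [(uri, decision)] for URI records; nothing is opened automatically."""
    out = []
    for tnf, rtype, payload in parse_ndef(data):
        if tnf != 0x01 or rtype != b"U" or not payload:
            continue         # only well-known 'U' (URI) records are considered
        prefix = URI_PREFIXES.get(payload[0])
        if prefix is None:
            out.append((None, "block"))
            continue
        uri = prefix + payload[1:].decode("utf-8", "replace")
        scheme = urlsplit(uri).scheme.lower()
        # Assumed policy: web links need explicit user consent, the rest is refused.
        out.append((uri, "prompt" if scheme in ("http", "https") else "block"))
    return out

# Constructed sample tag: one http URI record followed by one tel: URI record.
SAMPLE_TAG = (b"\x91\x01\x15U\x01example.test/landing"
              b"\x51\x01\x0dU\x05+15555550100")
```
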
An unavoidable issue
While Miller's conference presentation was only a proof-of-concept attack, his methods certainly carry weight in the real world.
According to the latest survey conducted by M for Mobile, two-thirds of U.S. and U.K. consumers indicated that they would likely make the move to mobile payments if provided with more information regarding NFC applications – and the requisite technology. Even ahead of confirmation of an NFC-enabled iPhone, Juniper Research analysts recently predicted that more than $180 billion worth of global mobile payment transactions will take place by 2017.
It remains to be seen how quickly mobile manufacturers will start flocking to this technology, but Android's leadership has certainly left a shaky foundation. As InfoWorld's Ted Samson noted, the brand's reputation for sluggish security patching may only exacerbate the danger of the earliest NFC threats. Google's diverse portfolio of device partners and operating system versions could come back to bite consumers, as a lack of standardization allows issues to linger much longer than they have to.
Security News from SimplySecurity.com by Trend Micro