LAS VEGAS -- Security specialist Charlie Miller demonstrated at the Black Hat security conference today a way to hijack an Android smartphone via the Near Field Communication (NFC) technology that's turned on by default on the device, and said he's found problems with NFC implementations on Nokia as well.
NFC tags have built-in antennas and are found in stickers and smart cards that are designed to transfer data to NFC readers, to send specific phone numbers and Web addresses to smartphones and other benign purposes. They require close proximity, a few centimeters or so, for data to be transmitted.
Attacks using NFC typically involve someone using a hidden reader to surreptitiously snag data from an NFC-enabled card in someone's pocket by swiping a reader very close to the card. But in this case, the risk is a tag sending a smartphone to a malicious Web site via the Android Beam feature without the user's consent.
In his talk, entitled "Don't Stand So Close to Me: An Analysis of the NFC Attack Surface," Miller showed how he could direct a phone to automatically visit a malicious Web site. He was also able to download to the device malware that exploited a browser bug, giving an attacker the ability to read cookies, watch the Web browsing done on a victim's device and eventually take control of the phone. "I can get to the browser with no user interaction," Miller said.
Miller, a principal security consultant at Accuvant, speculated about various attack scenarios, including one in which an attacker replaces a tag on a movie poster that sends viewers to a film preview with a tag that instead directs to a Web site hosting malware that can compromise the phone. An attacker could also replace tags used on point-of-sale payment terminals, he said.
The smartphones should not be allowed to directly take action based on an NFC communication, but should instead warn the user that the device is being directed to a particular Web site and prompt for permission, he said.
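The fix Miller describes, as an added example that is not code from the article or from his talk: decode the URI record a tag carries and return it for a user prompt instead of handing it straight to the browser. The record layout is the NFC Forum NDEF URI record (the format Android Beam reads from tags); the tag bytes and the `beam_decision` policy function are constructed for illustration.

```python
"""Decode an NFC Forum NDEF URI record and apply a confirm-before-open policy.

Added example. Assumes a single NDEF short record of well-known type "U";
all byte strings here are constructed, not captured from a real tag.
"""
from typing import Optional, Tuple

# NFC Forum URI Record Type Definition: payload byte 0 is a prefix code.
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}


def parse_ndef_uri(record: bytes) -> Optional[str]:
    """Return the URI in one short NDEF record, or None if it is not a URI record."""
    if len(record) < 3:
        return None
    header = record[0]
    short_record = bool(header & 0x10)    # SR flag: 1-byte payload length
    has_id = bool(header & 0x08)          # IL flag: ID length field present
    tnf = header & 0x07                   # Type Name Format; 0x01 = well-known
    if not short_record or tnf != 0x01:
        return None
    type_len, payload_len, pos = record[1], record[2], 3
    id_len = 0
    if has_id:
        id_len, pos = record[pos], pos + 1
    rec_type = record[pos:pos + type_len]
    pos += type_len + id_len              # skip type and optional ID field
    payload = record[pos:pos + payload_len]
    if rec_type != b"U" or len(payload) != payload_len or not payload:
        return None                       # truncated, or not a URI record
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:                    # reserved or unknown prefix code
        return None
    return prefix + payload[1:].decode("utf-8")


def beam_decision(record: bytes) -> Tuple[str, Optional[str]]:
    """Policy: never auto-open. Surface the decoded URI so the user can approve it."""
    uri = parse_ndef_uri(record)
    if uri is None:
        return ("ignore", None)
    return ("prompt", uri)


# Constructed tag: header 0xD1 (MB, ME, SR set, TNF=1), type "U",
# prefix code 0x03 ("http://") followed by the rest of the URI.
TAG = bytes([0xD1, 0x01, 0x14, 0x55, 0x03]) + b"example.test/poster"

if __name__ == "__main__":
    print(beam_decision(TAG))             # ('prompt', 'http://example.test/poster')
```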
Miller also said he found bugs in the way NFC parsing code was written on Android Nexus S and a Galaxy Nexus from Samsung, but he did not try to exploit the holes. At least one of the problems has been fixed in Ice Cream Sandwich, but Gingerbread is still vulnerable, he said.
Miller didn't just pick on Android. He also found some problems with the Nokia N9 phone running the MeeGo Linux-based operating system, which accepts NFC requests without user permission if NFC is enabled. If the default settings are unchanged, MeeGo allows another device to pair with it via Bluetooth over the NFC reader, even if Bluetooth is turned off. This feature can be used for interoperation with NFC-enabled devices like speakers, so a user can easily play music from the device. But this puts the phone and its data at risk via any ordinary Bluetooth attack, allowing someone else to make phone calls, send text messages, and download data, he said.
Miller also discussed a second attack using NFC on Nokia N9 in which an attacker could send the phone a malicious Word document that exploits a bug in the way documents are viewed on the device. "If an attacker gets close he can make the phone open up and render a document and exploit that," he said.
Devices are protected when the screen is off, because the NFC chip is then off, and when the phone is locked, according to Miller. And the smartphones have to come within a few centimeters of the tag for an attack to work, further limiting the threat, he said.
Miller said he had sent his research to Google and Nokia and they acknowledged receiving it but have not discussed the issues with him.
The iPhone does not have NFC capability at this time, though it's rumored to come in a future version, according to Miller.