Is NFC An Unacceptable Security Risk? Exploits Demonstrated For Android, MeeGo


Near Field Communication is just now starting to become somewhat widespread among smartphones, with support for the feature included on several popular new models. Considering we’ve been waiting for well over a year to see NFC take off, that sounds like great news. Could ubiquitous NFC support end up being a curse, though, rather than a blessing? One hacker is sounding the alarm that NFC, as currently implemented on many smartphones, is just asking to be exploited to the detriment of phone owners.

The vulnerabilities stem from issues on multiple levels, and the blame doesn’t lie entirely with NFC, but NFC is key to letting these security holes be exploited. Ultimately, the issue is the tendency of NFC software, like Android Beam, to automatically accept NFC transfers. Instead of prompting users to manually accept each request, phones visit URLs and retrieve files that unknown NFC devices attempt to send, without any approval from the phone’s owner.

Once the content is on the phone, additional exploits are needed to do anything nasty, like a bug in a document-viewing app that a specially-crafted file could take advantage of, or a URL pointing to a website containing its own browser exploit code. The point, though, is that it should be difficult for an unknown party to get such files on your phone in the first place, not as simple as walking near you in a crowded room.

Proof-of-concept exploits work on Androids like the Nexus S and Galaxy Nexus, as well as on the MeeGo-running Nokia N9. With the N9, at least, NFC has to be manually turned on, but once it’s activated, it has the same lax security standards as Android.

The fix for all this is simple: present users with an alert for NFC transmission requests, rather than accepting everything by default. Frankly, it’s a bit surprising that such a big security oversight was made in the first place; we can only assume it was done to make NFC transfers more effortless, in an attempt to spur use of the feature.
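A sketch of the prompt-before-acting policy described above, as an added example that is not from the article or from any phone vendor's code: it parses a single short NDEF URI record (the NFC Forum format that carries a URL over NFC) and returns a decision that depends on explicit user confirmation. The function names, decision strings and sample bytes are constructed for illustration.

```python
# Added illustration: gate an incoming NFC URL behind explicit user consent.
# Handles one short-record NDEF message holding a well-known URI record ("U").

URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}  # subset of the NFC Forum table

def parse_ndef_uri(msg: bytes) -> str:
    """Return the URI in a single short NDEF URI record, else raise ValueError."""
    if len(msg) < 4:
        raise ValueError("truncated record header")
    flags, type_len, payload_len = msg[0], msg[1], msg[2]
    tnf = flags & 0x07                 # Type Name Format: 0x01 = well-known
    short_record = bool(flags & 0x10)  # SR: payload length is one byte
    has_id = bool(flags & 0x08)        # IL: an ID length field is present
    chunked = bool(flags & 0x20)       # CF: payload continues in later records
    if not short_record or has_id or chunked:
        raise ValueError("only plain short records are handled here")
    if tnf != 0x01 or msg[3:3 + type_len] != b"U":
        raise ValueError("not a well-known URI record")
    payload = msg[3 + type_len:3 + type_len + payload_len]
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("payload length does not match header")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI prefix code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def handle_incoming(msg: bytes, user_confirms) -> str:
    """Return a decision; nothing is acted on without the user's approval."""
    try:
        uri = parse_ndef_uri(msg)
    except ValueError:  # also covers UnicodeDecodeError
        return "dropped"
    # user_confirms is a hypothetical UI callback: shows the URI, returns a bool.
    return "opened" if user_confirms(uri) else "declined"

# Constructed sample: header 0xD1 (MB|ME|SR, TNF=1), type "U", prefix 0x04.
SAMPLE = bytes([0xD1, 0x01, 0x0C, 0x55, 0x04]) + b"example.com"

if __name__ == "__main__":
    print(handle_incoming(SAMPLE, lambda uri: input(f"Open {uri}? [y/N] ") == "y"))
```

The auto-accept behaviour the article criticises corresponds to a callback that always returns true; the malformed-input path matters as well, since a record the parser cannot validate should never reach a browser or viewer.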

Source: Ars Technica
Via: phoneArena


About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits