Black Hat Researcher Demonstrates Massive Security Flaws in NFC-enabled Mobile Devices
Chris Miller, a security researcher presenting his findings at the Black Hat security conference in Las Vegas, has discovered some severe security flaws with the new Near Field Communications technology.
The next big thing in smartphones is here, and it’s insecure. Surprise, surprise.
Smartphones running Google’s Android or the Linux-based MeeGo operating systems are extremely vulnerable to major security flaws in a new technology they are including called Near Field Communication, or NFC. The security flaws in this technology make it trivially easy for hackers to hijack handsets in close proximity according to a researcher appearing at the Black Hat security conference.
Charlie Miller, the researcher exposing the flaws in NFC, is able to take control of handsets made by Samsung and Nokia trivially easy. His attack, which takes advantage of multiple security flaws and weaknesses in the NFC protocol, works by either placing the target phone near a chip roughly the size of a US quarter or touching it to another NFC-enabled phone; code on the chip or attacker-controlled handset then gets beamed to the target device wirelessly which opens malicious files or websites which exploit known vulnerabilities in either a document reader, web browser or the operating system itself.
Miller is the principal research consultant at the security firm Accuvant and has spent the past five years demonstrating various software flaws that allow hackers to take control of Macs, iPhones and Android smartphones; this year, at the Black Hat security conference in Las Vegas, Miller decided to turn his attacks on the NFC capabilities available in three popular devices: Samsung’s Nexus S and Galaxy Nexus and the Nokia N9. The results of his research and attacks are far from encouraging.
While it’s already widely available in some countries, NFC has only recently been added to devices being marketed in the United States. NFC allows devices to establish a wireless signal with other devices containing NFC chips when they pass within close proximity. It allows people to exchange business cards or web links on the fly or establish Bluetooth connections with PCs, speakers or other devices effortlessly. While already built into Android and MeeGo devices, it’s been rumored to be part of future Windows Phone and iOS devices.
The Nexus S contains multiple memory-corruption bugs when running Android 2.3, also known as Gingerbread, the most common Android version installed on handsets by far. These bugs allow Miller to take control of the application “daemon”, or controller, that controls the NFC functions with nothing more than a specially designed tag. With some extra work, the tag could be modified in order to execute malicious code on the device. Some of these bugs were fixed in the Ice Cream Sandwich version of Android, version 4.0, but not all of them were, meaning that the attacks might also work against both it and Jelly Bean, version 4.1. But even if the NFC code itself has no exploitable bugs, a new feature added to Ice Cream Sandwich called Android Beam allows Miller to force the handset’s browser to open and visit any website he chooses without requiring permission from the user. “What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your web browser, without you doing anything, will open up and go to a page that I tell it to,” Miller said. “So instead of the attack surface being the NFC stack, the attack surface really is the whole web browser and everything a web browser can do. I can reach that through NFC.”
Shockingly, NFC and Android Beam are enabled by default, causing devices to automatically download any file or web link sent through the service. There is no way for users to approve or reject specific transfers initiated by other devices. This is a gaping security flaw, since it requires no action from the end user and provides no feedback to the end user when such an attack occurs. In a statement which deserves an award for “Understatement of the Year,” Miller called this situation “not ideal.”
What makes malicious hackers’ jobs easier is the fact that older versions of Android contain known security vulnerabilities that remain unpatched months or even years after they’ve been revealed. Miller’s demonstration at Black Hat this year includes an attack exploiting a browser bug that has shipped with every phone running Android version 4.0.1 or earlier. Using NFC and Android Beam, he can force the phone to visit a malicious website that allows him to execute arbitrary commands as the web browser, including viewing files that are stored on the device, and he claims that other documented security flaws in the WebKit browser engine can be exploited in exactly the same way.
With Nokia’s N9 handset, NFC is at least not enabled by default, but once it is enabled it also accepts malicious content and requests, no questions asked. Some of the easiest and most dangerous attacks using the NFC capabilities of the phone are attacks that use NFC to establish a Bluetooth connection with another device; an N9 will automatically accept any connection requests over NFC with no prompts to the user, allowing the device to then make phone calls, send text messages or upload and download files, including contact lists. But even if users enable a feature on the N9 that notifies them of any NFC connection request the phone will still accept file transfers automatically without prompting the user, then opens an application to render that file, again without prompting the user. Using NFC to exploit known vulnerabilities in various apps that handle documents like PDFs and Microsoft Word documents would be trivially easy, according to Miller. “If you know of a PDF bug, instead of trying to email the person or getting them to go to your website, you can just get near them with NFC and get them to render it,” he said.
Many of the attacks Miller is describing could be initiated using a concealed NFC tag attached to a payment terminal or other legitimate NFC device. While the attacks require that the phone’s screen be active and, in the case of Android Ice Cream Sandwich or MeeGo, unlocked, Miller said that provided little protection since the most common attack scenario targets people already using NFC, much like card skimmers target credit cards and debit cards as they’re being used.
While Google representatives have not issued a comment on this research, Nokia has made an official statement, saying “Nokia takes product security issues seriously. Nokia is aware of the NFC-research done by Charlie Miller and are actively investigating the claims concerning Nokia N9. Although it is unlikely that such attacks would occur on a broad scale given the unique circumstances, Nokia is currently investigating the claims using our normal processes and comprehensive testing. Nokia is not aware of any malicious incidents on the Nokia N9 due to the alleged vulnerabilities.”