Android Central

The Black Hat conference takes place in Las Vegas this week, where hackers, security experts and representatives from major companies meet to discuss all things relating to information security. If you're following the news out of the conference today, you may have come across reports of a new security vulnerability in Android (and NFC-enabled Meego phones) that could allow a malicious NFC (near-field communication) tag to beam malware directly onto your phone. Sounds terrifying, right? Now hackers can take over your smartphone without you even doing anything. But as is always the case with these kinds of security issues, it's not as simple as it seems. And this NFC 'hack,' sexy and technically impressive as it is, isn't really anything particularly scary to regular smartphone users.

Read on to find out why.

First off, we should quickly explain what NFC actually is. It stands for near-field communication, and it's a very short-range wireless communication technology designed for sending small amounts of data instantly over very short distances. On smartphones, this can be used to transfer things like URLs from one handset to another, or alternatively to scan NFC "tags," which can themselves contain small quantities of data that the phone can then act upon. It can also be used to facilitate payments, for example via Google Wallet. (Read more in our Android A-Z)

Multiple sources report that security researcher Charlie Miller demonstrated a variety of techniques for hacking into the Nexus S (on Gingerbread), the Galaxy Nexus (on Ice Cream Sandwich) and the Meego-powered Nokia N9 at Black Hat this week. Many of the scariest exploits were found on the N9, but we'll focus on Android here, 'cause that's what we do. (And that's also what many of today's headlines focus on.)

Starting at the high end, Miller demonstrated on the Galaxy Nexus that NFC-enabled Android phones running Ice Cream Sandwich or later use Android Beam, a feature that some (but not all) devices have turned on by default. Amongst other things, Beam lets users load URLs from another phone or an NFC tag directly into the device's web browser. That means it's possible, with a malicious NFC tag, to send an unsuspecting user directly to a malicious web page. For that to work, though, the tag needs to be within the very short range at which NFC radios operate -- basically all but touching the back of the device. Android Beam opens tagged URLs automatically without any prompt, by design. It's a valid security concern, but not an exploit in the traditional sense: to actually do anything, you still need a vulnerability in the user's web browser of choice.
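As an added illustration (not code from the article, from Android, or from Miller's demo), the following Python parses the NDEF URI record that a URL-bearing NFC tag carries and applies a prompt-or-block hand-off policy in place of the automatic open described above; it assumes a single short NDEF record of type "U", and the sample tag bytes are constructed.

```python
# Added example, not from the Android Central article: parse the NDEF URI
# record that a URL-carrying NFC tag holds, then apply a defensive policy
# instead of Android Beam's open-without-prompt behaviour described above.
# Assumptions: the tag holds a single NDEF short record of type "U" (NFC
# Forum URI RTD); the sample tag bytes below are constructed, not real tags.

# URI identifier code -> prefix (abbreviated subset of the NFC Forum table)
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}

def parse_ndef_uri(record: bytes) -> str:
    """Return the URI held in a single short NDEF record of type 'U'."""
    if len(record) < 4:
        raise ValueError("record too short")
    flags, type_len, payload_len = record[0], record[1], record[2]
    # Require SR=1 (short record), TNF=1 (well-known type), IL=0 (no ID field)
    if not flags & 0x10 or (flags & 0x07) != 0x01 or flags & 0x08:
        raise ValueError("unsupported record header")
    if type_len != 1 or record[3:4] != b"U":
        raise ValueError("not a URI record")
    payload = record[4:4 + payload_len]
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unknown URI identifier code")
    return prefix + payload[1:].decode("utf-8")

def beam_policy(uri: str) -> str:
    """Defensive hand-off policy: never auto-open a tag URL.
    Only https is offered to the user behind a prompt; all else is blocked."""
    scheme = uri.split(":", 1)[0].lower()
    return "prompt" if scheme == "https" else "block"

# Constructed sample tags: header D1 = MB|ME|SR, TNF=1; type "U"; 12-byte payload
TAG_HTTPS = bytes([0xD1, 0x01, 0x0C, ord("U"), 0x04]) + b"example.com"
TAG_HTTP = bytes([0xD1, 0x01, 0x0C, ord("U"), 0x03]) + b"example.com"

if __name__ == "__main__":
    for tag in (TAG_HTTPS, TAG_HTTP):
        uri = parse_ndef_uri(tag)
        print(uri, "->", beam_policy(uri))
```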

If you're using the built-in Android browser on Android 4.0.1, then such a bug exists, and that could allow a specially designed web page to run code on the device. Again, an entirely valid security issue, but using NFC as a delivery method for this kind of exploit is far from practical. Not to mention Android 4.0.1 was only released on the Galaxy Nexus, a phone which has since been updated to Android 4.0.4 or 4.1.1, depending on your carrier.

Miller also demonstrated how he could exploit bugs in Android 2.3's memory management to cause a Gingerbread device with NFC support to execute code using a malicious tag. That potentially gives an attacker the ability to take complete control of the device using only an NFC tag, but we should point out a few factors that make this a less serious issue than you might think. Sure, Android 2.3 Gingerbread is still the most-used version of Android, and many new Android devices ship with NFC support, but there's little cross-over between the two. The Nexus S was the first Android handset to support NFC, but it has since been updated to Jelly Bean. Other NFC-supporting devices shipped on 2.3, but most of the mainstream Android phones with NFC run at least version 4.0.3, which isn't vulnerable to the exploits used in this demo. In fact, we can't think of a single Gingerbread phone with NFC that's yet to be updated to at least Android 4.0.3.

So vulnerabilities certainly exist, but right now the only serious ones are limited to a very small subset of the Android population with NFC, and a very specific OS version. What's more, the phone needs to be powered on, the NFC radio needs to be enabled, and the user needs to be distracted enough so as not to notice the tell-tale NFC tone or vibration.

Ultimately, any exploit involving physical access to the device being hacked is going to be of limited use to the real bad guys. Taking control of a smartphone over NFC in the real world is going to be dangerous and impractical to would-be perps, even after the methods shown at Black Hat are publicized. If I have access to your phone, powered on, for an extended period, with malicious intent, NFC isn't going to be my first port of call. The exploits demonstrated by Charlie Miller this week are ingenious and undeniably cool to read about. But it's easy to exaggerate the real danger they pose, especially when the mainstream reporting of these hacks is light on important technical details.

Bottom line -- if you enjoy using NFC on your Android phone from time to time, you're safe to continue doing just that.

More: Ars Technica


Lanhoj says:

So you need to have:

1) Outdated version of ICS or an outdated Nexus S
2) Be within an inch or two of the tag

Yeah...I'm not worried, yet.

jlunardi says:

I'd change

2) Be within half an inch of the tag

And add

3) Have your phone on and unlocked

At least this is how it is with my HTC One X. It does not work if the phone is not switched on and is not unlocked, and as I say you need to be much closer than 2 inches.

I'm sure there are many easier ways to get someone to follow a URL than an NFC tag.

stevozip says:

With the Galaxy Nexus, you don't need to have it unlocked, just the screen on. But yeah, 1/2 an inch is about right.

repvik says:

Sure about that? I happen to have a GNEX and an NFC tag next to me. I cannot get the phone to read the tag until I unlock it. That was the case on ICS, and it's the case on JB as well.

On my GS3 the instructions for Google Wallet say I don't have to unlock to use Google Wallet. It may not be the same for every device.

mwara244 says:

You still have to enter a 4-digit PIN to use Google Wallet. And an NFC tag would have to wait for you to enter and accept charges for a transaction to take place. It'd be easier to just steal someone's phone than try and use NFC tags to send you to a malicious site or get into Google Wallet.

OniBerry says:

NFC effective range is from 2CM - 4CM

user311 says:

Great, next time I'll think twice when some strange guy rubs up against me on a train, or an even stranger guy reaches into my pocket, grabs my phone, turns on NFC and then swipes his phone against mine, after which he places my phone back into my pocket... thanks, paranoia.

thaghost says:

lol, funny!

imarx says:

Off topic, but what is that power control widget in the notification bar in the photo? It looks much nicer than the one I'm using.

Alex Dobie says:

It's not a widget, it's the standard power control thing in the notification dropdown on LG's ICS phones (phone in the pic is an Optimus Vu)

imarx says:

Okay, thanks. I really hope Google decides to make that a standard Android feature sometime soon.

deadpenguins says:

Agreed, I love stock ICS/JB but that's a must-have feature. It blows my mind it hasn't been implemented in stock yet.

joshua.worth says:

Sounds like nothing of concern really. Good piece Alex.

I just tested this on my Samsung Galaxy S3 (I have RFID tags from a school project that'll work). I wrote a URL to an NFC-capable tag and then scanned it using my S3, and when the phone detected the tag it created a pop-up prompt that said "About to connect to Browser. Continue?" So I see this NFC 'exploit' as an even more unlikely issue. It's much harder to sneakily inject code with this sort of prompt; the only way this could become a real threat is through social engineering (which has always been a concern with QR codes).

JackNweems says:

If NFC catches on, and I hope it does, then this becomes a much bigger issue. If people get used to the idea of scanning tags for discounts and information then using this in the wild becomes as easy as putting up a poster advertising free beer.

font1975 says:

^^ This is the most likely attack vector. Not someone grabbing your phone or patting your butt, but putting up false tags - e.g. phishing scams - which unsuspecting people then voluntarily tap with their phones.

You expect it to go to a web page and launch stuff, so someone not paying real close attention wouldn't even suspect.

Of course, as mentioned, up-to-date software seems to close this avenue. But the potential is still there.

gskiner says:

If you think about it, this exploit could have been used for years with anyone who uses a barcode scanner on their phone. Almost everyone who comes into my store with a smartphone has one installed. It seems like if this was to run rampant it would already have happened through this avenue.

n0obpr0 says:

Good article Alex. I rarely use NFC so I'm not worried at all. Good to know though =)

ads says:

The real question is: will these exploits NOT work in Jelly Bean, or has the effort just not yet been made to try?
Hopefully future coding will make it such that there is a safe/known database for NFC one will be able to register and update against with public/private key protection. This should solve the store/retail concern if not already in place.
But I expect as more exploits come, it will only become less safe to be tapping strangers' phones to exchange anything, as you can't control what security apps or practices they do or don't employ. This part is no different than plugging/wifing your laptop or phone into an unknown, insecure network without a firewall and realtime security scans. Eventually, bad things will happen to your device. I'd expect the proper tools will exist for Android as the need grows.

Soooo if you have NFC off then this isn't a problem correct?

Only other thing I can think of to make this dangerous is if someone somehow created an NFC signal booster that amplified the NFC signal so that you didn't have to be that close.

horacenick says:

I just wonder if the future NFC support iOS will have is also vulnerable to this attack.

Clearly, since the hardware doesn't exist it couldn't be tested. This is a pretty big anvil on the entire NFC movement; I always thought a wireless wallet was a bad idea ;-)

TenshiNo says:

Actually, there's talk now about how some credit cards have NFC chips in them, and there's concern that people could "steal" your credit card simply by tapping a "reader" against your wallet. Don't know that there's much real truth there, but NFC does seem to present some valid things to at least be conscious of.

doz says:

Similar stuff happened when bluetooth came out, and that had much larger range. AFAIK it is still doing just fine.

chalekan says:

Key words are in the title "not yet."

megadirk says:

I'm really hoping this story doesn't get reported on a large scale. New hacks and exploits that are demonstrated at the Black Hat conference should NOT be told to the masses. I can't tell you how many times I've had to explain to an individual that the ads in Angry Birds aren't really scanning your phone for viruses and then telling you how many they found.