NFC-enabled phones can be hijacked when in close proximity to bad guys.

by Dan Goodin - July 25 2012

A computer screen captures the output of an Android phone after it receives data from an NFC tag.
Charlie Miller

A new technology being added to smartphones running the Google Android and Linux-based MeeGo operating systems makes it trivial for hackers to electronically hijack handsets that are in close proximity, a researcher appearing at the Black Hat security conference said.

By exploiting multiple security weaknesses in the industry standard known as Near Field Communication, smartphone hacker Charlie Miller can take control of handsets made by Samsung and Nokia. The attack works by putting the phone a few centimeters away from a quarter-sized chip, or touching it to another NFC-enabled phone. Code on the attacker-controlled chip or handset is beamed to the target phone over the air, then opens malicious files or webpages that exploit known vulnerabilities in a document reader or browser, or in some cases in the operating system itself.

NFC is already widely available in some countries and is slowly being rolled out in handsets marketed in the United States. It allows devices to establish radio communications when they are gently bumped together or pass within close proximity of special chips. The feature allows people to share business cards and Web links on the fly or to effortlessly establish a Bluetooth connection with PCs, speakers or other devices. It can also be used to zap payment-card data to point-of-sale terminals. It's already built into smartphones running the Android and MeeGo mobile OSes and has been rumored to be a part of future Windows Phone and iOS devices.

Miller, who is principal research consultant at security firm Accuvant, has spent the past five years demonstrating software flaws that allow hackers to take control of Macs, iPhones, and Android handsets. For this year's Black Hat security conference in Las Vegas, he turned his attention to NFC capabilities available in three popular devices: the Nexus S made by Samsung, the Galaxy Nexus, and the Nokia N9. The results aren't encouraging.

"[NFC] certainly increases the risk that something could go wrong," Miller told Ars in an interview ahead of his Wednesday presentation. "It opens you up to a lot more than you would think."

Insecure by default

The Nexus S—when running Gingerbread (2.3), by far the most widely installed Android version—contains multiple memory-corruption bugs. They allow Miller—using nothing more than a specially designed tag—to take control of the application "daemon" that controls NFC functions. With additional work, he said, the tag could be modified to execute malicious code on the device. Some, but possibly not all, of those bugs were fixed in the Ice Cream Sandwich (4.0) version of Android, so the attacks may also work against that release and Jelly Bean (4.1) as well.

But even if there are no exploitable bugs in the NFC code itself, a feature known as Android Beam, which Google developers added to Ice Cream Sandwich, allows Miller to force a handset browser to open and visit any website he chooses—without first getting the end user's permission.

"What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to," Miller said. "So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC."

Surprisingly, when NFC and Android Beam are enabled—as they are by default—devices will automatically download any file or Web link sent through the service. There's no way for end users to selectively approve or reject a specific transfer initiated by another handset. "The fact that, without you doing anything, all of a sudden your browser is going to my website, is not ideal," Miller said in a noted understatement.

Making a malicious hacker's job easier, older Android versions contain known security vulnerabilities that often remain unpatched for months or even years. Miller's Black Hat demonstration includes an attack that exploits a browser bug that ships with every phone running 4.0.1 or earlier of the operating system. Using NFC and Android Beam, he can force the phone to visit a booby-trapped website that allows him to run arbitrary commands as the Web browser, including viewing files stored on the device. He said other documented security bugs in the WebKit browser engine, which is included in Android, can be exploited in the same manner.

Enter Nokia

NFC on the N9 isn't turned on by default, but once it's enabled, it too will accept malicious content and requests with no prompting. Among the easiest and most damaging attacks are those that use NFC to establish a Bluetooth connection with another device. Once NFC is turned on, an N9 will automatically accept all connection requests with no prompting. Once Miller connects his MacBook to a handset in range, he can force it to make phone calls, send text messages, or upload and download proprietary files, including contact lists. Users can reject requests for unauthorized Bluetooth connections, but they must first select a configuration setting requiring each one to be approved.

But even when N9 users change default configurations so they're notified of such NFC requests, the phones accept file transfers initiated by other users without warning. The N9 then opens an application to render the downloaded file, again without prompting. Miller will demonstrate an attack that exploits a known vulnerability in the Microsoft Word-compatible reader, which is based on the open-source KOffice that ships with the phone. Similar attacks can be launched using booby-trapped PDF files. Using NFC to send a poisoned document to an unsuspecting end user would make it "easy" to exploit such bugs, Miller said.

"If you know of a PDF bug, instead of trying to e-mail it to the person or get them to go to your website, you can just get near them with NFC and get them to render it," he explained.

Son of credit-card skimming

Most of the attacks Miller described could be waged using a concealed NFC tag attached to a payment terminal or other legitimate NFC-enabled device. For attacks to work, a phone's screen must be active, and when it's running Ice Cream Sandwich or MeeGo, it must also be unlocked. Miller said those requirements provide little protection since the most common attack scenario involves targeting people as they're already in the process of using NFC. Attackers who are targeting someone they know can also call or text their victim before exposing him to a malicious tag to ensure the phone is unlocked.

In a statement, Nokia officials wrote: "Nokia takes product security issues seriously. Nokia is aware of the NFC research done by Charlie Miller and is actively investigating the claims concerning Nokia N9. Although it is unlikely that such attacks would occur on a broad scale given the unique circumstances, Nokia is currently investigating the claims using our normal processes and comprehensive testing. Nokia is not aware of any malicious incidents on the Nokia N9 due to the alleged vulnerabilities."

Google representatives didn't have any comment.

Miller's demonstration is the culmination of more than six months of painstaking research. He ultimately chose the ACR122U and SCL3711 card readers. To automate the process, he placed his test phones on the computer-connected NFC reader devices and then turned the phone's NFC on and off thousands of times. Each time he made subtle changes to the data beamed to the handset. The process of "fuzzing" (feeding software millions of slightly malformed inputs to isolate the payloads that make it crash) has long been a core part of Miller's work.
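The fuzzing workflow described above, reduced to its essentials as an added illustration (this is not Miller's harness, and it does not use the real NFC or NDEF formats): a constructed toy record parser that trusts a declared length field, a seeded mutation loop that flips one byte of a known-good record per iteration and watches for an uncaught crash, and a hardened parser that rejects the same inputs cleanly. The record layout, the function names and the sample bytes are all assumptions constructed for this example. In Python the length-trust bug shows up as an IndexError rather than corrupted memory, but the fuzzing signal, an unexpected exception on a mutated input, is the same one a native-code harness looks for.

```python
import random
from typing import Callable, List, Optional, Tuple

# Constructed toy record layout (NOT the real NDEF format, an assumption for this example):
#   byte 0: TL, length of the type field
#   byte 1: PL, length of the payload
#   next TL bytes: type field
#   next PL bytes: payload
VALID_RECORD = bytes([1, 5]) + b"U" + b"hello"  # constructed known-good input


def parse_buggy(data: bytes) -> Tuple[bytes, bytes]:
    """Deliberately weak parser: trusts the declared lengths in the header."""
    tl, pl = data[0], data[1]
    type_field = data[2:2 + tl]
    payload = data[2 + tl:2 + tl + pl]
    # Bug: touches the byte the header promised, not the byte that is actually present.
    _last = payload[pl - 1]
    return type_field, payload


def parse_fixed(data: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Hardened parser: checks every declared length against the bytes present
    and returns None for malformed input instead of raising."""
    if len(data) < 2:
        return None
    tl, pl = data[0], data[1]
    if 2 + tl + pl != len(data):
        return None
    return data[2:2 + tl], data[2 + tl:]


def mutate(record: bytes, rng: random.Random) -> bytes:
    """Return a copy of record with one randomly chosen byte changed to a different value."""
    pos = rng.randrange(len(record))
    new = (record[pos] + rng.randrange(1, 256)) % 256
    return record[:pos] + bytes([new]) + record[pos + 1:]


def fuzz(parser: Callable[[bytes], object], seed: bytes,
         iterations: int, rng_seed: int = 1) -> Optional[bytes]:
    """Feed mutated copies of seed to parser; return the first input that makes it
    raise any exception (the crash signal), or None if it survives every iteration."""
    rng = random.Random(rng_seed)  # fixed seed so a crash can be reproduced
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except Exception:
            return case
    return None


def diff_bytes(original: bytes, mutated: bytes) -> List[Tuple[int, int, int]]:
    """List (offset, original byte, mutated byte) for every position that changed,
    which isolates the header field the crashing payload corrupted."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, mutated)) if a != b]


if __name__ == "__main__":
    crash = fuzz(parse_buggy, VALID_RECORD, 1000)
    print("buggy parser crashed on:", crash.hex() if crash else None)
    if crash:
        print("mutated byte(s):", diff_bytes(VALID_RECORD, crash))
        print("hardened parser on the same input:", parse_fixed(crash))
    print("hardened parser crash case:", fuzz(parse_fixed, VALID_RECORD, 1000))
```

Every crash the loop finds comes from a mutated length byte (offset 0 or 1), which is exactly the class of bug the hardened parser closes by checking the header against the real record size; mutations in the type or payload bytes never crash either parser.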

"The hard part was finding the right hardware and software where all this magic would work," Miller said. "It's a big, elaborate mess that eventually worked."