Just by getting a few centimeters from a phone running NFC (Near Field Communications) with a malicious NFC tag you can take control of that phone. Charlie Miller demonstrated the attack at Black Hat using an Android phone and some test devices he created.

Larry Seltzer, Contributor

July 25, 2012

4 Min Read

One of the main tracks Wednesday at the Black Hat 2012 conference in Las Vegas was Mobile. The most compelling one to me was Don't Stand So Close To Me: An Analysis Of The NFC Attack Surface by the famous Charlie Miller. The others raised important concerns, but only Miller's made me cringe. His presentation included a demonstration of the use of a malicious NFC device which, simply when placed close enough to a user's phone, resulted in a complete compromise of the phone, or what security people call "remote code execution."

Dr. Miller, formerly of the NSA, is well-known in the security field as a top security researcher and probably the top researcher of Apple products. He has won many awards for impressive attacks on Macs and iPhones. He is currently a principal research consultant for Accuvant Labs.

The NFC Forum's N-Mark logo for NFC-enabled devices The NFC Forum's N-Mark logo for NFC-enabled devices. NFC is designed for close wireless communications with the most famous application being wireless payments. It's very similar to RFID in design, but devices can exchange much richer sets of data. NFC communications are very close-range. Miller said he heard it can be made to work as far as 10 cm, but 4 cm was about where he found the outer range.

It turns out that, at least on Android, if your phone is on and awake, NFC is active. And if it's asleep and locked, an attacker who knows the number can wake it up with an SMS message. Google addressed this some in Android 4 (Ice Cream Sandwich) by turning NFC off when the phone is locked. You have to first unlock it with the passcode. Miller did all his testing on Android and on a Nokia phone running Meego.

It was the rich data that attracted Miller to NFC, because where you find programs parsing rich data sets you find bugs that can be exploited by malicious software. Miller approached the whole NFC architecture with an eye towards identifying and probing the attack surface. The attack surface is the portion of a software system that is exposed to attack. As a general matter, the more complex a program gets, the larger the attack surface.

He used a popular technique for quick discovery of bugs: fuzzing. Fuzzing consists of programmatically sending erroneous input to a system under test in order to provoke crashes. After the tests, you have a set of inputs which merit further analysis. There are many different types of tags in the standard and they each have their own programming protocol. Each requires its own fuzzing.

Miller found many crashes in his testing, but drilled down on one of them in particular, one which was due to a type of vulnerability called a "double free," where memory is allocated by a program, released, and then released again. This allows the attacker to run code in the context of the NFC service. Miller did all his Android testing on Android 2.3.3 (Gingerbread), the most common version in use. Many of the bugs he found are fixed on Android 4, but about 90% of users are on earlier versions.

The malicious NFC attack tag The malicious NFC attack tag

But the really scary attack didn't involve a vulnerability at all, but a poorly thought out feature. Android Beam is a standard app in Android 4+ that allows peer-to-peer exchanges over NFC.

One of the things you can push to another Android device is a Web page, and when the device receives that beam it launches that Web page in the browser--without the user having to approve it. Miller chose a Web page that exploited a separate vulnerability in Webkit, the browser engine behind Google Chrome and many other browsers. Webkit vulnerabilities are common. The browser exploit then downloaded a real payload and conducted a real attack.

This is the sort of attack that will force quick action by Google. The first thing Google should do is display the URL being beamed and ask users whether they want to open it or not.

Charlie Miller and his magic NFC attack tag.

About the Author(s)

Larry Seltzer


Follow Larry Seltzer and BYTE on Twitter, Facebook, LinkedIn, and Google+:

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights