Saturday, February 2, 2013

Black Hat hacker lays waste to Android and Meego using NFC exploits

A security researcher at the Black Hat conference in Las Vegas has demonstrated some gaping holes in the implementation of NFC on the Samsung Nexus S, Samsung/Google Galaxy Nexus, and Nokia N9. These hacks were demonstrated by Charlie Miller, a security researcher renowned for cracking Safari, the MacBook Air, and the iPad and iPhone — and now, seemingly, he has turned his attention to Android. In all three cases, vulnerabilities in the near-field communication (NFC) implementation allowed Miller to execute arbitrary, malicious code on the smartphone — at which point, it is trivial to turn a phone into a botnet zombie, or to extract sensitive information.
In the Nexus S’s case, Android 2.3 Gingerbread contains memory corruption bugs, which allow Miller to gain control of the NFC daemon with a specially designed RFID tag (or another NFC-enabled smartphone). This tag could be tailored to contain malicious code that is executed upon scanning.
The Meego-powered Nokia N9, it turns out, will automatically accept any NFC request without confirmation by the user. Miller says he can force a Nokia N9 to make calls, send SMSes, or upload or download arbitrary files — including your address book. Apparently, even if you turn on notifications, the N9 will still accept and automatically open incoming file transfers. All you would have to do is send a specially crafted file — a Word DOC, a PDF — to gain root access to the phone.
And then we have the most important hack of all, the Galaxy Nexus. In Android 4.0 Ice Cream Sandwich, Android Beam and NFC are enabled by default — and according to Miller, Android Beam will automatically download and open any transmitted website links or files. Apparently, there is no way for users to approve/deny transfers that are initiated by another NFC handset or RFID tag. Again, when coupled with an OS or browser exploit, this functionality could be used to gain root access.
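As an added illustration, not code from the article or from Miller's talk, the following Python sketch shows the defensive side of the two Android problems described above: a bounds-checked NDEF record parser of the kind an NFC daemon needs in order to avoid the memory-corruption class mentioned for the Nexus S, and a tag handler that routes URI records to a user prompt instead of opening them automatically, which is the approval step the Galaxy Nexus passage says is missing. The function names, the payload cap and the tag bytes are constructed assumptions; the malformed tags are generic length-mismatch cases, not the specific bugs Miller used.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# NDEF record header flag bits (NFC Forum NDEF record layout).
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01
MAX_PAYLOAD = 64 * 1024  # assumed daemon policy cap, not a spec value

# Subset of the URI record prefix table; codes outside it are rejected.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}


class MalformedNdef(ValueError):
    """Raised for any tag the daemon should drop instead of trusting."""


@dataclass
class NdefRecord:
    tnf: int
    rtype: bytes
    rid: bytes
    payload: bytes


def parse_ndef(msg: bytes) -> List[NdefRecord]:
    """Parse an NDEF message, checking every declared length against the bytes
    actually received before slicing.  A parser that copied `payload_len` bytes
    without this check is the shape of bug the article attributes to Gingerbread."""
    records, pos, n, first = [], 0, len(msg), True
    while True:
        if pos >= n:
            raise MalformedNdef("truncated: no record header")
        flags = msg[pos]; pos += 1
        if first and not flags & MB:
            raise MalformedNdef("first record lacks MB flag")
        if not first and flags & MB:
            raise MalformedNdef("MB flag set on a non-first record")
        if flags & CF:
            raise MalformedNdef("chunked records not accepted")
        header_len = 1 + (1 if flags & SR else 4) + (1 if flags & IL else 0)
        if pos + header_len > n:
            raise MalformedNdef("truncated record header")
        type_len = msg[pos]; pos += 1
        if flags & SR:
            payload_len = msg[pos]; pos += 1
        else:
            payload_len = struct.unpack(">I", msg[pos:pos + 4])[0]; pos += 4
        id_len = 0
        if flags & IL:
            id_len = msg[pos]; pos += 1
        if payload_len > MAX_PAYLOAD:
            raise MalformedNdef(f"payload length {payload_len} exceeds policy cap")
        total = type_len + id_len + payload_len
        if pos + total > n:
            raise MalformedNdef(f"declared {total} bytes but only {n - pos} remain")
        rtype = msg[pos:pos + type_len]; pos += type_len
        rid = msg[pos:pos + id_len]; pos += id_len
        payload = msg[pos:pos + payload_len]; pos += payload_len
        records.append(NdefRecord(flags & 0x07, rtype, rid, payload))
        first = False
        if flags & ME:
            break
    if pos != n:
        raise MalformedNdef("trailing bytes after the ME record")
    return records


def decode_uri(rec: NdefRecord) -> Optional[str]:
    """Return the URI carried by a well-known 'U' record, or None for other records."""
    if rec.tnf != TNF_WELL_KNOWN or rec.rtype != b"U" or not rec.payload:
        return None
    prefix = URI_PREFIXES.get(rec.payload[0])
    if prefix is None:
        raise MalformedNdef("unknown URI prefix code")
    return prefix + rec.payload[1:].decode("utf-8")


def handle_tag(msg: bytes) -> dict:
    """Daemon-side policy: parse defensively, never open content unprompted."""
    try:
        uris = [u for u in (decode_uri(r) for r in parse_ndef(msg)) if u]
    except (MalformedNdef, UnicodeDecodeError) as exc:
        return {"action": "reject", "reason": str(exc)}
    if uris:
        return {"action": "prompt_user", "uris": uris}  # user approves or denies
    return {"action": "ignore", "reason": "no actionable records"}


# Constructed sample tags (not captured from any device).
GOOD_TAG = bytes([0xD1, 0x01, 0x0C, 0x55]) + b"\x01example.com"   # MB|ME|SR, type 'U'
BAD_TAG = bytes([0xD1, 0x01, 0xFF, 0x55]) + b"\x01example.com"    # claims 255 payload bytes
HUGE_TAG = bytes([0xC1, 0x01]) + struct.pack(">I", 0xFFFFFFFF) + b"U"  # 4-byte length, absurd

if __name__ == "__main__":
    for name, tag in [("good", GOOD_TAG), ("bad", BAD_TAG), ("huge", HUGE_TAG)]:
        print(name, handle_tag(tag))
```

The good tag decodes to a single URI and is handed to the user as a question rather than an automatic browser launch; the two malformed tags are dropped before any payload is sliced, because the length fields disagree with the bytes on the wire.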
During the same presentation at Black Hat, Miller also brought up the dreaded “F” word — fragmentation. He says that older versions of Android contain lots of known vulnerabilities — and because it takes so long for carriers and OEMs to roll out patches, malicious hackers can make use of those holes for months. The Nexus S hack relied on a memory corruption exploit in Android 2.3, and the Galaxy Nexus hack exploited a bug in the Android 4.0.1 stock browser. ICS is now up to version 4.0.4, and so that browser bug is probably plugged — but even so, Miller says there are probably other WebKit holes that can be exploited in a similar way.
Ultimately, what we’re looking at here is the future of credit card skimming. NFC only has a range of a few centimeters, and so none of these hacks can be performed from a distance — but that’s the problem with smartphones: we’re constantly being encouraged to bring them very close to other gadgets. All it would take is an exploited point of sale, or even just an RFID tag affixed to the bottom of a wireless POS — and voila, your phone can be hacked.
The good news, unlike yesterday’s hack of four million hotel door locks, is that NFC can be secured quite easily. The actual transmission of NFC data can be encrypted, and strong authentication is definitely possible with the current NFC specs. In this case, though, it would seem that Google and Nokia have simply been a bit lazy with their software implementations — which, given that NFC is relatively new and untested, isn’t surprising… but it is a bit sad.
