Thursday, 26 July 2012

Android NFC 'hacking' is ingenious, but not yet dangerous


Android Central


The Black Hat Conference takes place in Las Vegas this week, where hackers, security experts and representatives from major companies meet to discuss all things relating to information security. If you're following the news out of the conference today, you may have come across reports of a new security vulnerability in Android (and NFC-enabled Meego phones) that could allow a malicious NFC (near-field communication) tag to beam malware directly onto your phone. Sounds terrifying, right? Now hackers can take over your smartphone without you even doing anything. But as is always the case with these kinds of security issues, it's not as simple as it seems, and this NFC 'hack,' sexy and technically impressive as it is, isn't really anything particularly scary to regular smartphone users.
Read on to find out why.
First off, we should quickly explain what NFC actually is. It stands for near-field communication, and it's a very short-range wireless communication technology designed for sending small amounts of data instantly over very short distances. On smartphones, this can be used to transfer things like URLs from one handset to another, or alternatively to scan NFC "tags," which can themselves contain small quantities of data that the phone can then act upon. It can also be used to facilitate payments, for example via Google Wallet. (Read more in our Android A-Z)
Multiple sources report that security researcher Charlie Miller demonstrated a variety of techniques for hacking into the Nexus S (on Gingerbread), the Galaxy Nexus (on Ice Cream Sandwich) and the Meego-powered Nokia N9 at Black Hat this week. Many of the scariest exploits were found on the N9, but we'll focus on Android here, 'cause that's what we do. (And that's also what many of today's headlines focus on.)
Starting at the high end, on the Galaxy Nexus Miller demonstrated that NFC-enabled Android phones running Ice Cream Sandwich or later use Android Beam, a feature which some (but not all) of them have turned on by default. Amongst other things, Beam lets users load URLs from another phone or NFC tag directly into the device's web browser. That means it's possible, with a malicious NFC tag, to send an unassuming user directly to a malicious web page. For that to work, though, the tag needs to be within the very short range at which NFC radios can operate -- basically all but touching the back of the device. Android Beam opens tagged URLs automatically without any prompt, by design. It's a valid security concern, but not an exploit in the traditional sense, as in order to do anything you need to find a vulnerability in the user's web browser of choice.
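To make concrete what a URL tag actually carries, and where a confirmation step could sit if a handler did not open URLs blindly, here is an added example that is not from the article and not Android's own Beam implementation. It parses a single short NDEF record as written to a tag, expands the one-byte URI prefix code that the NFC Forum URI record type uses, and then applies a simple dispatch policy: only http(s) URLs are offered to the browser, and only after a prompt. The record layout and prefix table follow the NFC Forum NDEF and URI RTD specifications; the sample tag bytes are constructed for this example.

```python
"""Decode an NDEF URI record as an NFC tag carries it, then decide how to
dispatch it rather than opening the URL without asking (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# URI identifier codes from the NFC Forum URI Record Type Definition: the
# first payload byte selects a prefix that is prepended to the UTF-8 remainder.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}


@dataclass
class NdefRecord:
    tnf: int            # Type Name Format (0x01 = NFC Forum well-known type)
    record_type: bytes  # e.g. b"U" for a URI record
    payload: bytes


def parse_ndef_record(data: bytes) -> NdefRecord:
    """Parse one short NDEF record (SR flag set, no ID field), the common
    layout for a tiny tag holding a single URL."""
    if len(data) < 3:
        raise ValueError("NDEF record too short")
    flags = data[0]
    tnf = flags & 0x07
    short_record = bool(flags & 0x10)
    has_id = bool(flags & 0x08)
    if not short_record or has_id:
        raise ValueError("only short records without an ID field are handled here")
    type_len = data[1]
    payload_len = data[2]          # one byte because SR is set
    offset = 3
    record_type = data[offset:offset + type_len]
    offset += type_len
    payload = data[offset:offset + payload_len]
    if len(record_type) != type_len or len(payload) != payload_len:
        raise ValueError("truncated NDEF record")
    return NdefRecord(tnf, record_type, payload)


def decode_uri(record: NdefRecord) -> str:
    """Expand a well-known URI record into the full URL string."""
    if record.tnf != 0x01 or record.record_type != b"U":
        raise ValueError("not a well-known URI record")
    if not record.payload:
        raise ValueError("empty URI payload")
    code, rest = record.payload[0], record.payload[1:]
    prefix = URI_PREFIXES.get(code)
    if prefix is None:
        raise ValueError(f"unsupported URI prefix code 0x{code:02x}")
    return prefix + rest.decode("utf-8")


def dispatch_decision(uri: str) -> str:
    """Policy a tag handler could apply instead of auto-opening: http(s) URLs
    with a host go to the browser only after the user confirms ('prompt');
    everything else is not handed to another app ('block')."""
    parts = urlsplit(uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "prompt"
    return "block"


def handle_tag(data: bytes) -> tuple[str, str]:
    """Full path from raw tag bytes to (decoded URI, dispatch decision)."""
    uri = decode_uri(parse_ndef_record(data))
    return uri, dispatch_decision(uri)


# Constructed sample tags (not captured from real hardware).
# Flags 0xD1 = MB | ME | SR | TNF=1; type length 1; payload length; type "U".
TAG_HTTPS = bytes([0xD1, 0x01, 0x0C, ord("U"), 0x04]) + b"example.com"
TAG_TEL = bytes([0xD1, 0x01, 0x0D, ord("U"), 0x05]) + b"+15555550100"

if __name__ == "__main__":
    for tag in (TAG_HTTPS, TAG_TEL):
        print(handle_tag(tag))
```

The point of the split between `decode_uri` and `dispatch_decision` is that the tag format itself is harmless; what matters is whether the receiving handler confirms before acting. Beam's default of opening the URL with no prompt is exactly the `prompt` step collapsed to an unconditional open.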
If you're using the built-in Android browser on Android 4.0.1, then such a bug exists, and that could allow a specially designed web page to run code on the device. Again, an entirely valid security issue, but using NFC as a delivery method for this kind of exploit is far from practical. (Not to mention Android 4.0.1 was only released on the Galaxy Nexus, a phone which has since been updated to Android 4.0.4 or 4.1.1, depending on your carrier.)
Miller also demonstrated how he could exploit bugs in Android 2.3's memory management to cause a Gingerbread device with NFC support to execute code using a malicious tag. That potentially gives an attacker the ability to take complete control of the device using only an NFC tag, but we should point out a few factors that make this a less serious issue than you might think. Sure, Android 2.3 Gingerbread is still the most-used version of Android, and many new Android devices ship with NFC support, but there's little cross-over between the two. The Nexus S was the first Android handset to support NFC, but that's since been updated to Jelly Bean. Other NFC-supporting devices may remain on 2.3, but most of the mainstream Android phones with NFC run at least version 4.0.3, which isn't vulnerable to the exploits used in this demo. In fact, we can't think of a single Gingerbread phone with NFC that's yet to be updated to at least Android 4.0.3.
So vulnerabilities certainly exist, but right now the only serious ones are limited to a very small subset of the Android population with NFC, and a very specific OS version. What's more, the phone needs to be powered on, the NFC radio needs to be enabled, and the user needs to be distracted enough so as not to notice the tell-tale NFC tone or vibration.
Ultimately, any exploit involving physical access to the device being hacked is going to be of limited use to the real bad guys. Taking control of a smartphone over NFC in the real world is going to be dangerous and impractical, even after the methods shown at the Black Hat Conference are publicized. If I have access to your phone, powered on, for an extended period, with malicious intent, NFC isn't going to be my first port of call. The exploits demonstrated by Charlie Miller this week are ingenious and cool to read about, but it's easy to exaggerate the real danger posed by them, especially when mainstream reporting of these hacks is light on important technical details.
Bottom line -- if you enjoy using NFC on your Android phone from time to time, you're safe to continue doing just that.