NFC hack lets nearby baddies take over your Nokia/Android smartphones

Make no mistake about it, NFC is the future of our wallets. Windows Phone 8 is aggressively pushing its spin on it, and Google Wallet has been around long enough to be a “thing.” Our Angry Man of the Noisecast, Vitto, fancies it. Unfortunately, security in the Near Field Communications wonderland isn’t all rainbows and unicorns; an article in Ars Technica explains how a known security flaw in NFC devices leaves Android handsets and Nokia’s N9 vulnerable to an attack.

By either tapping the target phone or keeping it nearby, Charlie Miller – a security consultant and smartphone hacker – can beam over malicious code that opens files on the target phone or opens a webpage that takes advantage of known exploits in the document reader, browser or even the OS.

Miller tested his exploit on two Android handsets running Gingerbread (Samsung Nexus S) and Ice Cream Sandwich (Galaxy Nexus) and on the MeeGo-powered N9. In the case of the Nexus S and Galaxy Nexus, NFC is on (and vulnerable) by default, and even with Android Beam, Miller was still able to force the phones’ browsers to visit websites of his choosing without needing the permission of the end user.

Nokia’s MeeGo results didn’t fare any better. Though the N9 does not have NFC on by default, once it was turned on, the device was equally vulnerable – downloading files without the consent of the user. Pretty scary stuff as NFC becomes less of a fad and more of a legitimate payment method.

One of Miller’s main concerns is the way a hack like this may be implemented in the real world. This is the credit card skimming of the 21st century; by placing the malicious device on a point-of-sale terminal, an attacker could in theory have all they need to take control of your phone (and more importantly all that info stored on your phone).

For what it’s worth, Ars was at least able to get Nokia to look into Miller’s claims:

In a statement, Nokia officials wrote: “Nokia takes product security issues seriously. Nokia is aware of the NFC-research done by Charlie Miller and are actively investigating the claims concerning Nokia N9. Although it is unlikely that such attacks would occur on a broad scale given the unique circumstances, Nokia is currently investigating the claims using our normal processes and comprehensive testing. Nokia is not aware of any malicious incidents on the Nokia N9 due to the alleged vulnerabilities.”

Google representatives didn’t have any comment.

Hit the source link for the full story.

Hat tip to Killahkaz


Source: Ars Technica
