Computer security experts gathered in Las Vegas yesterday for the Black Hat USA 2012 hacking conference. In a presentation by Charlie Miller of Accuvant Labs, an NFC exploit that executes without any user interaction was disclosed. “This is sort of frightening,” Miller said. “I can get shell and all I did was get near the phone.”
NFC and Android Beam leave you open by default
Miller said “NFC opens a new wave of server-side attacks, without user interaction.” The researcher used three smartphones to demonstrate the attacks: the Nexus S (Gingerbread), the Galaxy Nexus (Ice Cream Sandwich) and the Nokia N9 (MeeGo). Both Android phones ship with NFC enabled by default, and in the demonstration NFC was used to make the handset open its browser on an attacker-chosen page, where a browser vulnerability did the rest. The Nokia N9 does not have NFC turned on by default, but once it is on the phone can be compromised through flaws in its PowerPoint and PDF apps.
NFC enabled SIM card
The NFC attack works like this: a postage-stamp-sized tag (or another NFC-enabled phone prepared by the attacker) is concealed somewhere a phone is likely to be held, such as the payment desk at a restaurant. When the victim's NFC-enabled smartphone comes within range, it reads the tag, acts on what the tag tells it to do, and can be taken over. Two practical limits apply: NFC works only over a few centimetres, and Android only reads tags while the screen is on and unlocked, so the victim must bring an unlocked phone close to the tag. Android Beam, a feature added in Ice Cream Sandwich that uses NFC to push content between phones, is open to the same abuse: using Android Beam, Miller showed he could force a nearby handset's browser to open and visit any website of his choosing.
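What such a tag carries is an NDEF record of the NFC Forum well-known type “U” (a URI), which the phone dispatches to the browser. The following is an added example in plain Java, written for this article and not code from Miller's talk or from Android; it encodes a URI into the short-record wire format a tag would hold, parses it back with bounds checks on every attacker-supplied length field, and rejects a record whose declared payload length exceeds the bytes present. The URI and the malformed record are constructed for the example.

```java
import java.nio.charset.StandardCharsets;

public class NdefUriRecord {

    // URI identifier codes from the NFC Forum URI Record Type Definition (first entries only).
    // Code 0x00 means "no prefix"; the remainder of the payload is then the whole URI.
    static final String[] PREFIXES = {
        "", "http://www.", "https://www.", "http://", "https://", "tel:", "mailto:"
    };

    // Build a single short NDEF record of well-known type "U" carrying the URI.
    static byte[] encode(String uri) {
        int code = 0;
        String rest = uri;
        for (int i = 1; i < PREFIXES.length; i++) {   // "http://www." is listed before "http://"
            if (uri.startsWith(PREFIXES[i])) {
                code = i;
                rest = uri.substring(PREFIXES[i].length());
                break;
            }
        }
        byte[] restBytes = rest.getBytes(StandardCharsets.UTF_8);
        int payloadLen = 1 + restBytes.length;          // identifier code + URI remainder
        if (payloadLen > 255) {
            throw new IllegalArgumentException("URI too long for the short-record form");
        }
        byte[] out = new byte[4 + payloadLen];
        out[0] = (byte) 0xD1;   // MB=1 ME=1 CF=0 SR=1 IL=0 TNF=001 (NFC Forum well-known type)
        out[1] = 0x01;          // type length
        out[2] = (byte) payloadLen;
        out[3] = 0x55;          // type "U"
        out[4] = (byte) code;
        System.arraycopy(restBytes, 0, out, 5, restBytes.length);
        return out;
    }

    // Parse a record back into a URI. Every length field comes from the tag, i.e. from
    // whoever wrote it, so each is checked against the bytes actually present before use.
    static String decode(byte[] rec) {
        if (rec.length < 5) throw new IllegalArgumentException("record too short");
        int header = rec[0] & 0xFF;
        boolean shortRecord = (header & 0x10) != 0;
        boolean hasIdField = (header & 0x08) != 0;
        int tnf = header & 0x07;
        if (!shortRecord || hasIdField || tnf != 0x01) {
            throw new IllegalArgumentException("only short well-known records without an ID field are handled");
        }
        int typeLen = rec[1] & 0xFF;
        int payloadLen = rec[2] & 0xFF;
        if (typeLen != 1 || rec[3] != 0x55) throw new IllegalArgumentException("not a URI record");
        if (payloadLen < 1 || rec.length < 4 + payloadLen) {
            throw new IllegalArgumentException("declared payload length exceeds record");
        }
        int code = rec[4] & 0xFF;
        if (code >= PREFIXES.length) throw new IllegalArgumentException("unknown URI prefix code " + code);
        String rest = new String(rec, 5, payloadLen - 1, StandardCharsets.UTF_8);
        return PREFIXES[code] + rest;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X ", x & 0xFF));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed URI; a hostile tag would point at a page hosting a browser exploit.
        String uri = "http://example.com/";
        byte[] tag = encode(uri);
        System.out.println("tag bytes : " + hex(tag));
        System.out.println("decoded   : " + decode(tag));

        // Constructed malformed record: header says 255 payload bytes, only two are present.
        byte[] bogus = {(byte) 0xD1, 0x01, (byte) 0xFF, 0x55, 0x03, 0x61};
        try {
            decode(bogus);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected  : " + e.getMessage());
        }
    }
}
```

The point of the decode side is that the phone's NFC stack runs this kind of parsing on bytes it has not asked for and cannot trust; a reader that trusts the length byte in the header instead of checking it against the record it actually received is the sort of code an attacker with a tag gets to exercise without the owner touching the phone.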
Android browser holes: most people can't get security updates
As well as the NFC route to taking over a phone, several other Android security problems were discussed. There is a flaw in the stock Android browser (Android 4.0.1 and earlier) that was publicly disclosed by the Google Chrome team and fixed in Chrome, which is updated frequently. The stock browser, however, is only updated with the operating system, and because many Android users are stuck on old OS versions they will never receive the fix. BeyondTrust CTO Marc Maiffret put the update problem succinctly: “Google has added some great security features, but nobody has them.”
Bouncer gets bypassed
Another security firm, Trustwave, showed that Google's much-heralded “Bouncer” technology, meant to identify and remove malicious software from Google Play, can simply be evaded. After uploading a legitimate, non-malicious app, the researchers added malicious features to it remotely using a JavaScript bridge, a WebView mechanism that lets JavaScript loaded by the app call into the app's own Java code. Because the new behaviour arrives as script from the researchers' server rather than as a new APK, it never passes through a Google Play update and Bouncer never sees it. The same JavaScript bridge is used by the Facebook and LinkedIn apps for legitimate purposes.
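The bridge in question is Android's WebView.addJavascriptInterface. The following is an added example for this article, not Trustwave's demo code or any real app: it shows the risky wiring (a bridge object with a powerful public method, plus a page loaded from a server) beside a hardened version (a bundled page, a bridge exposing one annotated method, and a WebViewClient that blocks navigation away from the bundled assets). The server name updates.example.invalid and the asset file ui.html are hypothetical. This is Android code and needs the Android SDK to build.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.File;
import java.util.Arrays;

public class BridgeDemoActivity extends Activity {

    // RISKY: every public method on this object becomes callable from any JavaScript the
    // WebView runs. Paired with a page fetched from a server, the server decides at run time
    // what the app does, and none of that behaviour is in the APK a scanner examined.
    static class WideOpenBridge {
        public String listDir(String path) {
            String[] names = new File(path).list();
            return names == null ? "" : Arrays.toString(names);
        }
    }

    // HARDENED: one narrowly scoped method, explicitly opted in. From Android 4.2 onward only
    // @JavascriptInterface-annotated methods are reachable from JavaScript; on older releases
    // the annotation is ignored, so keep the object this small regardless.
    static class NarrowBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }
    }

    // The pattern to avoid: remote content plus a capable bridge.
    static void riskySetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new WideOpenBridge(), "app");
        webView.loadUrl("http://updates.example.invalid/ui.html");   // hypothetical server
    }

    // The hardened pattern: bundled content, minimal bridge, no navigation off the bundle.
    static void hardenedSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true blocks the navigation. Note this only intercepts top-level
                // navigations, not <script src> includes, so the bundled page must itself
                // contain no references to remote scripts.
                return !url.startsWith("file:///android_asset/");
            }
        });
        webView.addJavascriptInterface(new NarrowBridge(), "app");
        webView.loadUrl("file:///android_asset/ui.html");           // hypothetical bundled page
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        hardenedSetup(webView);   // riskySetup(webView) is what the evasion relies on
        setContentView(webView);
    }
}
```

The review-time question for any app that uses the bridge is therefore not “does the code in the APK do anything bad” but “what can the JavaScript this WebView will ever load reach through the bridge, and who controls that JavaScript”. If the answer to the second part is a server, the app's reviewed behaviour is only its behaviour today.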
Responses of Google and Nokia
In response to an Ars Technica article about these NFC shenanigans, Nokia said “Nokia takes product security issues seriously. Nokia is aware of the NFC-research done by Charlie Miller and are actively investigating the claims concerning Nokia N9.” Google representatives have not yet commented.