Smartphone hacker Charlie Miller was scheduled to present an attack today at the Black Hat USA 2012 security conference, demonstrating what he claims are security vulnerabilities in the NFC peer-to-peer and tag-reading features of Android phones, as well as on Nokia’s N9 device.
Miller, well known for his successful attacks on the iPhone and other Apple devices, reportedly was to say that NFC phones such as the Galaxy Nexus and Nexus S, both made by Samsung for Google, as well as the MeeGo-based N9, could be compromised through peer-to-peer communication and, in some cases, tag reading, forcing the phones to visit Web sites or download files.
For example, Miller told Ars Technica before his presentation that Android Beam, Google’s extension of NFC’s peer-to-peer mode introduced in Android 4.0, could let an attacker force a victim’s phone to open a malicious Web site.
Miller said that from there he could run his own commands in the phone’s Web browser and view files on the device. He would, of course, have to get close enough to the victim’s phone to touch it with his own device in peer-to-peer mode. The Galaxy Nexus runs Android 4.0, known as Ice Cream Sandwich, which supports Android Beam.
With the older Nexus S, which runs Android 2.3 (Gingerbread), an earlier but still widely used version of the operating system, Miller said he could encode an NFC tag so that reading it delivered malicious code that was executed on the device, the publication reported. Gingerbread doesn’t support Android Beam.
Android 4.0 and above apparently fix many of the bugs that enabled the tag-based attacks, but Android 4.0 also introduced Android Beam, which Miller characterized as opening up generous attack opportunities.
“If I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to,” Miller, who is a researcher with security firm Accuvant, told the publication. “So instead of the attack surface being the NFC (software) stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC.”
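The URL-pushing behaviour Miller describes rests on the NDEF message format: Android Beam and NFC tags both deliver NDEF records, and a well-known URI record (type "U") is what makes the receiving phone hand a URL to its browser. The Python below is an added example, not code from the article, from Ars Technica or from Miller’s talk. It encodes a URI record and parses NDEF messages with every declared length checked against the bytes actually received, the discipline a tag or Beam parser needs so that malformed input is rejected rather than read out of bounds (the specific tag-parsing bugs Miller found are not described on this page, so nothing here claims to reproduce them). The record layout and flag bits follow the public NFC Forum NDEF specification; the prefix table is a deliberate subset of the URI Record Type Definition table, and the sample URI is constructed.

```python
"""Encode and strictly parse NDEF URI records, the NFC Forum format that
Android Beam pushes between phones and that NFC tags carry.

Added example, not code from the article or from the talk it reports on.
Assumes only the public NDEF record layout and the URI RTD; URI_PREFIXES is
a subset of the spec's 0x00-0x23 table.
"""
import struct

# Partial URI RTD prefix table (identifier code -> prefix string).
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

# NDEF record header flag bits: Message Begin, Message End, Chunk Flag,
# Short Record, ID Length present; low three bits are the Type Name Format.
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01


class NdefError(ValueError):
    """Raised for any malformed or unsupported NDEF input."""


def encode_uri_record(uri: str) -> bytes:
    """Build a one-record NDEF message (MB and ME set) holding a URI record."""
    code, rest = 0x00, uri
    # Longest matching prefix wins, so "https://www." is chosen over "https://".
    for k, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if prefix and uri.startswith(prefix):
            code, rest = k, uri[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    header = MB | ME | TNF_WELL_KNOWN
    if len(payload) < 256:
        header |= SR                                     # 1-byte payload length
        length_field = bytes([len(payload)])
    else:
        length_field = struct.pack(">I", len(payload))   # 4-byte big-endian length
    return bytes([header, 1]) + length_field + b"U" + payload


def parse_ndef_message(data: bytes) -> list:
    """Parse an NDEF message into records without trusting declared lengths."""
    records, pos, n = [], 0, len(data)
    first = True
    while True:
        if pos >= n:
            raise NdefError("truncated: missing record header")
        header = data[pos]
        pos += 1
        if bool(header & MB) != first:
            raise NdefError("MB flag inconsistent with record position")
        if header & CF:
            raise NdefError("chunked records not supported")
        first = False
        # Type length (1) + payload length (1 or 4) + optional ID length (1).
        fixed = 1 + (1 if header & SR else 4) + (1 if header & IL else 0)
        if pos + fixed > n:
            raise NdefError("truncated: incomplete length fields")
        type_len = data[pos]
        pos += 1
        if header & SR:
            payload_len = data[pos]
            pos += 1
        else:
            payload_len = struct.unpack(">I", data[pos:pos + 4])[0]
            pos += 4
        id_len = 0
        if header & IL:
            id_len = data[pos]
            pos += 1
        # The check that matters: declared sizes must fit the bytes we hold.
        if type_len + id_len + payload_len > n - pos:
            raise NdefError("declared lengths exceed remaining bytes")
        rtype = data[pos:pos + type_len]
        pos += type_len
        rid = data[pos:pos + id_len]
        pos += id_len
        payload = data[pos:pos + payload_len]
        pos += payload_len
        records.append({"tnf": header & 0x07, "type": rtype, "id": rid,
                        "payload": payload})
        if header & ME:
            break
    if pos != n:
        raise NdefError("trailing bytes after the ME record")
    return records


def decode_uri_record(record: dict) -> str:
    """Expand a parsed URI record back into the full URI string."""
    if record["tnf"] != TNF_WELL_KNOWN or record["type"] != b"U":
        raise NdefError("not a URI record")
    payload = record["payload"]
    if not payload:
        raise NdefError("empty URI payload")
    code = payload[0]
    if code not in URI_PREFIXES:
        # The table here is partial, so reject rather than guess at the prefix.
        raise NdefError("unknown URI identifier code 0x%02x" % code)
    return URI_PREFIXES[code] + payload[1:].decode("utf-8")


def roundtrip(uri: str) -> str:
    """Encode a URI, parse the message, and return the recovered URI."""
    return decode_uri_record(parse_ndef_message(encode_uri_record(uri))[0])


def is_malformed(data: bytes) -> bool:
    """True if the strict parser rejects the message."""
    try:
        parse_ndef_message(data)
        return False
    except NdefError:
        return True


if __name__ == "__main__":
    sample = "https://www.example.com/attack"   # constructed, not from the talk
    print(encode_uri_record(sample).hex(), "->", roundtrip(sample))
```

The parser does the bounds check once, before any slice, and treats a message whose declared lengths outrun the buffer as an error instead of silently returning a short payload; a tag reader that trusts the length byte is the kind of component the article says Android 4.0 hardened.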
With the Nokia N9, Miller reportedly said he could use NFC to open a Bluetooth connection to another device. Although users can control which devices are paired, Miller is claiming that the N9 accepts file transfers “without warning” and then automatically opens an application to “render” the downloaded file, according to the publication.
Nokia, in a statement to the publication, said it was aware of Miller’s research and is investigating his claims about the N9’s security. It reportedly said it knows of no malicious attacks on the handset exploiting the vulnerabilities and that any attack on a broad scale would be unlikely.
Google reportedly hasn’t commented on Miller’s claims.
It’s not the first report of security flaws in Google’s NFC phones or in Google Wallet.
In addition to the well-publicized hacks earlier this year of the wallet PIN, which didn’t compromise the payment applications in the wallet, Austrian researcher Michael Roland of the NFC Research Lab Hagenberg this spring demonstrated a successful relay attack on the wallet’s payment applications.
Unlike most relay attacks, Roland said, his attack does not require the attacker to be near the target phone: the attacker could make purchases with the victim’s payment account from miles away, reaching the secure element in the victim’s Google Wallet phone over the mobile network.
The attacker would first have to install software on the victim’s handset for the attack to work, however.