Android and Nokia smartphones hijacked via NFC
At the Black Hat information security conference in Las Vegas, security specialist Charlie Miller has demonstrated the potential risks of Near Field Communication (NFC), a standard that has already been integrated into many smartphones: the researcher managed to use NFC to infect smartphones from different manufacturers with malicious code – without any need to interact with the smartphone owner.
During his nine months of research, Miller focused on the applications that access the radio interface. The most well-known app is probably Google's Beam, which has been factory installed on all Android devices since Android 4.0 (Ice Cream Sandwich). If a victim's smartphone is placed in the vicinity of a tag that has been tampered with, the phone's browser will be launched and will access a web site – in this case one that contains malware exploits for Android.
For the demonstration, Georg Wicherski from Crowdstrike contributed a vulnerability in the Webkit browser of Android versions 4.0.1 and earlier that allowed Miller to take control of the device. The researcher says that 90% of all Android devices still have an old, and therefore vulnerable, version of Android installed. The bug can, in principle, also be deployed via other channels, but the NFC technology allows infections to be successful without any user interaction.
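The tag-to-browser path described above depends on the handset acting on a tag's contents without asking. As an added example (not code from the article or from Miller's research), the following decodes an NDEF URI record, the standard NFC Forum format for a link stored on a tag, and returns a decision that requires user confirmation instead of opening the link. The policy labels `ask_user` and `ignore` and the sample tag bytes are constructed for illustration.

```python
# Added illustration: decode the NDEF message a tag presents and decide
# whether a handler may act on it. Policy labels are hypothetical.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

# Constructed sample: one short well-known URI record (MB|ME|SR, TNF=1, type "U").
_URI = b"\x03example.com/offer"
SAMPLE_TAG = bytes([0xD1, 0x01, len(_URI)]) + b"U" + _URI

def parse_ndef(data):
    """Return (tnf, type, payload) tuples; raise ValueError on malformed input."""
    records, i = [], 0
    try:
        while i < len(data):
            header = data[i]; i += 1
            if header & 0x20:                      # CF flag
                raise ValueError("chunked records are not handled here")
            type_len = data[i]; i += 1
            if header & 0x10:                      # SR flag: 1-byte payload length
                payload_len = data[i]; i += 1
            else:                                  # otherwise 4 bytes, big-endian
                payload_len = int.from_bytes(data[i:i + 4], "big"); i += 4
            id_len = 0
            if header & 0x08:                      # IL flag: ID length present
                id_len = data[i]; i += 1
            end = i + type_len + id_len + payload_len
            if end > len(data):                    # never trust tag-supplied lengths
                raise ValueError("record length exceeds tag contents")
            rec_type = bytes(data[i:i + type_len])
            payload = bytes(data[i + type_len + id_len:end])
            records.append((header & 0x07, rec_type, payload))
            i = end
            if header & 0x40:                      # ME flag: last record
                break
    except IndexError:
        raise ValueError("truncated NDEF record") from None
    return records

def decide(data):
    """Never open tag content automatically; surface URIs for confirmation."""
    decisions = []
    for tnf, rec_type, payload in parse_ndef(data):
        prefix = URI_PREFIXES.get(payload[0]) if payload else None
        if tnf == 0x01 and rec_type == b"U" and prefix is not None:
            uri = prefix + payload[1:].decode("utf-8", "replace")
            decisions.append(("ask_user", uri))    # show the full URI to the user
        else:
            decisions.append(("ignore", "unhandled record"))
    return decisions
```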
The Nokia N9, which uses Nokia's MeeGo operating system, was infected in a different way: the device is factory set to accept arbitrary NFC communication and will, for example, automatically display images or Office files that are sent this way. Miller says that the file rendering applications contain numerous bugs that can cause buffer overflows and enable attackers to take control of a device.
An attacker can also activate the N9's Bluetooth interface via NFC and then pair the device with a notebook. According to Miller, it is then possible to send premium-rate SMS text messages or call premium numbers, export the address book, and access the N9's filesystem.
As NFC only has a range of a few centimetres, attackers and their NFC tags or NFC-enabled phones must get very close to their victims. Miller therefore considers it more likely that malicious tags could, for instance, be attached to advertising posters, or that NFC terminals could be exchanged for modified ones.
Correction: The article previously understated the Android versions that were affected by Wicherski's Webkit vulnerability; it has now been corrected.
(Uli Ries / djwm)