FYI - proof of concept hacking of Android phones via NFC




VulchR
Jul 27, 2012, 12:12 PM
No doubt the hack vulnerability will be shut down relatively easily and quickly, but it does make me wonder about the wisdom of using a phone as a payment device. See story (http://www.bbc.co.uk/news/technology-19010945) at the BBC web site.



ChazUK
Jul 27, 2012, 12:36 PM
I must admit I got confused by Nokia commenting on an Android vulnerability but then I remembered some people had ported ICS to the N9. Got my hopes up for a second! :D

kdarling
Jul 28, 2012, 07:10 AM
No doubt the hack vulnerability will be shut down relatively easily and quickly, but it does make me wonder about the wisdom of using a phone as a payment device. See story (http://www.bbc.co.uk/news/technology-19010945) at the BBC web site.

This is about the ability to do things like sharing a website URL with another user by holding two phones together. (My son-in-law loves doing this.)

You have to have your phone turned on, not notice someone holding their phone against yours, not be suspicious that a new website pops up on your screen after someone did that, and then you have to be fooled into doing something on that website.

VulchR
Jul 28, 2012, 10:38 AM
This is about the ability to do things like sharing a website URL with another user by holding two phones together. (My son-in-law loves doing this.)

You have to have your phone turned on, not notice someone holding their phone against yours, not be suspicious that a new website pops up on your screen after someone did that, and then you have to be fooled into doing something on that website.

I understand that - however, it does not inspire confidence that a system used to make payments could be used for a purpose not given explicit consent by the user. FWIW I am not so much concerned that this was on Android, but that it reveals that NFC is vulnerable just like any form of communication.

kdarling
Jul 28, 2012, 10:54 AM
I understand that - however, it does not inspire confidence that a system used to make payments could be used for a purpose not given explicit consent by the user. FWIW I am not so much concerned that this was on Android, but that it reveals that NFC is vulnerable just like any form of communication.

The simple beaming of URLs and app data between phone users over NFC is not secured because there's no compelling reason to do so.

Obviously payments use far more security, in addition to requiring a PIN for non-minimal amounts.

The breathless articles about this make it sound like NFC for payments was hacked. On the contrary, he simply used the stock open method of transferring URLs and data.

You could do almost the same thing by sending someone the URL of a malicious website via SMS or email. The big difference here is that often the phone will automatically open itself to that website, where you might be lured into clicking and downloading something. An easy way around that would be to add a prompt.

Mac.World
Jul 28, 2012, 09:43 PM
I understand that - however, it does not inspire confidence that a system used to make payments could be used for a purpose not given explicit consent by the user. FWIW I am not so much concerned that this was on Android, but that it reveals that NFC is vulnerable just like any form of communication.

You do realize you have to be less than about half an inch for the tag or payment device to connect? So let's say I wanna steal your info. I have to know where your phone is on your person, then hope there isn't too much clothing in the way, then figure out how to be that close to you for at least 2 seconds. Then, and only then, can the chip's data be accessed. And most of that data has two layer encryption, like financial.

In other words, it's more likely you will get struck by lightning on a sunny day than have your nfc chip hacked.

By the way, I use NFC every day. I have 6 nfc discs that give my phone different commands depending if I am home, in the car or at work. You have to be pretty precise when you tap them to where the chip is on the phone. If someone has a phone in their pocket and the screen is facing outward, no crook could access the chip. Even if someone were to put another phone up against your pocket. The inside components between the nfc chip and glass would prevent signal transmission.