Samsung Galaxy S3 (et al) hacked via NFC at PWN2OWN




Porshuh944turbo
Sep 19, 2012, 03:34 PM
Uh oh.....

The Samsung Galaxy S3 can be hacked via NFC, allowing attackers to download all data from the Android smartphone, security researchers demonstrated during the Mobile Pwn2Own contest in Amsterdam on Wednesday.

Still want NFC? :eek:

Using this technique, a file is loaded on the targeted S3. The file is then automatically opened and gets full permissions, meaning that the attacker has full control over the phone, explained Tyrone Erasmus, security researcher at MWR. The app runs in the background so the victim is unaware of the attack, he added.

The attacker, for instance, gets access to all SMS messages, pictures, emails, contact information and much more. The payload is very advanced, so attackers can "basically do anything on that phone," the researchers said.

http://www.networkworld.com/news/2012/091912-galaxy-s3-hacked-via-nfc-262590.html?hpg1=bn

EDIT:
To please some of you accusing me of not being fair -- yes, the iPhone 4S was hacked via a similar exploit, but obviously not via NFC, which I believe is the news here. The iPhone exploit was made possible through a website. The iPhone 5 is believed to be vulnerable, though this is unconfirmed. The exploit was used on iOS 5.1.1 and a developer version of iOS 6 on an iPhone 4S handset.


When a user visits a website where the code is running, the security mechanisms in Safari are circumvented



jaysen
Sep 19, 2012, 03:38 PM
Uh oh.....



Still want NFC? :eek:



http://www.networkworld.com/news/2012/091912-galaxy-s3-hacked-via-nfc-262590.html?hpg1=bn

If you're going to troll, be fair about it - sheesh.

It should be noted though, that the vulnerability can also be exploited in other ways, the researchers said. The payload data can for instance be attached to an email message and have the same effect when downloaded, they said.

"We used the NFC method for showmanship,"

Oh no, let's remove email from the iPhone...

Cozmo85
Sep 19, 2012, 03:42 PM
NFC's range is something like touching to 4 inches. At that distance you could just steal the phone.

Porshuh944turbo
Sep 19, 2012, 04:03 PM
Most people can spot a phishing email a mile away (if it even makes it through your mail server's spam filter). Walk around a shopping mall and see how many people get close enough to your phone that is in your pocket. It takes very little time to establish an NFC connection. Once the payload is uploaded, according to the article, a hacker could connect via WiFi to your phone and access anything and everything.

I can think of numerous places a hacker could exploit this with ease:

a crowded bar
a concert
checkout line at the grocery store
checkout line just about anywhere
at the workplace where people often leave their phone on their desk

it's not about stealing a phone.. the NFC hack works without the owner's knowledge.




troll? lol.. been here since 2003, bud

Interstella5555
Sep 19, 2012, 04:05 PM
Most people can spot a phishing email a mile away (if it even makes it through your mail server's spam filter). Walk around a shopping mall and see how many people get close enough to your phone that is in your pocket. It takes very little time to establish an NFC connection. Once the payload is uploaded, according to the article, a hacker could connect via WiFi to your phone and access anything and everything.

I can think of numerous places a hacker could exploit this with ease:

a crowded bar
a concert
checkout line at the grocery store
checkout line just about anywhere
at the workplace where people often leave their phone on their desk

it's not about stealing a phone.. the NFC hack works without the owner's knowledge.




troll? lol.. been here since 2003, bud

If you were really being fair you would mention the 5 has also been hacked instead of just saying "et al". I agree though, NFC is a terrible idea.

Porshuh944turbo
Sep 19, 2012, 04:06 PM
The 5 wasn't hacked.. a 4S was, and the team responsible believes the 5 is also vulnerable (unconfirmed). However, I think the news here is that NFC was used. Email and website hacks have been around for a while now (and are indeed a threat that should be patched).

If you can show me an iPhone 5 hacked via NFC, then you got me.

JohnnyAndre
Sep 19, 2012, 04:08 PM
You lose again, Samsung. Give up.

munkery
Sep 19, 2012, 04:32 PM
It should also be noted that the Android exploit included privilege escalation.

This allowed the installation of an app, which could have been malware, and the compromise of protected data, such as SMS and emails.

Privilege escalation was not achieved in iOS. So, malicious apps couldn't be installed and protected data was not compromised.

Mobile pwn2own 2012 details:

http://dvlabs.tippingpoint.com/blog/2012/07/20/mobile-pwn2own-2012

Android exploited including privilege escalation via NFC

http://labs.mwrinfosecurity.com/blog/2012/09/19/mobile-pwn2own-at-eusecwest-2012/

Android hack details:

The first vulnerability was a memory corruption that allowed us to gain limited control over the phone. We triggered this vulnerability 185 times in our exploit code in order to overcome some of the limitations placed on us by the vulnerability.

We used the second vulnerability to escalate our privileges on the device and undermine the application sandbox model. We used this to install a customised version of Mercury, our Android assessment framework. We could then use Mercury’s capabilities to exfiltrate user data from the device to a remote listener, including dumping SMS and contact databases, or initiating a call to a premium rate number.

iPhone browser exploited but privilege escalation not achieved

http://www.zdnet.com/mobile-pwn2own-iphone-4s-hacked-by-dutch-team-7000004498/

iPhone hack details:

Although the successful attack exposed the entire address book, photo/video database and browsing history, Pol and Keuper said they did not have access to the SMS or e-mail database. "Those are not accessible and they're also encrypted," Keuper explained.

Despite obliterating the security in Apple's most prized product, Pol and Keuper insists that the iPhone is the most secure mobile device available on the market. "It just shows how much you should trust valuable data on a mobile device. It took us three weeks, working from scratch, and the iPhone is the most advanced device in terms of security."

"Even the BlackBerry doesn't have all the security features that the iPhone has. For example, BlackBerry also uses WebKit but they use an ancient version. With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said matter-of-factly.

He reckons that the Android platform is also "much better" than BlackBerry and said the decision to go after iPhone 4S at Pwn2Own was simply aimed at going after the harder target.

jaysen
Sep 19, 2012, 04:35 PM
Most people can spot a phishing email a mile away (if it even makes it through your mail server's spam filter). Walk around a shopping mall and see how many people get close enough to your phone that is in your pocket. It takes very little time to establish an NFC connection. Once the payload is uploaded, according to the article, a hacker could connect via WiFi to your phone and access anything and everything.

I can think of numerous places a hacker could exploit this with ease:

a crowded bar
a concert
checkout line at the grocery store
checkout line just about anywhere
at the workplace where people often leave their phone on their desk

it's not about stealing a phone.. the NFC hack works without the owner's knowledge.




troll? lol.. been here since 2003, bud

Most tech-savvy people can spot a phishing email a mile away, yet millions of people still fall victim to phishing scam/emails a year - go figure.

You're absolutely right in terms of the many opportunities someone has to become close enough to "exploit" this hack, yet you forget the attacker would still need to know the person's phone location to get within "4 inches" of it... I can only see this as being valid if the person has their phone swinging from their hands as they take strides...

In regards to my troll comment, I was referring to you bashing "Samsung" for including a technology that Nokia, Philips, and Sony developed, YET the article clearly states ANYONE is vulnerable.

You also fail to realize the team purposely used NFC for "showmanship", again failing to note this could probably be done using WiFi or Bluetooth. Also note, the GSIII, Galaxy Nexus and HTC One X all have the capability of turning NFC on/off.

Good article nonetheless, but to say "Still want NFC" as if it's the future doomsday technology is unfair and biased - hence my troll comment.

JohnnyAndre
Sep 19, 2012, 04:45 PM
NFC shouldn't make or break a phone. It's a stupid feature that can be easily reproduced in many different, more secure ways.

lordofthereef
Sep 19, 2012, 04:51 PM
While I agree that this is a concern, it is being overblown here by the OP. Someone walking by you at the mall? NFC on the phone isn't an always on type of thing. You don't just brush up against a person and steal their information. NFC actually has to be activated. The risk of something getting stolen would be similar to the risk of your card info being stolen by means of a skimmer (look it up for those who don't know what that is). Granted, getting the entire contents of your phone stolen is a bigger deal than a single credit card's info, which is why I am not dismissing this as nothing, but it certainly is getting way more heat than it deserves.

chakraj
Sep 19, 2012, 04:55 PM
Hackers show the world how to steal an iPhone’s pictures, address book and browser history

TechWorld reports that the hackers created a Webkit browser exploit that circumvents Safari’s security protocols if a user happens to be on a page where the malicious code is running.

The hackers told TechWorld that the browser exploit “works on iOS 5.1.1 and the developer release of iOS 6, and probably also works on the iPhone 5,” so it’s not as though upgrading to the new iPhone will deliver instant protection.

http://www.bgr.com/2012/09/19/iphone-browser-hack-pictures-address-book-browser-history-targeted/


JetBlack7
Sep 19, 2012, 04:56 PM
The next big thing is here...along with the possibility to be hacked.

shawnwich
Sep 19, 2012, 05:00 PM
Yes, yes I still want NFC.

Anything can be hacked.

RotaryP7
Sep 19, 2012, 05:04 PM
Anything except Blackberries. Did you know the President has a Blackberry? It's nearly impossible to hack into those phones. That's still one of the reasons why the Blackberry still exists today.

Oppressed
Sep 19, 2012, 05:04 PM
Hard to promote something like this for public use if the public has to be afraid if they are going to be hacked.

Anything except Blackberries. Did you know the President has a Blackberry? It's nearly impossible to hack into those phones. That's still one of the reasons why the Blackberry still exists today.

"Even the BlackBerry doesn't have all the security features that the iPhone has. For example, BlackBerry also uses WebKit but they use an ancient version. With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said matter-of-factly.

munkery
Sep 19, 2012, 05:08 PM
Hackers show the world how to steal an iPhone’s pictures, address book and browser history

...

See my post above. The Android exploit was worse because it included privilege escalation which allows the installation of malicious apps and the compromise of SMS and emails.

The iPhone exploit didn't allow app install and protected data wasn't compromised. The data accessed with the iPhone exploit is only data available via legitimate APIs. Despite the exploit working in iOS 6, I suspect that even this limited data access may be mitigated by the new security and privacy features of iOS 6.

In terms of security, the android exploit is much more severe.

cotak
Sep 19, 2012, 09:40 PM
The problem is how NFC is implemented right now and how it automatically opens something it is sent. That will be rectified, I am sure.

It's not a reason to be for or against NFC. If you think like that you'd be mistaking a bad design decision for a useful technology. The vast majority of us have NFC in our lives already, be it the PayPass in your credit card or the badge you open doors with at your office.

throAU
Sep 19, 2012, 09:56 PM
NFC is retarded.


They're making all the same mistakes the desktop world went through in the late 90s.

Unauthenticated, unencrypted traffic, sent to my device?

Sure, come right in, I'll process that!


Fact: programmers can't write secure code (we've had 50 years to get it right, and people still can't)
Fact: it will be exploited

lazard
Sep 19, 2012, 10:01 PM
NFC's range is something like touching to 4 inches. At that distance you could just steal the phone.

Actually the NFC range is 4cm.

----------

NFC is retarded.


They're making all the same mistakes the desktop world went through in the late 90s.

Unauthenticated, unencrypted traffic, sent to my device?

Sure, come right in, I'll process that!


Fact: programmers can't write secure code (we've had 50 years to get it right, and people still can't)
Fact: it will be exploited

The information sent via NFC is encrypted and sent over a secured channel.

cotak
Sep 19, 2012, 10:07 PM
NFC is retarded.


They're making all the same mistakes the desktop world went through in the late 90s.

Unauthenticated, unencrypted traffic, sent to my device?

Sure, come right in, I'll process that!


Fact: programmers can't write secure code (we've had 50 years to get it right, and people still can't)
Fact: it will be exploited

You realize that SMS is also unauthenticated, unencrypted traffic sent to anyone's phone, and any phone just processes it? Should we all abandon SMS?

For that matter, how is any instant messaging app any better? Or email? Might as well just put on the tin foil hat at this point.

It's not that programmers cannot write secure code. It's that there's not enough pressure for that to be the prime objective.

kdarling
Sep 19, 2012, 10:53 PM
Reading the article, it's not really about NFC, since that's just one possible delivery vector.

It's more about a security hole in a popular document reader app that allows a downloaded page to install code.

blackhand1001
Sep 20, 2012, 09:06 AM
The problem is how NFC is implemented right now and how it automatically opens something it is sent. That will be rectified, I am sure.

It's not a reason to be for or against NFC. If you think like that you'd be mistaking a bad design decision for a useful technology. The vast majority of us have NFC in our lives already, be it the PayPass in your credit card or the badge you open doors with at your office.

The issue is only related to the S3. The Galaxy Nexus only enables NFC polling once the device is unlocked. Samsung can easily change the S3 to work this way as well.

Mac.World
Sep 20, 2012, 09:26 AM
NFC shouldn't make or break a phone. It's a stupid feature that can be easily reproduced in many different, more secure ways.

Really? Must be why credit card companies and government agencies use the tech. :rolleyes:

To hack NFC, you must be literally within an inch of the phone's chip. Not the phone, the chip. And if you believe someone is trying to do this thing to you, knows exactly where you keep your phone, etc... there is an easy way to stop them. Put your phone in your pocket with the screen facing outward. Done. Or stick a metal cover over the back. Or real carbon fiber.

This is such a non issue.

flameproof
Sep 20, 2012, 09:44 AM
Anything except Blackberries. Did you know the President has a Blackberry? It's nearly impossible to hack into those phones. That's still one of the reasons why the Blackberry still exists today.

...and they are very unlikely to get stolen too.

ChazUK
Sep 20, 2012, 10:00 AM
Although the vulnerability exists as zero-day across all Android platforms, including version 4.1, Nils said the exploit won't work on Jelly Bean because of the improved mitigations.

http://www.zdnet.com/exploit-beamed-via-nfc-to-hack-samsung-galaxy-s3-android-4-0-4-7000004510/

Looks like my Galaxy Nexus and Nexus 7 are safe. :D

TheHateMachine
Sep 20, 2012, 10:23 AM
I'm really scared that someone is going to slip their phone into my pocket with its back touching my phone's back and run off with all my data. Yea... real scared!

I know you fanboys wanna jump all over NFC, but the range is ridiculously small. They literally have to touch their device to yours.

r.j.s
Sep 20, 2012, 10:29 AM
I know you fanboys wanna jump all over NFC, but the range is ridiculously small. They literally have to touch their device to yours.

They don't actually have to touch, but the range is only ~4cm, and in many devices (not sure about the S3), the screen must be on and the device unlocked.

Mac.World
Sep 20, 2012, 10:54 AM
I'm not sure why the pro-Apple crowd is in here talking about something they don't use? And yes, if the screen is off and in your pocket, nothing will happen.

On the other hand, all you Apple owners walking around with embedded chip credit cards, those who carry govt ID cards with CAC capability and every US citizen with a passport: I can walk up to any one of you and steal your data with my phone, assuming I am right next to you and know where your wallet or ID is located on your person. Google Wallet and NFC is more secure than what you have right now.

munkery
Sep 20, 2012, 01:53 PM
http://www.zdnet.com/exploit-beamed-via-nfc-to-hack-samsung-galaxy-s3-android-4-0-4-7000004510/

Looks like my Galaxy Nexus and Nexus 7 are safe. :D

The vulnerability exists in Jelly Bean as well. Jelly Bean adds PIE to ASLR which iOS already includes. iOS was compromised despite the greater exploit mitigations. So, the exploit would only need to be modified to compensate for PIE despite the specific exploit used in pwn2own not working against Jelly Bean.

The real issue with exploit mitigations on ARM devices is that these devices are only 32-bit. 32-bit runtime security mitigations can be defeated via brute force methods. The Android exploit suggests some brute force methodology was used, by referring to the vulnerability being triggered 185 times in the exploit.

This is why iOS fell but Safari running on OS X Lion at the non-mobile pwn2own was not compromised.

I'm really scared that someone is going to slip their phone into my pocket with its back touching my phone's back and run off with all my data. Yea... real scared!

I know you fanboys wanna jump all over NFC, but the range is ridiculously small. They literally have to touch their device to yours.

The issue is that NFC could be used as a means of malware transmission because this exploit works without user intervention and allows malicious apps to be installed that run in the background without the user being aware of the process running in the background.

Basically, NFC provides another vector for malware transmission. You get the malware via google play trojan or drive by install via email or malicious website. Then, pass it to others silently when you bump phones for some legitimate reason.
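The post above argues that 32-bit ASLR can be brute-forced and points to the 185 triggers mentioned in the MWR write-up. The following Python model, added here as an illustration and not code from any post or from the researchers, puts numbers on that argument: it computes how likely an attacker is to land on the right address within a given number of attempts for a given amount of randomization entropy, under two assumptions (a fresh layout after every crash, or a layout that stays fixed within one process). The entropy values used (8 bits for a low-entropy 32-bit layout, 28 bits for a 64-bit one) are assumed illustrative figures, not measurements of any specific device.

```python
"""Model of why low-entropy ASLR is brute-forceable and high-entropy ASLR is not.

Added educational example: it does not implement any exploit, only the probability
that repeated blind guesses hit one randomized value out of 2**entropy_bits.
The 185 figure comes from the MWR quote in this thread; the entropy bit counts
below are assumed illustrative values.
"""
import random

# Assumed illustrative entropy figures (not measurements of any real device).
ASSUMED_32BIT_ENTROPY_BITS = 8
ASSUMED_64BIT_ENTROPY_BITS = 28
TRIGGERS_FROM_MWR_WRITEUP = 185


def success_probability_fresh_layout(entropy_bits, attempts):
    """Each attempt faces a freshly randomized layout (e.g. the target process
    restarts after every crash). Attempts are independent, so
    P(at least one hit) = 1 - (1 - 2**-bits)**attempts."""
    p_one = 1.0 / (1 << entropy_bits)
    return 1.0 - (1.0 - p_one) ** attempts


def success_probability_fixed_layout(entropy_bits, attempts):
    """The layout stays fixed across attempts (guesses within one process),
    so an attacker can sweep distinct values: P = min(1, attempts / 2**bits)."""
    space = 1 << entropy_bits
    return min(1.0, attempts / space)


def expected_attempts_fixed_layout(entropy_bits):
    """Average number of distinct guesses needed to sweep to the right value
    when the layout is fixed: (2**bits + 1) / 2."""
    return ((1 << entropy_bits) + 1) / 2.0


def simulate_fresh_layout(entropy_bits, attempts, trials, seed=0):
    """Monte Carlo check of success_probability_fresh_layout: each trial draws a
    new random layout per attempt and records whether any attempt matched the
    attacker's guess. Returns the observed hit fraction."""
    rng = random.Random(seed)
    space = 1 << entropy_bits
    hits = 0
    for _ in range(trials):
        guess = rng.randrange(space)  # attacker's fixed guess for this trial
        for _ in range(attempts):
            if rng.randrange(space) == guess:  # layout re-randomized each attempt
                hits += 1
                break
    return hits / trials


def compare_mitigation_strength(attempts=TRIGGERS_FROM_MWR_WRITEUP):
    """Return a dict of success probabilities for the assumed 32-bit and 64-bit
    entropy figures, to show why the same attempt budget behaves so differently."""
    return {
        "32bit_fresh": success_probability_fresh_layout(ASSUMED_32BIT_ENTROPY_BITS, attempts),
        "32bit_fixed": success_probability_fixed_layout(ASSUMED_32BIT_ENTROPY_BITS, attempts),
        "64bit_fresh": success_probability_fresh_layout(ASSUMED_64BIT_ENTROPY_BITS, attempts),
        "64bit_fixed": success_probability_fixed_layout(ASSUMED_64BIT_ENTROPY_BITS, attempts),
    }


if __name__ == "__main__":
    for name, p in compare_mitigation_strength().items():
        print(f"{name}: P(success within {TRIGGERS_FROM_MWR_WRITEUP} attempts) = {p:.6f}")
    print("simulated (8 bits, 185 attempts):",
          simulate_fresh_layout(ASSUMED_32BIT_ENTROPY_BITS, TRIGGERS_FROM_MWR_WRITEUP, 2000))
```

With the assumed figures, 185 attempts give roughly even odds against 8 bits of entropy but well under a one-in-a-million chance against 28 bits, which is the gap the post is describing: the defence is not the mechanism itself but how much entropy the platform can afford, and a 32-bit address space simply has fewer bits to spend. Fresh randomization per crash, and crash detection that notices a process dying 185 times, are the practical counters on the defender's side.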

lixuelai
Sep 20, 2012, 02:19 PM
It is a very poor excuse against NFC considering how this hack has to be carried out. That said though there just isn't the infrastructure of NFC at the moment in the U.S. I would love to be able to use my phone to buy from a vending machine like I can do in Japan, but that is likely years away.

cynics
Sep 20, 2012, 04:35 PM
Am I misunderstanding, but you need a "file" on the S3 via NFC so wouldn't you need to accept this file first for the hack to work?

I feel like people are saying, "oh just near it even if its in your pocket". But I don't think nfc is on like that unless there is something I'm missing here...

Mac.World
Sep 20, 2012, 07:27 PM
Am I misunderstanding, but you need a "file" on the S3 via NFC so wouldn't you need to accept this file first for the hack to work?

I feel like people are saying, "oh just near it even if its in your pocket". But I don't think nfc is on like that unless there is something I'm missing here...

If the phone is on, if NFC is on AND if you accept the file or allow for a connection, then yes. NFC is active and requires a user interface, while RFID credit cards/passports are passive and can be read at any time (like when you enter a country via customs) unless there is a barrier to prevent transmission. And Google Wallet adds another layer of security on top of Android. As I said, more secure than what most people have in their wallet right now.

And I love using Google Wallet. Just used it as a matter of fact. A simple tap and everything is paid for and a digital receipt is auto generated and saved on the phone. Easy.

oBMTo
Sep 20, 2012, 10:51 PM
I think you iPhone users should be worried about yourselves:

http://www.infowars.com/antisec-fbi-laptop-hack-nets-12-million-iphone-users-data/

matttye
Sep 21, 2012, 01:32 AM
For NFC to work the screen must be on and the device unlocked, then the attacking device would need to get within 2cm (NFC's range).

I'm not worried :)

munkery
Sep 21, 2012, 02:11 AM
I think you iPhone users should be worried about yourselves:

http://www.infowars.com/antisec-fbi-laptop-hack-nets-12-million-iphone-users-data/

It wasn't the FBI that was hacked. It was a developer, far less than 12 million UDIDs were taken, and very little information was associated with the UDIDs.

For NFC to work the screen must be on and the device unlocked, then the attacking device would need to get within 2cm (NFC's range).

I'm not worried :)

Given the exploit could be used to install malware with elevated privileges that runs in the background, then this could be used to transmit malware between devices in the background when NFC is used to bump devices for legitimate purposes.