nusynergy

macrumors regular
Original poster
Jul 3, 2008
Kent - UK
h**p://www.bbc.co.uk/news/technology-30036137

Several bugs in Near Field Communication (NFC) payment systems have been found by security experts.

NFC allows people to pay for goods and services by touching their handset to a payment terminal.

But the inclusion of the technology on phones has proved useful to hackers seeking a stealthy way to take over a mobile phone.

In most cases the bugs would give an attacker complete access to a device's data.

The security experts demonstrated the weaknesses in NFC technology at an event in Tokyo organised by Hewlett Packard. Called Mobile Pwn2Own the competition involves researchers and developers using bugs in an attempt to subvert a series of handsets.

A prize pool of $425,000 (£271,000) was available to those who managed to get access to a handset's innards via a bug they had found. Entrants would get a slice of that cash by taking less than 30 minutes to carry out a successful attack via a previously unknown vulnerability.

Eight separate devices, including an Apple iPhone, Blackberry Z30, Amazon Fire phone and Google Nexus 7, were the targets for the security experts.

On the first day of the two-day competition five teams successfully used the bugs they had found to take over five devices. Three of the successes exploited NFC to give the attackers the ability to extract data at will from the phones. The other two attacks compromised a phone via its on-board web browser.

UK security expert Adam Laurie, Japan's Team MBSD and South Africa's MWR InfoSecurity were among the prize winners.

The Apple iPhone 5S, Samsung Galaxy 5, LG Nexus 5 and Amazon Fire Phone were all successfully compromised.

Details of the vulnerabilities have now been shared with the makers of the handsets so that the bugs can be patched and fixed.
 
As with most tech reporting this one raises more questions than it answers.

The most basic one is "what does it do?" and the best they can say is that it allows access to the phone's "innards." What a wonderfully technical term.

Do we have any reporting on this event written by someone who actually understands it?

EDIT: This is better
http://www.securityweek.com/mobile-pwn2own-2014-iphone-5s-galaxy-s5-nexus-5-fire-phone-hacked

...and it actually makes the BBC article look even worse than I had first thought. The iPhone's web browser was compromised but the BBC article makes it sound like its NFC was compromised. That's some sloppy reporting.
 
On the positive side, the security researcher's purchase of the Fire phone probably doubled its previous sales figures... :D

This is also a validation of Apple's decision to initially limit access to NFC by other parts of the phone. It's a new attack vector that should only be opened for other use in a manner that doesn't permit unauthorized access. Like TouchID, I expect that permitted use will expand over time.
 
This thread needs to be titled "hackers exploit nfc". Nowhere does it say that the phone payment technology was hacked.
 