NFC – or Near Field Communications – has better than even odds to be the “next big thing,” enabling your already-indispensable smartphone to subsume everything from your wallet to your car keys. But when it comes to security, the outlook is – as the Magic 8 Ball might say – “not so good.”
NFC is a short-range wireless communication standard that succeeded a slew of earlier contactless communications standards. It has long been talked up as the guts of mobile wallet platforms like Google Wallet, but using NFC at the supermarket checkout line was only the first and most obvious application of the standard (and by no means the easiest). In truth, there are almost limitless ways that NFC might be used.
The latest dispatch concerning our shared NFC future popped up on sites like GigaOm and The Consumerist this week, where it was reported that car maker Hyundai is testing a project called “Connectivity Concept” that would let car owners use NFC-enabled smartphones to lock and unlock their vehicle. Starting in 2015, Hyundai cars will come equipped with NFC tags on the door. The car’s owner can tap their phone on the tag to unlock the door. And, once in the car, the phone would be docked in a center console, using NFC to sync with the car and load driver-specific settings (radio station preferences, seating positions, etc.). Cool! Other applications of NFC range from a replacement for building access cards to an enabling technology for smart parking meters and smart posters.
No doubt you’ll be shocked…shocked! to learn that these features often come at the cost of security. In just one example, noted mobile security researcher Charlie Miller demonstrated an NFC hack of phones running Google’s Android mobile OS (v 2.3 or “Gingerbread”) at the Black Hat Briefings in July. Miller showed how attackers could use a malicious NFC tag or merely another phone to exploit known vulnerabilities in the Gingerbread OS and take control of NFC functions on the target device. The same method could be used to transmit and open malicious files or web sites on the device, as was done at the Pwn2Own hacking contest at the EuSecWest Conference in September. In that demonstration, researchers from MWR Labs used NFC communications to exploit two vulnerabilities in a Samsung Galaxy S3 phone running Android 4.0.4 OS (Ice Cream Sandwich). By holding two phones close together, the researchers were able to exploit a memory corruption vulnerability in the OS and then use a second privilege escalation vulnerability to escape from the Android application sandbox – effectively taking control of the phone.
As is so often the case, however, the security problems with NFC aren’t really about NFC – but how it’s implemented. As the examples above illustrate: NFC technology is merely a new tool that extends the capabilities of mobile devices and, in doing so, provides a new avenue for malicious content. The security problems stem from how mobile OS makers, handset manufacturers and application developers implement that standard. Too often, they do so without proper regard for security – or any regard whatsoever.
Why is that? For one thing: there are too many powerful players with a vested interest in seeing their vision for NFC triumph and too little interest in cooperating. Just look at mobile payments: the list of vendors competing against each other to dominate that market includes everyone from Mastercard to Verizon to Google to eBay/Paypal. This is one of the biggest reasons that mobile wallets haven’t taken hold: too many incompatible offerings confuse the market and dilute the appeal of any single offering. U.S. paper currency is accepted everywhere in this country. Google Wallet? Not even close.
In the context of security, the lack of a single organization that can act as an arbiter or traffic cop for NFC has translated into slapdash and insecure implementations of the technology. Back in 2011, Google was forced to patch an NFC security hole in Nexus S Android phones that could have allowed NFC-based denial of service attacks against the devices. The problem: Google’s implementation of NFC failed to take into account the hardware limitations of the Nexus S platform.
Researchers like Charlie Miller have observed that NFC-based interactions often force the loading of web links and other suspect content without user consent. And they note that, even in the absence of NFC bugs, gee-whiz features like Android Beam – designed to leverage NFC so users can transfer business cards and other content – make it a trivial matter to push malicious content to phones.
“So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC,” Miller told Ars Technica in an interview in July.
Move the context from mobile payments and smart posters to NFC-enabled automobiles or medical devices, and the stakes become even higher. If researchers can use NFC to break out of the Android sandbox and run malicious code in 2012, how far off is an attack that enables an assailant to take control of a car’s braking or acceleration, or force a lethal injection? I don’t think it’s a stretch to say that headlong adoption of new technology like NFC without proper consideration of security could have deadly consequences.
Researchers like Collin Mulliner at Technische Universität in Berlin and Kevin Fu at the University of Michigan have argued that – at its core – the issue comes down to better application development practices. Implementing cool new features like NFC raises the bar on developers to really understand the capabilities and limitations of the new protocols and create applications that both anticipate and account for likely attacks, including man-in-the-middle attacks, snooping, data manipulation and spoofing attacks. Let’s put that on our to-do list for 2013.
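To make the point about web links loading without user consent, and the call for applications that anticipate hostile input, concrete: the sketch below is an added example, not code from the article or from any vendor. It strictly parses one NDEF URI record read from a tag and returns a handling decision instead of opening the link automatically. The function names, the allowlist and the open/ask/reject policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# URI identifier codes (first payload byte of an NDEF 'U' record), common subset.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
TRUSTED_HOSTS = {"www.example.com"}  # hypothetical allowlist for this sketch


def parse_uri_record(rec: bytes) -> str:
    """Strictly parse a single NDEF well-known URI record and return the URI."""
    if len(rec) < 2:
        raise ValueError("truncated header")
    flags, type_len = rec[0], rec[1]
    short, has_id = bool(flags & 0x10), bool(flags & 0x08)
    fixed = 2 + (1 if short else 4) + (1 if has_id else 0)
    if flags & 0x20 or len(rec) < fixed:
        raise ValueError("chunked or truncated record")
    payload_len = rec[2] if short else int.from_bytes(rec[2:6], "big")
    id_len = rec[fixed - 1] if has_id else 0
    start = fixed + type_len + id_len
    # Length fields come from the tag: they must match the bytes actually read.
    if payload_len < 1 or start + payload_len != len(rec):
        raise ValueError("length fields do not match record size")
    if flags & 0x07 != 0x01 or rec[fixed:fixed + type_len] != b"U":
        raise ValueError("not a well-known URI record")
    prefix = URI_PREFIXES.get(rec[start])
    if prefix is None:
        raise ValueError("unsupported URI identifier code")
    return prefix + rec[start + 1:].decode("utf-8")


def decide(rec: bytes) -> str:
    """Policy (an assumption of this example): 'open', 'ask' or 'reject'."""
    try:
        parts = urlsplit(parse_uri_record(rec))
        host = parts.hostname
    except ValueError:  # includes UnicodeDecodeError from bad UTF-8
        return "reject"
    if parts.scheme == "https" and host in TRUSTED_HOSTS:
        return "open"
    if parts.scheme in ("http", "https") and host:
        return "ask"      # show the full URL and wait for the user
    return "reject"       # tel:, mailto:, empty host, anything else


def make_record(payload: bytes) -> bytes:
    """Build a constructed sample: one short record (MB|ME|SR, TNF=1), type 'U'."""
    return bytes([0xD1, 1, len(payload)]) + b"U" + payload
```

Anything the parser cannot account for byte by byte is rejected, and a link to an unknown site is only ever surfaced to the user for confirmation, never opened on tap.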