NFC - or Near Field Communications - has better than even odds to be the “next big thing,” enabling your already-indispensable smartphone to subsume everything from your wallet to your car keys. But when it comes to security, the outlook is - as the Magic 8 Ball might say - “not so good.”

NFC is a short-range wireless communication standard that succeeded a slew of earlier contactless communications standards. It has long been talked up as the guts of mobile wallet platforms like Google Wallet, but using NFC at the supermarket checkout line was only the first and most obvious application of the standard (and by no means the easiest). In truth, there are almost limitless ways that NFC might be used.

The latest dispatch concerning our shared NFC future popped up on sites like GigaOm and The Consumerist this week, where it was reported that car maker Hyundai is testing a project called “Connectivity Concept” that would let car owners use NFC-enabled smartphones to lock and unlock their vehicle. Starting in 2015, Hyundai cars will come equipped with NFC tags on the door. The car’s owner can tap their phone on the tag to unlock the door. And, once in the car, the phone would be docked in a center console, using NFC to sync with the car and load driver-specific settings (radio station preferences, seating positions, etc.). Cool! Other applications of NFC range from a replacement for building access cards to an enabling technology for smart parking meters and smart posters.

No doubt you’ll be shocked...shocked! to learn that these features often come at the cost of security. In just one example, noted mobile security researcher Charlie Miller demonstrated an NFC hack of phones running Google’s Android mobile OS (v 2.3 or “Gingerbread”) at the Black Hat Briefings in July. Miller showed how attackers could use a malicious NFC tag or merely another phone to exploit known vulnerabilities in the Gingerbread OS and take control of NFC functions on the target device. The same method could be used to transmit and open malicious files or web sites on the device, as was done at the Pwn2Own hacking contest at the EuSecWest Conference in September. In that demonstration, researchers from MWR Labs used NFC communications to exploit two vulnerabilities in a Samsung Galaxy S3 phone running Android 4.0.4 OS (Ice Cream Sandwich). By holding two phones close together, the researchers were able to exploit a memory corruption vulnerability in the OS and then use a second privilege escalation vulnerability to escape from the Android application sandbox - effectively taking control of the phone.

As is so often the case, however, the security problems with NFC aren’t really about NFC - but how it’s implemented. As the examples above illustrate, NFC technology is merely a new tool that extends the capabilities of mobile devices and, in doing so, provides a new avenue for malicious content. The security problems stem from how mobile OS makers, handset manufacturers and application developers implement that standard. Too often, they do so without proper regard for security - or any regard whatsoever.

Why is that? For one thing: there are too many powerful players with a vested interest in seeing their vision for NFC triumph and too little interest in cooperating. Just look at mobile payments: the list of vendors competing against each other to dominate that market includes everyone from Mastercard to Verizon to Google to eBay/Paypal. This is one of the biggest reasons that mobile wallets haven’t taken hold: too many incompatible offerings confuse the market and dilute the appeal of any single offering. U.S. paper currency is accepted everywhere in this country. Google Wallet? Not even close.

In the context of security, the lack of a single organization that can act as an arbiter or traffic cop for NFC has translated into slapdash and insecure implementations of the technology. Back in 2011, Google was forced to patch an NFC security hole in Nexus S Android phones that could have allowed NFC-based denial of service attacks against the devices. The problem: Google’s implementation of NFC failed to take into account the hardware limitations of the Nexus S platform.

Researchers like Charlie Miller have observed that NFC-based interactions often force the loading of web links and other suspect content without user consent. And they note that, even in the absence of NFC bugs, gee-whiz features like Android Beam - designed to leverage NFC so users can transfer business cards and other content - make it a trivial matter to push malicious content to phones.

“So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC,” Miller told Ars Technica in an interview in July.

Move the context from mobile payments and smart posters to NFC-enabled automobiles or medical devices, and the stakes become even higher. If researchers can use NFC to break out of the Android sandbox and run malicious code in 2012, how far off is an attack that enables an assailant to take control of a car’s braking or acceleration, or force a lethal injection? I don’t think it’s a stretch to say that headlong adoption of new technology like NFC without proper consideration of security could have deadly consequences.

Researchers like Collin Mulliner at Technische Universität in Berlin and Kevin Fu at the University of Michigan have argued that - at its core - the issue comes down to better application development practices. Implementing cool new features like NFC raises the bar on developers to really understand the capabilities and limitations of the new protocols and create applications that both anticipate and account for likely attacks, including man-in-the-middle attacks, snooping, data manipulation and spoofing attacks. Let’s put that on our to-do list for 2013.
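One way a tag handler can avoid loading links “without user consent,” shown as an added example that is not from the original article: it decodes an NDEF URI record read from a tag and returns a prompt-or-block decision instead of opening the link. The policy, the function names and the sample record are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# URI identifier codes (subset) from the NFC Forum URI record type definition.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
PROMPT_SCHEMES = {"http", "https"}  # assumed policy: ask first, never auto-open

def parse_ndef_uri(record: bytes) -> str:
    """Decode one unchunked NDEF short record holding a well-known 'U' payload."""
    if len(record) < 3:
        raise ValueError("truncated header")
    flags, type_len, payload_len = record[0], record[1], record[2]
    if not (flags & 0x10) or (flags & 0x20):      # need SR=1, CF=0
        raise ValueError("only unchunked short records are handled")
    pos, id_len = 3, 0
    if flags & 0x08:                              # IL=1: an ID length byte follows
        if len(record) < 4:
            raise ValueError("truncated header")
        id_len, pos = record[3], 4
    rtype = record[pos:pos + type_len]
    pos += type_len + id_len
    payload = record[pos:pos + payload_len]
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("payload shorter than declared length")
    if (flags & 0x07) != 0x01 or rtype != b"U":   # TNF 0x01 = NFC Forum well-known
        raise ValueError("not a URI record")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI identifier code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def decide(uri: str) -> str:
    """Return 'prompt' (show the full URL, wait for consent) or 'block'."""
    parts = urlsplit(uri)
    if parts.scheme not in PROMPT_SCHEMES or not parts.hostname:
        return "block"
    if parts.username is not None:                # user@host can disguise the real host
        return "block"
    return "prompt"

def handle_tag(record: bytes) -> str:
    try:
        return decide(parse_ndef_uri(record))
    except ValueError:                            # malformed or non-URI record
        return "block"

def make_uri_record(code: int, rest: bytes) -> bytes:
    """Build a constructed sample record: MB|ME|SR flags, TNF=1, type 'U'."""
    payload = bytes([code]) + rest
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload

SAMPLE = make_uri_record(0x04, b"example.com/poster")  # constructed test tag
```

`handle_tag` never returns an "open" decision: the most a tag can earn is a prompt that shows the decoded URL, and anything malformed, truncated or outside the assumed scheme list is dropped.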

About Paul Roberts

Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.

Comments (2)

Dan | January 3, 2013 11:14 pm

Please consider the following:

1. Most NFC access control and payment solutions out there rely on the secure element - the OS and the apps aren't really involved in these transactions, particularly from a security perspective. If you read up on secure element hardware (part of SIM or NFC chipset), you'll find that it is quite secure - in fact, far more secure than what we're using for these transactions today. Big banks and issuers wouldn't be investing as heavily as they are in NFC and contactless (think Visa contactless campaign at Olympics) if it weren't far more secure than what we have today. For them, it's more about reducing fraudulent payments for which they're typically liable. It's a different story of course for those who control the secure element (typically MNOs) where it is more about monetization.

2. The Black Hat vulnerability stems from opening a URL that is stored in an NFC tag that points to a malicious website. It's fundamentally an issue with browser security. Yes, this is still bad. However, your phone needs to be unlocked to read an NFC tag and thus likely in your hand so it's unlikely you'd accidentally tap a malicious tag given the range of NFC. It's far more likely that the average consumer would open a phishing email that points to the same malicious website than accidentally tapping a malicious NFC tag. And effectively overlaying a malicious NFC tag on top of an existing smartposter is not trivial given the nature of RF.

3. EMVCo is coming to the US and with it a whole host of requirements for retailers. Many will be upgrading POS terminals to meet a 2015 deadline (else they face unpleasant credit card fraud liability). Most new POS terminals support the global contactless EMVCo standard so contactless (credit cards and NFC-enabled phones) will be accepted just about everywhere within the coming years.

Yes, there are some esoteric vulnerabilities that will get flushed out but I don't think it's nearly as dire as you may suggest in this article.

Joao | January 5, 2013 9:02 am

Good article, explains exactly how it is.
However, "Miller showed how attackers could use a malicious NFC tag", confuses readers.
Better: a tag with a link to a malicious webpage.
