Network Security Blog

Android Devices with NFC Enabled Sitting Ducks for Cyber Attacks

Near Field Communication (NFC) is fast gaining in popularity. There is a strong possibility that very soon people could be using this technology on a regular basis to read tags or pay electronically using their smart phones.

With every new technology come security vulnerabilities, and NFC is no different. Security researcher Charlie Miller of Accuvant Labs has demonstrated that enterprising cyber criminals may use NFC to take control of an Android phone.

Flaws in Android Gingerbread (version 2.3) and Ice Cream Sandwich (version 4) in popular phones such as Samsung and Nokia allow hackers to launch server-side attacks without user interaction.

Placing an NFC-powered fuzzer within a few centimeters of an NFC-enabled smart phone allows sharing of information between the smart phone and the related device. This is how users pay cab bills, read tags or do a host of other useful activities using NFC. However, the enterprising cyber criminal may exploit the bug in the WebKit browser and use the vulnerability to gain shell access to the smart phone. NFC works only when a smart phone is awake, but an attacker could “wake it up” with a text message.

Google has fixed this specific Android vulnerability, but most Android users have not yet upgraded to the fixed version. In any case, the researcher has also found bugs in PowerPoint and PDF that allow hackers to carry out the same exploit, and such bugs are yet to be patched. There would undoubtedly be many more such bugs.

Such bugs underscore the fact that the more complex the device, the greater the potential risks. The only reason such attacks have not occurred so far is that NFC still remains a sparsely used technology. However, it does come enabled out of the box in Android devices, and such devices always remain exposed. The saving grace, however, is that users have the option to turn NFC off, and this is what most users should be doing now.

In the meantime, nipping such vulnerabilities in the bud before the technology takes off would do a world of good for network security.

Source: http://www.darkreading.com/mobile-security/167901113/security/vulnerabilities/240004387/android-takeover-with-the-swipe-of-a-smartphone.html
