NFC Security Flaws In Android And Nokia N9 Phones

Notable security researcher Charlie Miller has found flaws in Near Field Communication (NFC) security that could allow hackers to beam code over to Android and Nokia devices to carry out attacks.

NFC can be used for various processes, including contactless payments and wirelessly interacting with other nearby devices. Showing off his skills at the Black Hat security conference in Las Vegas, Miller, principal research consultant at security firm Accuvant, showed how his attack method could be used against NFC deployments in the Samsung Galaxy Nexus S, the Galaxy Nexus and the Nokia N9.

Miller created a tag that would help him take over the application “daemon” that controls NFC on a Nexus S running Gingerbread, or Android 2.3. From there, he said he could upload malicious code to the device.

Using the Android “Beam” feature that Google added to Ice Cream Sandwich, Miller could also make a handset browser visit any website he wanted. That could be a site that uploads malware to a user’s device.

Nokia N9 NFC security fail?

Miller also found NFC security is weak on Nokia’s N9 device which, when NFC is switched on, automatically accepts all connection requests without telling the user. He showed how by just using a MacBook and connecting it to an N9, he could force it to make calls, send texts or even steal contacts.

Users can change their N9 phones to make sure they are notified of NFC requests, but the phones still accept file transfers without notification. According to Ars Technica, Miller found a vulnerability in a Microsoft Word-compatible reader that could be used to launch an attack by sending over a malicious file.

In most of the NFC attack scenarios showcased by Miller, the victim’s phone has to have its screen active and be unlocked. In all of them, the attacker has to get close to their target.

Nokia said it was aware of Miller’s research and was investigating the claims over the N9, which uses the MeeGo OS.

At the time of publication, neither Google nor Samsung had responded to a request for comment on Miller’s findings.

Meanwhile, security companies are rushing to protect Android-based devices. Yesterday saw the launch of the Android Security Evaluation Framework from Qualys, which takes users’ applications and migrates them to a test suite, where they are checked inside a pre-configured Android Virtual Device (AVD) to see if they are doing anything malicious.

It is similar to BitDefender’s Clueful application for iOS, which was thrown out of the App Store last month, it emerged last week.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
