Dont Stand So Close To Me: An Analysis of the NFC Attack Surface presented at DEF CON 20

by Charlie Miller,

Tags: Security

Summary : Near Field Communication (NFC) has been used
in mobile devices in some countries for a while and
is now emerging on devices in use in the United
States. This technology allows NFC enabled
devices to communicate with each other within
close range, typically a few centimeters. It is being
rolled out as a way to make payments, by using
the mobile device to communicate credit card
information to an NFC enabled terminal. It is a new,
cool, technology. But as with the introduction of
any new technology, the question must be asked
what kind of impact the inclusion of this new
functionality has on the attack surface of mobile
devices. In this paper, we explore this question
by introducing NFC and its associated protocols.
Next we describe how to fuzz the NFC protocol
stack for two devices as well as our results. Then
we see for these devices what software is built on
top of the NFC stack. It turns out that through NFC,
using technologies like Android Beam or NDEF
content sharing, one can make some phones parse
images, videos, contacts, office documents, even
open up web pages in the browser, all without user
interaction. In some cases, it is even possible to
completely take over control of the phone via NFC,
including stealing photos, contacts, even sending
text messages and making phone calls. So next
time you present your phone to pay for your cab,
be aware you might have just gotten owned.