Yesterday, at the Web 2.0 Summit, Google’s CEO Eric Schmidt presented the Nexus S. This wasn’t just about a new phone, he also talked about how Gingerbread (Android OS Version 2.3) would have support for NFC (Near Field Communications) built in. In light of the mobile-phone hotel-key (NFC-based) trial going on at the Clarion hotel in Sweden and questions raised during the conversation at the Summit, it’s time to take another look at the state of NFC security.
Unlike the J2ME-based Samsung S5230 used in the hotel-key trial, the Nexus S (also by Samsung) is running the newest version of Android. This gives you a more powerful OS and more flexibility. Schmidt mentions that NFC will play a big part in mobile transactions in the near future. You can use your phone to pay for goods or to transfer money to others with a “bump.”
The more your mobile phone is used for payments (as a “wallet in your phone”) the more it becomes a target for attackers. Last week we discussed attacks that target NFC-enabled phones. The attacks are:
- Ghost and Leech, using an RFID reader to steal or transmit the victim’s credentials to a fake RFID card. This is an attack that extends the range (normally a few centimeters) of a “tap and pay” transaction, letting an attacker basically pick your virtual pocket. Attackers can buy used RFID readers to assist in pulling off this attack.
- Collin Mulliner’s Python NDEF library, tools for reading and writing NFC tags. Mulliner has demonstrated phishing, fuzzing, and spoofing attacks against mobile phones with NFC. The library was developed for use against a specific NFC-enabled phone, but the greater availability of new Android-based NFC phones will make it easier to update in the future.
It’s interesting to note that Mulliner today retweeted a message about Google and Mobile payments. Perhaps we’ll see an update to the NDEF library in the near future.
Gingerbread (Android OS 2.3)
Schmidt spoke on the inherent security of NFC and how it provides a “secure element” for mobile payments. Because we’ve seen attacks against the security provided by the NFC hardware (the phone itself), he was likely referring to the security provided by Gingerbread. The Android security protections can provide protection against misuse and possibly even abuse of the NFC features of the phone, but these protections depend on an OS with no holes.
A few weeks ago software security and code analysis firm Coverity discovered a large number of potential vulnerabilities in the Android source code. Although not all of these will be exploitable, a number were found in driver code, and others provided potential privilege escalation. Essentially it may be possible for an attacker to create a malicious web page that when visited by an Android phone lets the attacker gain root access. At this point, an attacker can intercept or bypass any security protections guarding sensitive information, such as the contents of your NFC “wallet.”
Security researcher Eric Monti demonstrated a similar attack on an iPhone at Toorcon last month. He used a modified version of the Jailbreakme.com exploit to silently install a rootkit on the phone. Once it was installed, he logged in and spied on a debit card transaction being handled by a popular credit card processing app. Regardless of the security of the app or the underlying OS, all the criminals need is one unpatched vulnerability to bypass the protections.
The factors that influence whether attacks are updated or if attackers expend resources on a given platform are increasing. Prior to the announcement that upcoming Android phones would support NFC, an attacker would have needed to borrow, steal, or clone one of the rare Samsung S5230 phones. Support for NFC from Google also means that vendors will be taking NFC payments. If you can spend your money in more places, so can an attacker. The bright side is that as long as security researchers are looking into new attacks, they’ll also look into new defenses. So keep an eye on your (phone) wallet but don’t worry too much.