Today, I continue to blog from the Black Hat Convention.
One of the things I heard a lot about at the conference was how NFC will soon be coming to a phone near me… complete with all the wonders of mobile payments, data exchanges and simplified Wi-FI.
It all sounded pretty good until Charlie Miller, a very well-known security expert, demonstrated a way to use NFC to hijack an Android smartphone.
But what are the implications of an NFC attack? Will it throw a monkey wrench into mobile payment plans? How practical is it for hackers?
NFC is RFID-based—the same kind of technology used in contactless hotel card keys—which means it requires close proximity (i.e., 10 centimeters) to work, and data rates are slow. But, when the whole point of NFC is the willful exchange of information with the wave of your phone, you start to realize the potential for widespread damage. Mr. Miller showed how this could be (and was in a live demo) done by placing an NFC tag to an otherwise legitimate NFC device. The tag instructed the mobile device to switch on Bluetooth, resulting in the unauthorized sending of data via the mobile phone to a nearby PC. The ease with which Mr. Miller was able to do this was rather unsettling, especially when he then demonstrated making a call from the PC and sending an SMS using the bluetooth connection.
If there’s anything Mr. Miller reminds us, it’s the ease with which hackers have a way of exploiting certain technologies meant for good… for bad. Android Beam, for instance, allows users to instantly share information with each other just by touching phones. But hackers could use that same wireless conduit to emit an attack. As its only the sender that is required to confirm the exchange, the receiving phone could then be instructed to do things that gives the sender control.
While Mr. Miller makes me wonder if NFC is truly ready for prime time, my money’s on the good guys in the long run. Perhaps the solution is as simple as requiring the user to confirm the connection and the sending/receiving of data. Perhaps it’s users becoming more sophisticated in their own use of NFC as they become better acquainted with the technology.
Time will tell.