Google is working on a fix for a newly discovered vulnerability affecting Nexus S Android phones that could cause applications on the phone to crash when they receive incorrectly formatted Near Field Communication (NFC) transactions.
The issue, which will be discussed at an upcoming technical conference on wireless security, could be used for denial of service attacks against applications on the Nexus S. It isn’t considered serious, but it is one of the first publicly disclosed vulnerabilities concerning the NFC features of the Nexus S, and experts warn that it could be the first of many related to NFC, a short-range communications protocol that phone makers, carriers and merchants hope to use for everything from mobile payments to information kiosks.
The vulnerability was among a handful discovered by Collin Mulliner, a doctoral student at the Technische Universitaet Berlin and a well-known researcher on mobile device security. Mulliner said the vulnerability allows a malicious NFC tag to feed incorrect information to a Nexus S phone. For example, a rogue or misconfigured smart tag could ask an NFC-enabled phone to allocate more memory than the phone physically has. That causes the NFC service on the Nexus S to crash unexpectedly, he said.
Mulliner characterized the problem as a “stupid software bug” that he has reported to Google. A Google spokesman said the company was aware of the issue, but doesn’t know of any security implications attached to the hole.
“It’s a situation where, if an NFC lies to the phone and tries to spoof the phone, it causes the application to crash,” the spokesman wrote in an e-mail. Google has developed a fix for the issue and is currently testing it. The spokesman could not confirm when the fix would be released.
However, Mulliner said that the NFC denial of service bug, though tame, may be the first of many such security holes that will be discovered in coming years, as phone makers rush to implement NFC technology and services.
NFC is a promising wireless technology that is seen as a complement to Bluetooth, and one that is better suited for certain kinds of transactions. It relies on NFC radios built into mobile phones and on a wide range of wireless smart tags, akin to RFID tags, that can store information and exchange it wirelessly with NFC-enabled phones. Applications for NFC include mobile payments, in which phone users transmit credit card or banking information wirelessly from their phone to a checkout terminal, as well as ticketing. So-called “smart posters” have already been deployed in some cities; they contain smart tags holding directions and other information that is transmitted when an NFC phone is brought close to the poster.
Mulliner said the vulnerability he found was the result of a loose implementation of the NFC standard on the Nexus S. The standard defines a length field, between one and four bytes long, that tells the phone how large a chunk of memory to set aside for the data that follows. However, the Nexus S made no effort to check whether a value that used the full four-byte range was a request the phone could actually satisfy; it simply trusted the number the tag supplied.
“(Google) just implemented the standard without thinking about what they were implementing…There was no checking,” Mulliner said in a phone interview with Threatpost.
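As an added illustration (not code from the article, from Google, or from Mulliner’s research), the following C sketch shows the class of bug described above. A record header carries a payload length of either one byte (a short record) or four bytes, and a naive parser hands that length straight to the allocator, so a tag can ask for nearly 4 GiB. The hardened parser bounds the length against the bytes actually read from the tag and against an application cap before any memory is requested. The record layout follows the NFC Forum’s NDEF format; the assumption that the Nexus S field in question is this payload length, the 64 KiB cap, the `phone_alloc` stand-in for a constrained device heap, and the sample tag bytes are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NDEF record header flag: SR (short record) means a 1-byte payload length
   instead of a 4-byte big-endian one. ID-field (IL) records are not handled
   here to keep the example short. */
#define NDEF_SR 0x10

/* Per-record budget chosen for this example; not a value from the article
   or from Android. */
#define MAX_PAYLOAD (64u * 1024u)

typedef void *(*alloc_fn)(size_t);

typedef struct {
    uint8_t        type_len;
    uint32_t       payload_len;   /* exactly what the tag claimed */
    const uint8_t *type;          /* points into the tag buffer */
    uint8_t       *payload;       /* heap copy, owned by the caller */
} ndef_record;

/* Header walk shared by both parsers: the only difference between them is
   what they do with payload_len afterwards. Returns the header size in
   bytes, or 0 if the buffer is too short to hold the header itself. */
static size_t ndef_header(const uint8_t *buf, size_t len, ndef_record *r)
{
    size_t pos = 0;
    if (len < 2) return 0;
    uint8_t flags = buf[pos++];
    r->type_len = buf[pos++];
    if (flags & NDEF_SR) {
        if (len < pos + 1) return 0;
        r->payload_len = buf[pos++];
    } else {
        if (len < pos + 4) return 0;
        r->payload_len = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16)
                       | ((uint32_t)buf[pos + 2] << 8) | (uint32_t)buf[pos + 3];
        pos += 4;
    }
    if (len < pos + r->type_len) return 0;
    r->type = buf + pos;
    return pos + r->type_len;
}

/* Vulnerable: trusts the tag's length. Allocation failure is the crash the
   article describes; if the allocation had succeeded, the memcpy would read
   past the end of the tag data instead. */
int ndef_parse_naive(const uint8_t *buf, size_t len, ndef_record *r, alloc_fn alloc)
{
    r->payload = NULL;
    size_t hdr = ndef_header(buf, len, r);
    if (!hdr) return -1;
    r->payload = alloc(r->payload_len);              /* attacker-controlled size */
    if (!r->payload) return -2;
    memcpy(r->payload, buf + hdr, r->payload_len);
    return 0;
}

/* Hardened: the claimed length must fit the bytes actually received and the
   application's own budget before any memory is requested. */
int ndef_parse_checked(const uint8_t *buf, size_t len, ndef_record *r, alloc_fn alloc)
{
    r->payload = NULL;
    size_t hdr = ndef_header(buf, len, r);
    if (!hdr) return -1;
    if (r->payload_len > len - hdr) return -3;       /* claims more than was read */
    if (r->payload_len > MAX_PAYLOAD) return -4;     /* exceeds the app's budget */
    if (r->payload_len == 0) return 0;
    r->payload = alloc(r->payload_len);
    if (!r->payload) return -2;
    memcpy(r->payload, buf + hdr, r->payload_len);
    return 0;
}

/* Stand-in for the phone's heap: records the size requested and refuses
   anything over 1 MiB, the way malloc fails on a memory-constrained device. */
static size_t last_request;
void *phone_alloc(size_t n) { last_request = n; return n > (1u << 20) ? NULL : malloc(n); }
size_t last_alloc_request(void) { return last_request; }
void reset_alloc_log(void) { last_request = 0; }

/* Constructed tag contents, not captured from real tags.
   good_tag: short URI record, type "U", prefix 0x01 ("http://www.") + "threatpost.com".
   hostile_tag: same record type, but a 4-byte length of 0xFFFFFFFF and 2 payload bytes. */
static const uint8_t good_tag[] = {
    0xD1, 0x01, 0x0F, 'U', 0x01, 't','h','r','e','a','t','p','o','s','t','.','c','o','m'
};
static const uint8_t hostile_tag[] = { 0xC1, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 'U', 0x01, 'x' };

int main(void)
{
    ndef_record r;
    int rc = ndef_parse_checked(good_tag, sizeof good_tag, &r, phone_alloc);
    printf("good tag, checked parser: rc=%d payload_len=%u\n", rc, r.payload_len);
    free(r.payload);
    rc = ndef_parse_naive(hostile_tag, sizeof hostile_tag, &r, phone_alloc);
    printf("hostile tag, naive parser: rc=%d, asked heap for %zu bytes\n", rc, last_alloc_request());
    reset_alloc_log();
    rc = ndef_parse_checked(hostile_tag, sizeof hostile_tag, &r, phone_alloc);
    printf("hostile tag, checked parser: rc=%d, asked heap for %zu bytes\n", rc, last_alloc_request());
    return 0;
}
```

The check that matters is the comparison against `len - hdr`: a length field cannot legitimately describe more bytes than the reader has actually pulled off the tag, so that bound costs nothing and catches the forged value before the allocator ever sees it. The policy cap is a second, application-specific line of defence against tags that are internally consistent but still unreasonably large.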
NFC vulnerabilities will be on the agenda at the 7th annual RFIDSec Conference on wireless security and privacy, held at the University of Massachusetts, Amherst. Mulliner’s talk, “Hacking your NFC phone and service: the good news and the bad news,” will address weak points in current NFC implementations.
It’s a topic that is likely to get more attention in the years ahead, as more phones equipped with NFC readers hit the market. Apple is rumored to be working on a version of the iPhone that can interact with NFC chips, and more Google Android phones and tablets that support NFC will hit the market in the months ahead.
Unlike Bluetooth, NFC communications happen over extremely short distances, 5 centimeters or less. That makes eavesdropping on NFC communications harder. However, the smart tags themselves present a potential source of attack and compromise, because the phone reads whatever a tag presents.
One example is the so-called “SmartPoster”: tags placed on posters or kiosks that transmit information to the phone. Currently, the few NFC-enabled phones on the market typically act on data received from a tag automatically. That could include commands to load a Web site, send an SMS message or initiate a phone call.
In a paper presented in February 2011 at the NFC Congress 2011 in Hagenberg, Austria, two researchers from The Netherlands, Roel Verdult and Francois Kooman, demonstrated how malicious smart tags could be used to enable Bluetooth on NFC-capable phones and then push a malicious application to the phone over that connection, all without any user interaction.
One problem facing the industry is that most of the attention to NFC security has focused on securing the radio link itself, to prevent man-in-the-middle or sniffing attacks. Hardly any attention has been paid to the applications built on top of NFC, or to their limitations, Mulliner said.
“All the application logic and protocols seem very weak,” he said.
The other problem is that there is no central authority governing the implementation of NFC, according to Kevin Fu, an assistant professor in the Department of Computer Science at the University of Massachusetts and one of the RFIDSec conference organizers.
Software companies like Google and Apple, telecommunications companies, phone makers, application developers, the government, as well as merchants and consumers, all have a stake in the security of mobile transactions. Most recently, Google introduced a Wallet product that sets the stage for mobile purchasing. But none of them is actually charged with making sure security is built in.
“There’s this diffusion of responsibility, and you need security at every level. But I’m not aware of any single or any majority authority,” Fu told Threatpost.
Mulliner said that practical attacks using NFC could be no more than two years off.
That’s especially true if Apple releases NFC-capable iPhones and iPads and adoption spikes, said Fu.
“If Apple releases an NFC phone, it could seriously change the way payments are done because you’d have such a large number of people using the technology,” he said.
A Google spokesman said that the company was “always looking” for ways to improve the security of its platform and to make it more stable across a wide range of features. “Our platform (Android) is constantly evolving and NFC is part of the platform. So it’s reasonable to assume that it will be evolving too,” he told Threatpost.