LAS VEGAS–Do not stand near Charlie Miller. Actually, you might not even want to let him walk past you. It’s not that Miller is a bad person, you understand. The problem is that Miller has figured out a couple of methods that enable him–or an attacker–to use the NFC chip in some phones to exploit vulnerabilities in the phones’ software and force users to visit a Web site or even gain complete control of the phone.
The attacks that Miller developed rely on the NFC (near-field communication) short-range wireless communication protocol that is used for mobile payments, file transfers and other transactions. The range of the NFC chips, which are in some phone models such as the Nexus S and Nokia N9 now and will be in many more in the near future, is quite small, a few centimeters. Miller, best-known for his research on iOS, used funds from the DARPA Cyber Fast Track program to look at the security properties of NFC as it’s implemented in current phones and devices. What he found was that he could place a simple NFC tag next to a Nexus S and force the phone’s browser to open an arbitrary Web site.
The Nexus S runs on Android and Miller used the technique, along with a known vulnerability in an older version of the OS to perform the attack. He demonstrated the technique, along with another attack that leverages NFC, during a talk at the Black Hat conference here Wednesday. He can use that Android attack in order to point the user’s device to a malicious Web site and then gain complete control of the phone.
All of this by just standing close by or bumping into a victim. The bug in Android that Miller exploits in his attack has been fixed in current versions of Android, but many carriers are slow to push new versions to users, who are, in turn, slow to install updates.
In addition to the work on Nexus S, Miller also did some research on the way that the Nokia N9 Meego operating system handles Bluetooth connections. Under the default settings on the device, Miller found that he could force the phone to pair with any device over Bluetooth by presenting the phone with an NFC tag. The attack works even if the user has Bluetooth pairing disabled on the device, because the phone will allow pairing via NFC.
Once the device is paired with the attacker’s phone, the attacker can get complete access to everything on the N9.
NFC is used extensively in Europe and Asia and one of the main applications is for mobile payments. Users with NFC-enabled phones can set up payment accounts linked to the devices and then use them at specially designed point-of-sale terminals or vending machines. The technology hasn’t shown up widely in the United States yet, but that may change soon. There are rumors that the next iPhone will have an NFC chip, a development that would provide a broad user base and incentive for retailers to deploy NFC-enabled terminals.