Well, how about that? Just last week I talked about a newuse for Near Field Communication on your Android smartphone…but now it’semerged that NFC is also a potential security problem. Go figure.
As I noted in the previous column, NFC is a short-rangetechnology that allows users to transfer data between devices – tap themtogether, and you can transfer information, or make a payment at a retailkiosk. While this technology opens up a world of possibility, it’s alsovulnerable to hackers according to Charlie Miller, who demonstrated somehacking scenarios at the Defcon Black Hat hacking conference late last week.
According the New York Time Bits blog, Miller (a securityresearcher at Accuvant) successfully hacked the Samsung Nexus S, the GalaxyNexus and a Nokia N9 live in front of an audience, and was able to take controlof the phones using the NFC exploit.
The implications are a bit troubling, especially for thosewho want to start using their phones to pay for things via Google Wallet. Rightnow there aren’t a lot of places in Canada that accept payment using NFC, butas more phones and tablets integrate the technology, you can expect it to bemore prevalent at retail. And as the technology grows in popularity, so doesthe incentive to find a way to exploit it.
For example, if you tapped your phone against a rogue NFCdevice, it could route your phone’s browser to a compromised site, andultimately send sensitive data on your phone to that site.
If you think it’s unlikely that someone would interact witha rogue payment terminal, just remember how often no-goodniks have been able toswap out debit terminals with hacked terminals. And then remember thephenomenon of USB “dead drops”, where people demonstrated their willingness toconnect their notebooks to random USB connectors left in public places – apretty solid way to spread malware if there ever was one.
It’s important to note that the patch Miller showed off atDefcon has since been patched by Google in the 4.0.1 update to Ice CreamSandwich, so it’s probably a good idea to update to that newer version of theOS if you’re able to. But since there’s still a danger that NFC can be used asan exploit vector using Google Beam – even after patching to 4.0.1 – it’sprobably still worth exercising at least a modicum of caution when whipping thephone out to use NFC.