At the Black Hat USA security conference, researcher Charlie Miller demonstrated vulnerabilities that let certain Android and Nokia phones be hijacked by an attacker in close proximity to the device, that is, within NFC range of a few centimetres. On recent Android releases NFC is used not only for digital wallets and mobile payments through services such as Google Wallet, but also to check in to places and to drive "smart tags" that change device settings or launch apps. According to Ars Technica's report, if the NFC radio is enabled, all an attacker has to do is get close enough to an Android phone, for example by walking past its owner, to hijack it.
The bugs allow Miller, using nothing more than a specially crafted tag, to take control of the daemon that handles NFC functions. With additional work, he said, the tag could be modified to execute malicious code on the device. Some, but possibly not all, of those bugs were fixed in Android 4.0 (Ice Cream Sandwich), so the attacks may also work against that release and against Jelly Bean (4.1).
“What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to,” Miller said. “So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC.”
Android Beam, a popular feature of recent Android releases that lets two phones share information when they are tapped together back-to-back, is present on many newer phones, and on those phones the OS leaves NFC enabled by default. Users who do not realize the radio is on are exposed without ever having changed a setting; turning NFC off when it is not needed removes the vector entirely, since the attack requires the radio to be active.
Miller says the feature lets an attacker program an NFC smart tag to launch a website, walk up to a user's NFC-enabled smartphone, tap the tag against it without the user's consent or knowledge, and have the phone open a malicious website or download malicious content.
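The "launch a website" tags Miller describes here and in the quote above are ordinary NDEF messages whose first record is a URI record: Android's tag dispatch reads that record and delivers the URI to whatever activity matches it, which for http and https is the browser. The following Python is an added example, not code from Miller's talk or from Ars Technica, showing how such a record is encoded and how a defender can decode a tag's contents and list the URIs that would auto-open. The prefix table is the subset of the NFC Forum URI identifier codes needed here, and the tag bytes at the bottom are constructed for the example.

```python
"""Encode and audit NDEF URI records of the kind used to make a phone open a web page."""
import struct

# Subset of the NFC Forum URI Record Type Definition identifier codes. Byte 0 of
# a 'U' record payload selects a prefix that is prepended to the rest of the URI.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

# NDEF record header flag bits and the Well-Known type name format.
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01


def encode_uri_record(uri, first=True, last=True):
    """Build one NDEF 'U' record, abbreviating the scheme with the longest matching code."""
    code, rest = 0x00, uri
    for c, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if c and uri.startswith(prefix):
            code, rest = c, uri[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    flags = SR | TNF_WELL_KNOWN | (MB if first else 0) | (ME if last else 0)
    if len(payload) > 255:            # short-record form only holds a 1-byte length
        flags &= ~SR
        length = struct.pack(">I", len(payload))
    else:
        length = bytes([len(payload)])
    # Header layout: flags, TYPE_LENGTH, PAYLOAD_LENGTH, TYPE, PAYLOAD (no ID field).
    return bytes([flags, 1]) + length + b"U" + payload


def parse_ndef(message):
    """Return (tnf, type, payload) for each record of an NDEF message, stopping at ME."""
    records, pos = [], 0
    while pos < len(message):
        flags, type_len = message[pos], message[pos + 1]
        pos += 2
        if flags & SR:
            payload_len, pos = message[pos], pos + 1
        else:
            payload_len, pos = struct.unpack(">I", message[pos:pos + 4])[0], pos + 4
        id_len = 0
        if flags & IL:
            id_len, pos = message[pos], pos + 1
        rtype, pos = message[pos:pos + type_len], pos + type_len
        pos += id_len                                   # skip the record ID, if any
        if pos + payload_len > len(message):
            raise ValueError("truncated NDEF record")
        payload, pos = message[pos:pos + payload_len], pos + payload_len
        records.append((flags & 0x07, rtype, payload))
        if flags & ME:
            break
    return records


def decode_uri(payload):
    """Expand a 'U' record payload back into the full URI string."""
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unknown or reserved URI identifier code 0x%02x" % payload[0])
    return prefix + payload[1:].decode("utf-8")


def browser_launching_uris(message):
    """List every http/https URI on the tag. Android dispatches on the first record,
    so a tag whose first entry is such a URI will open the browser when tapped."""
    found = []
    for tnf, rtype, payload in parse_ndef(message):
        if tnf == TNF_WELL_KNOWN and rtype == b"U":
            uri = decode_uri(payload)
            if uri.startswith(("http://", "https://")):
                found.append(uri)
    return found


# Constructed sample tag: a web URI followed by a phone number (example data only).
SAMPLE_TAG = encode_uri_record("http://www.example.org/landing", first=True, last=False) \
           + encode_uri_record("tel:+15555550100", first=False, last=True)

if __name__ == "__main__":
    print(encode_uri_record("http://www.example.com").hex())
    print(browser_launching_uris(SAMPLE_TAG))
```

Reading a tag's contents with a tool like this before letting a phone touch it is the practical check: anything reported by `browser_launching_uris` will be handed to the browser with no user interaction on a phone whose NFC radio is on.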