Android, Nokia smartphone security toppled by Near Field Communication hack
By exploiting multiple security weaknesses in the industry standard known as Near Field Communication, smartphone hacker Charlie Miller can take control of handsets made by Samsung and Nokia. The attack works by putting the phone a few centimeters away from a quarter-sized chip, or touching it to another NFC-enabled phone. Code on the attacker-controlled chip or handset is beamed to the target phone over the air, then opens malicious files or webpages that exploit known vulnerabilities in a document reader or browser, or in some cases in the operating system itself.
NFC is already widely available in some countries and is slowly being rolled out in handsets marketed in the United States. It allows devices to establish radio communications when they are gently bumped together or pass within close proximity of special chips. The feature allows people to share business cards and Web links on the fly or to effortlessly establish a Bluetooth connection with PCs, speakers or other devices. It can also be used to zap payment-card data to point-of-sale terminals. It's already built into smartphones running the Android and MeeGo mobile OSes and has been rumored to be a part of future Windows Phone and iOS devices.
...
Insecure by default
The Nexus S—when running Gingerbread (2.3), by far the most dominant Android installation—contains multiple memory-corruption bugs. They allow Miller—using nothing more than a specially designed tag—to take control of the application "daemon" that controls NFC functions. With additional work, he said the tag could be modified to execute malicious code on the device. Some, but possibly not all, of those bugs were fixed in the Ice Cream Sandwich (4.0) version of Android, so the attacks may also work against that release and Jelly Bean (4.1) as well.
But even if there are no exploitable bugs in the NFC code itself, a feature known as Android Beam, which Google developers added to Ice Cream Sandwich, allows Miller to force a handset browser to open and visit any website he chooses—without first getting permission from the end user.
"What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to," Miller said. "So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC."
Surprisingly, when NFC and Android Beam are enabled—as they are by default—devices will automatically download any file or Web link sent through the service. There's no way for end users to selectively approve or reject a specific transfer initiated by another handset. "The fact that, without you doing anything, all of a sudden your browser is going to my website, is not ideal," Miller said in a noted understatement.
Making a malicious hacker's job easier, older Android versions contain known security vulnerabilities that often remain unpatched for months or even years. Miller's Black Hat demonstration includes an attack that exploits a browser bug that ships with every phone running version 4.0.1 or earlier of the operating system. Using NFC and Android Beam, he can force the phone to visit a booby-trapped website that allows him to run arbitrary commands as the Web browser, including viewing files stored on the device. He said other documented security bugs in the WebKit browser engine, which is included in Android, can be exploited in the same manner.
...
Article in full
cheers ...