Black Hat: Hacking guru reveals NFC smartphone hacking tricks

Researcher Charlie Miller outlines process for compromising handsets

LAS VEGAS: Renowned security researcher Charlie Miller has demonstrated how near-field communication (NFC), an increasingly popular technology in handsets such as Samsung's Galaxy S3, leaves an open door for attackers.

The Accuvant Labs research consultant showed attendees at the Black Hat conference a pair of demonstrations in which an attacking device could reach a targeted handset over an NFC connection, such as those used by Samsung's S Beam, and get files executed on it.

In the first demonstration, Miller showed an Android handset being compromised by way of the Beam file-sharing feature.

By initiating a peer-to-peer NFC session, the kind normally started by tapping two handsets together, Miller was able to push content to the targeted handset that made it load an attack page, and from there run code, without any notification or permission prompt.

In the second demonstration, Miller exploited the link between NFC and the Bluetooth components on the Nokia N9: an NFC tap was enough to bring up a Bluetooth connection to the handset, after which he could install and then execute files on it, including a PowerPoint presentation.
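Both demonstrations hinge on what a tap actually delivers: an NDEF message whose records the handset acts on. A Beam push carries a URI record that Android hands to the browser; the N9 pairing uses a Bluetooth out-of-band record. The following encoder and parser is an added example, not code from the article or from Miller's talk. It follows the published NFC Forum NDEF, URI RTD and Bluetooth Secure Simple Pairing handover formats; the sample URLs, the sample Bluetooth address and the `actions_to_confirm` gate (a stand-in for the "let me say no" prompt Miller asked for) are constructed for illustration.

```python
"""NDEF framing for the two payloads above: a URI record and a Bluetooth
OOB pairing record. Added example, not from the article or Miller's talk;
sample URL/address and the confirmation gate are constructed."""
import struct

TNF_WELL_KNOWN, TNF_MIME = 0x01, 0x02
FLAG_MB, FLAG_ME, FLAG_SR, FLAG_IL = 0x80, 0x40, 0x10, 0x08
BT_OOB_TYPE = b"application/vnd.bluetooth.ep.oob"

# First entries of the URI RTD abbreviation table (code byte -> prefix).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def encode_record(tnf, rtype, payload, first=True, last=True):
    """One short-record (SR) NDEF record; MB/ME mark message start and end."""
    if len(payload) > 255:
        raise ValueError("short-record form only in this example")
    flags = tnf | FLAG_SR | (FLAG_MB if first else 0) | (FLAG_ME if last else 0)
    return bytes([flags, len(rtype), len(payload)]) + rtype + payload


def encode_uri_record(uri, first=True, last=True):
    """Well-known 'U' record: one abbreviation byte, then the rest of the URI."""
    code, rest = 0x00, uri
    # Longest matching prefix wins, so "http://www." is tried before "http://".
    for c, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if prefix and uri.startswith(prefix):
            code, rest = c, uri[len(prefix):]
            break
    return encode_record(TNF_WELL_KNOWN, b"U", bytes([code]) + rest.encode(), first, last)


def encode_bt_oob_record(bd_addr, first=True, last=True):
    """MIME record with minimal SSP OOB data: LE total length + LE BD_ADDR."""
    addr = bytes.fromhex(bd_addr.replace(":", ""))[::-1]  # spec stores LSB first
    payload = struct.pack("<H", 2 + len(addr)) + addr
    return encode_record(TNF_MIME, BT_OOB_TYPE, payload, first, last)


def parse_ndef(message):
    """Walk an NDEF message and return (tnf, type, payload) up to the ME flag."""
    records, pos = [], 0
    while pos < len(message):
        if pos + 3 > len(message):
            raise ValueError("truncated NDEF header")
        flags, type_len = message[pos], message[pos + 1]
        pos += 2
        if flags & FLAG_SR:
            payload_len = message[pos]
            pos += 1
        else:
            payload_len = struct.unpack(">I", message[pos:pos + 4])[0]
            pos += 4
        id_len = 0
        if flags & FLAG_IL:
            id_len = message[pos]
            pos += 1
        end = pos + type_len + id_len + payload_len
        if end > len(message):  # length field claims more bytes than we have
            raise ValueError("truncated NDEF record")
        rtype = message[pos:pos + type_len]
        payload = message[pos + type_len + id_len:end]
        pos = end
        records.append((flags & 0x07, rtype, payload))
        if flags & FLAG_ME:
            break
    return records


def decode_uri(payload):
    """Expand the abbreviation byte of a 'U' record payload."""
    prefix = URI_PREFIXES.get(payload[0]) if payload else None
    if prefix is None:
        raise ValueError("empty payload or unknown URI prefix code")
    return prefix + payload[1:].decode()


def decode_bt_oob(payload):
    """Return the BD_ADDR from SSP OOB data as 'XX:XX:XX:XX:XX:XX'."""
    if len(payload) < 8 or struct.unpack("<H", payload[:2])[0] != len(payload):
        raise ValueError("bad OOB length field")
    return ":".join("%02X" % b for b in payload[2:8][::-1])


def actions_to_confirm(message):
    """Hypothetical gate: everything a tap would trigger, for a user prompt."""
    actions = []
    for tnf, rtype, payload in parse_ndef(message):
        if tnf == TNF_WELL_KNOWN and rtype == b"U":
            actions.append(("open-url", decode_uri(payload)))
        elif tnf == TNF_MIME and rtype == BT_OOB_TYPE:
            actions.append(("bluetooth-pair", decode_bt_oob(payload)))
        else:
            actions.append(("unknown", rtype.decode(errors="replace")))
    return actions


if __name__ == "__main__":
    msg = (encode_uri_record("http://www.example.com", last=False)
           + encode_bt_oob_record("00:11:22:33:44:55", first=False))
    for action in actions_to_confirm(msg):
        print("tap would trigger:", action)
```

The point of the gate is that a URI record contains nothing a handset can use to judge trust; the only safe place to put the decision is in front of the user, which is exactly what the default Beam behaviour described above skipped.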

The presentation was the result of several months of research in which Miller analysed the NFC stack from its most basic radio protocol up to the high-level components that hand NFC data to third-party applications.

The presentation noted that in most cases the attacking device had to be within a few inches of, or touching, the targeted device. Miller commented that attacks from long distances were highly unlikely.

Miller's conclusion was that in most cases the weakest link in NFC lies at the higher levels of the stack, where there are more vulnerabilities to exploit.

"The real attack surface is the browser, and that is pretty screwed up," Miller commented.

The presentation was also part of an effort by Miller to pique the interest of researchers and developers in NFC security. He noted that the attacks in his demonstrations could have been spotted simply by making NFC connection alerts and permission prompts the default on handsets.

"Before you push a web page to me," Miller quipped, "for God's sake give me the option to say no."

Miller has a history of high-profile security presentations and discoveries. Between 2009 and 2011 he won the Pwn2Own hacking contest three years running, and in 2011 his discovery of flaws in iOS led to his ouster from Apple's developer programme.