DARPA-Funded Researcher Can Take Over Android And Nokia Phones By Merely Waving Another Device Near Them

Smartphones' growing adoption of so-called "near field communications" promises to let the device in your pocket wirelessly make payments, beam info to other phones, and seamlessly sync with nearby computers. It might also let an artful hacker pickpocket your private information right through your clothes.

At the Black Hat security conference Wednesday, serial Apple and Android hacker Charlie Miller plans to present a grab bag of new tricks that allow him to take complete control of Android and Nokia phones simply by bringing another device or just a chip within a few inches of the target gadget.

Miller, who works for security firm Accuvant but whose research was also funded in part by the Pentagon's research arm, the Defense Advanced Research Projects Agency, found that he could simply flash a near-field-communications (NFC) tag containing a chip next to an Android Nexus S phone to load a malicious URL in the phone's browser through a feature that Google calls Android Beam. From there, he was able to exploit a second, older vulnerability in the phone's browser to take complete control of the device through the rigged website, accessing any information stored on its SD card or potentially installing software to monitor its communications.

In other words, by merely brushing up against someone in a crowded room, Miller could hijack his or her handset. "The whole idea of Android Beam is that if you both have Android phones, you can share a game you're playing or a web page or something on Maps," says Miller. "But the scary thing is that with just an NFC tag I can make your browser open a web page and completely own your phone."

Here's a video that shows Miller gaining control of a phone through Android Beam:

Though the browser vulnerability that Miller used has been fixed in Android's version 4.01, Miller says that most users likely haven't implemented the patch; he points to Android version statistics that show that 90% of users have yet to upgrade to the latest version of the operating system, and close to two-thirds continue to use a version that's two generations out of date.

In a separate attack on a Nokia N9, Miller found that unless the user changes the phone's settings, the company's MeeGo operating system enables Bluetooth pairing with any device that requests a connection via its NFC reader, even if its Bluetooth pairing is turned off. That simple security flaw could allow an attacker to flash the phone with a tag or another phone, pair it with his device, then gain complete access to its data and contacts.

Here's a video of that Bluetooth pairing trick in action:

In the Nokia case, users can fix the problem by turning off Bluetooth pairing through NFC, but phones are shipped with the vulnerable capabilities turned on by default.

In a third attack, Miller used the N9's NFC content sharing feature to send it a maliciously crafted Word document that takes advantage of vulnerabilities in the phone's word processor to take control of the device, as he shows in this video:

Update: As Ars Technica points out, Miller's tricks require phones' screens to be active, and in the case of the Nokia phones or Android phones running Ice Cream Sandwich or newer versions of the operating system, unlocked as well. In those cases, Miller imagines an attack scenario where an NFC tag is placed near another device where users expect to use NFC for legitimate purposes such as a point-of-sale terminal.

Miller began his research by scouring both the Nokia and Android devices' NFC code for vulnerabilities, using a technique called "fuzzing" that repeatedly throws random data at the devices until they crash, which indicates a potentially exploitable bug. Using that method, he found two flaws in the NFC code that might allow him to execute commands on Android phones. But as he began to discover the more easily exploited vulnerabilities in the implementation of NFC shown in the videos above, he didn't bother to try exploiting the bugs in the NFC code itself, which would likely have been more difficult.

"Once you realize NFC opens the gateway to the browser and other big attack surfaces, I thought, why waste time exploiting these NFC bugs," he says. "As an attacker I wouldn't look for NFC bugs but instead focus on other applications that you can get to run using NFC."

Miller says he alerted both Nokia and Google in the weeks before his talk. I reached out to both Google and Nokia for comment, and while Google declined to comment, Nokia responded in a statement that it's "aware of the NFC-research done by Charlie Miller and [is] actively investigating the claims concerning Nokia N9. Although it is unlikely that such attacks would occur on a broad scale given the unique circumstances, Nokia is currently investigating the claims using our normal processes and comprehensive testing."

"Nokia is not aware of any malicious incidents on the Nokia N9 due to the alleged vulnerabilities," the company added.

Though the low-level NFC bugs he found through fuzzing need to be patched, Miller says there's a simple way for Google and Nokia to solve the vast majority of their more severe NFC vulnerabilities: Require users to give their permission before a piece of content sent over NFC is automatically rendered on their phone.
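To make the proposed fix concrete, here is an added example (not code from the article, Google or Nokia) that parses the NDEF message an NFC tag or Beam push carries, classifies what it asks the phone to do (open a URL in the browser, pair over Bluetooth), and returns that as a pending action that runs only if a user-confirmation callback approves it. The `confirm` callback, the `SAMPLE_TAG` bytes and the function names are assumptions constructed for the example.

```python
import struct

# NFC Forum RTD-URI prefix codes (first entries of the real table)
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

def parse_ndef(msg: bytes):
    """Yield (tnf, type, payload) for each record in an NDEF message."""
    off = 0
    while off < len(msg):
        flags = msg[off]; off += 1          # MB ME CF SR IL TNF(3 bits)
        tnf = flags & 0x07
        short_record = flags & 0x10
        has_id = flags & 0x08
        type_len = msg[off]; off += 1
        if short_record:
            payload_len = msg[off]; off += 1
        else:
            payload_len = struct.unpack(">I", msg[off:off + 4])[0]; off += 4
        id_len = 0
        if has_id:
            id_len = msg[off]; off += 1
        rtype = msg[off:off + type_len]; off += type_len
        off += id_len                       # record ID is not needed here
        payload = msg[off:off + payload_len]; off += payload_len
        if off > len(msg): raise ValueError("truncated NDEF record")
        yield tnf, rtype, payload
        if flags & 0x40:                    # ME bit: last record
            break

def classify(msg: bytes):
    """Return the actions an NFC push requests, without performing any."""
    actions = []
    for tnf, rtype, payload in parse_ndef(msg):
        if tnf == 1 and rtype == b"U":      # well-known URI -> browser
            url = URI_PREFIXES.get(payload[0], "") + payload[1:].decode()
            actions.append(("open_url", url))
        elif tnf == 2 and rtype == b"application/vnd.bluetooth.ep.oob":
            actions.append(("bluetooth_pair", payload[2:8].hex(":")))
        else:
            actions.append(("unknown", rtype.decode(errors="replace")))
    return actions

def handle_nfc_push(msg: bytes, confirm):
    """Gate from the article: nothing is rendered unless the user approves."""
    return [a for a in classify(msg) if confirm(a)]

# Constructed sample tag: one short URI record for "http://example.com"
SAMPLE_TAG = bytes([0xD1, 0x01, 0x0C, 0x55, 0x03]) + b"example.com"
```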

For years, all but the least security-savvy users have known that they shouldn't open emailed file attachments from strangers. It seems like a no-brainer for Google and Nokia to require that even fancy new wireless communications protocols follow the same rule.