Near field communication (NFC) is a type of contactless, wireless technology used for sending information or making payments. By embedding an NFC chip inside a smartphone, a company can create a virtual wallet where users store credit card information and can pay at a store simply by waving their smartphone over a credit card reader.
NFC is similar to radio-frequency identification or RFID. A small NFC chip inside a smartphone or other device generates an electromagnetic field. This field is received by an NFC tag found in a card reader, a smart poster, or even on an advertisement. The tag contains information and, using the electromagnetic field as its power supply, sends this information to the smartphone.
Since NFC facilitates contactless transfer of information, it is exposed to certain security risks as discussed below. Please note that the risks must be considered in the context that the range of NFC devices is limited – usually a few centimetres. Please do note though that it is still possible for an attacker to retrieve usable signals up to distances, often up to 1 metre away for passive signals, and for active mode distances of up to 10 metres may be at risk.
The first risk that presents itself is eavesdropping. Eavesdropping is when a third party can intercept the transmission and gain access to the data being transmitted. If the data is sensitive, such as credit card data or personal information, then the third party will have full access to this data. A possible and easy mitigation for this risk is to encrypt the data that is being transferred over the NFC channel.
Another security concern is data disruption or corruption. This is basically a denial of service attack where an attacker is disrupting or corrupting the data to block the communication channel. The attacker may try to disrupt the communications by sending data that may be valid, or even blocking the channel so that the legitimate data is corrupted. This type of attack is a little harder to mitigate against. It is possible to pick up this type of attack as the power required for such an attack is significantly higher than that required for normal communications. Further, the data stream could also be encrypted or incorporate some form of data validation controls to prevent against data corruption.
Related to the above is the risk of data manipulation. With this attack the perpetrator attempts to intercept the data, manipulate it and sent it onto the intended receiver. Again, the simplest way to mitigate against this attack is to use a secure communication channel.
NFC channels are also susceptible to man-in-the-middle (MITM) attacks. In this scenario, an attacker successfully intercepts the communication and then acts as a relay, passing the data on either having modified it or simply having read and recorded it. It is particularly difficult to achieve a man-in-the-middle attack on an NFC link due to the short distance capability of the communications. To completely minimise the risk, it is best to use an active-passive communication mode. In this way it would be possible to hear and detect any unwanted third party. Using a secure communication channel is also another viable alternative.
There is also a risk around malicious applications being downloaded onto NFC devices. The application could read any nearby NFC tag and send the data to the attacker. In essence your NFC device could now be sniffing your credit card without your knowledge. Mitigation for this risk requires user awareness. Ensure the user knows what they are downloading and that it has been properly vetted (easier said than done though).
Mobile malware is also starting to become an issue. The malware could easily sniff sensitive information such as credit card data stored or used on the NFC device and forward this to the attacker over an NFC channel or the web. At the moment smartphones provide little financial gain for hackers and they are targeted less. The spread of NFC technology would allow users to store valuable bank account and credit card information on their smartphones, thus making them a target. Mitigation for this risk involves installing an anti-malware program on your device and having the device password/PIN protected so that it could not be easily accessed by an attacker that may have gained physical access to it.
It may also be possible to attack the NFC stack to cause device crashes or find vulnerabilities that enable and attacker to gain full control of the device. Such an attack was demonstrated by Charlie Miller at Blackhat 2012. The mitigation for this no different to any development effort – secure coding and development practices, and appropriate security testing.
Another risk that has emerged recently is ‘Android Beam’. Android Beam can be used to pass information between devices or from a tag to a device. The information that can be passed includes contacts, URLs, applications, etc. There is no confirmation required on the receiving side and the device runs the associated application automatically. This opens a whole new can of worms as you could transfer malicious applications to devices without the user requiring to confirm the transfer. You could also transfer a malicious URL and either trick the user into clicking it or exploit a browser bug to visit the malicious website and download malicious content. The attack scenarios are quite broad in this case. The mitigation in this case is as simple as requiring receiver confirmation before data is transferred to the recipient device.
There is also an issue that is present with NFC enabled Nokia phones. Nokia phones can use NFC to automatically pair Bluetooth devices. There is no requirement to enter a PIN or other confirmation by default. Once paired, an attacker can use tools such as obexfs to gain access to the device. The mitigation here is to require a PIN or other confirmation before Bluetooth pairing is accepted.
Mobile NFC use and uptake is increasing significantly. As with any new technology, there is a security learning curve. Developers and users should equally be aware of these risks and ensure that NFC development occurs in a secure manner and users are educated in its risks and can protect themselves against the threats.
Follow @CSO_Australia and sign up to the CSO Australia newsletter.