“The NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security,” says the industry standards body. “Mr Miller’s demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences.”
A presentation at last week’s Black Hat USA 2012 event in Las Vegas has caused quite a stir, with the tech press and even the BBC reporting that NFC could be used to “hijack” consumers’ mobile phones.
As so often with NFC, however, things are rather more complex than they initially appear and the NFC Forum has now responded to the findings outlined by respected security researcher Charlie Miller in his presentation “Don’t stand so close to me: An analysis of the NFC attack surface.”
In the presentation, Miller detailed his research work “fuzzing” NFC devices as he assessed the “attack surface” that NFC presents — in security terms, an attack surface is all the code in a system that can be run by unauthorised users. He discovered bugs in particular operating system implementations of NFC, as well as security weaknesses in certain NFC implementations such as Android Beam and Nokia’s content sharing and Bluetooth pairing.
These, coupled with the fact that data received via NFC can in certain circumstances be automatically and silently passed to apps or system libraries containing known exploits mean that, while there is no inherent flaw with NFC, determined hackers may be able to find new ways into devices until the implementation issues are addressed. Miller points out, for example, that the operating system level handler for .png graphics files on the Nokia N9 contains known vulnerabilities.
Miller concluded that NFC stacks are hard to test and recommended that all devices should offer an option to seek user confirmation before data received via NFC is passed to applications, and that this should be enabled by default.
Debbie Arnold, director of the NFC Forum, tells NFC World:
The NFC Forum recognizes that NFC security is of utmost importance and supports an active, dedicated Security Working Group to address security issues and opportunities.
Our role is to develop interface specifications to enable the use of NFC in a wide range of applications, rather than to define the requirements (including security) of the applications that use the NFC interface.
However, the NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security. These tools include: (a) Signature RTD (NDEF Signing), a specification the NFC Forum has released to digitally sign messages transmitted between devices and tags; (b) ISO/IEC 13157, a data link security standard to complement higher-layer security, originally developed by the standardization body Ecma International; (c) application security (end-to-end encryption) defined by the service provider; and (d) additional security layers in service providers’ respective back-end systems.
All of these activities and mechanisms work hand-in-hand. NFC solution providers may add security measures to their applications as they see fit, including both required and optional user actions to enable or disable functions.
Mr Miller’s demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences.
We at the NFC Forum continue to push for security measures that effectively safeguard confidential user data and welcome all interested parties who seek further information or wish to contribute to our efforts to visit us at www.nfc-forum.org.
NFC World also spoke with Miller about his findings, following his presentation. The key issue, he explained, is that the user is not necessarily aware when they have interacted with NFC, unlike when someone consciously clicks on a URL — such as a shortened link in a Twitter message — which may take them to a malicious website. If NFC is not configured to inform the user each time an interaction is made via tag reading or P2P, then the user’s phone can be made to download and execute a malicious payload without the user even knowing an interaction has taken place. Android’s peer-to-peer Beam functionality is vulnerable in this way, points out Miller, because it requires no confirmation from the receiving device when information is sent.
“Every time you make things very very simple to use, it’s an opportunity for hackers,” he warns. “I’m hoping in the future they make some changes so the user has some choices.” His message for companies developing NFC applications? “Consider that this is a new way that could potentially be problematic… keep security in mind.”