
EUSecWest 2008

The third annual EUSecWest conference will be held on May 21/22 at the Sound club in Leicester Square in central London, U.K.

May 16, 2008

Near Field Communication (NFC)

You might not be carrying around an NFC phone right now. You might not have even heard of Near Field Communication, but Trifinite's Collin Mulliner is working quietly behind the scenes to make it safer by the time it is widespread. Read on to find out what's going on.


Sean Comeau: Most people have never heard of NFC. What is it?

Collin Mulliner: NFC is a proximity coupling technology that allows bidirectional data transfer. In short, it is an RFID system built into your mobile phone. NFC phones can operate in three different ways: 1) they can act as a Proximity Coupling Device (PCD), an RFID reader/writer; 2) they can act as a Proximity Inductive Coupling Card (PICC) and therefore emulate a smart card/RFID tag; 3) they can do Point-to-Point communication.

I'm only going to talk about the RFID reader/writer part since the other two are not really used by any service at the moment.

Sean Comeau: I've heard from Japanese friends that it's now possible to pay for things with your cell phone. Is that the same NFC standard you are talking about?

Collin Mulliner: If this is the system that uses "Felica", then yes. I only looked at the European stuff - which seems less sophisticated than the Japanese system.

Sean Comeau: What new threats exist against NFC services and phones?

Collin Mulliner: I've basically analyzed THE NFC phone available in Europe (the Nokia 6131 NFC) and found that it allows spoofing of RFID tag content. This is quite interesting since some of the European systems use exactly the part that is spoofable. I've also done some fuzzing on the Nokia 6131 NFC and found some smaller bugs.

I've also conducted a small survey of NFC systems that are in use in Germany and Austria. This should be quite interesting.

Sean Comeau: What kinds of things are possible when you can spoof tags?

Collin Mulliner: All of these attacks are based on the exploitation of the trust the user has in the RFID/NFC tags (e.g. because the user has used the system for some time and he knows what to expect - if everything looks ok he will believe it is ok).

So now if an attacker can tamper with these tags (there are multiple ways to do this - e.g. by using a sticky tag on top of the original tag or by modifying the original tag) the user can be tricked into doing things that are bad for him.

There are multiple SMS-based services in the field. These can be attacked because we can spoof the phone number so the SMS is sent to another phone number than the user expects (e.g. a premium rate number - other attacks are possible too :-).

Sean Comeau: For non-European readers, what is a premium rate number? Is this like a 1-900 number that bills the caller by the minute?

Collin Mulliner: Yes, something like 1-900 (in Germany it is 0900).

Sean Comeau: There has been widespread abuse of dial-up modems, in the past when they were more common, where malware would make phone calls to toll numbers controlled by the attacker for his financial gain. Can the same attack be mounted by gangs of fraudsters walking about the streets with NFC devices, or do these attacks require some kind of social interaction with the victim?

Collin Mulliner: The victim needs to read a tag (the NFC part of the phone is switched off while the phone is folded). Since the user needs to read a tag by himself, the NFC services are the point of interest for an attacker, since these spots are the only places he has a chance to attack his victim.

To close the knowledge gap: there is a special NFC message that will initiate an SMS as soon as the phone reads the tag (the user has to confirm - therefore we need spoofing in order to get the user to confirm). An SMS send request looks like:

sms:090012345678?body=you got owned

Sean Comeau: What else?

Collin Mulliner: A URL can point to a MIDlet (a Java application for mobile phones). There is a corner case in which the phone just downloads and installs an application and then asks the user to run it. Through this and another feature (app autostart on tag read) we can kind of build a worm.

Sean Comeau: Sounds similar to how PDAs can copy applications between them. Are the warnings adequate to warn users of the danger of accepting an application from an untrusted source or at a time when such an installation is not expected?

Collin Mulliner: There are no warnings! The problem is that if you download the .jar file directly (this is the file that contains the code) you don't get a warning (it is highly possible this is specific to the Nokia 6131 NFC). The user will get a warning if he downloads a .JAD file (app descriptor and installer with the app download URL to the .jar file).

Sean Comeau: Any thoughts on how attackers might utilize phishing tactics?

Collin Mulliner: If you have something like a web-based ticketing system (it looks like Vienna has one - unfortunately it seems to be switched off at the moment) you can do a man in the middle attack and steal the user credentials. This is possible because, again, you can spoof the URL displayed to the user so he will load another URL that plays proxy. I'll actually have a WAP/WML proxy to show.

Sean Comeau: Have you been in contact with any members of the NFC member companies regarding these issues and if so what response have you received?

Collin Mulliner: I have extensive contact with Nokia. They already started fixing the spoofing issues. Nokia seems to care a lot about the issues I reported.

Sean Comeau: Good to hear Nokia is looking out for its customers. Thanks Collin.

Collin Mulliner will be speaking about this and more at EUSecWest.
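A reader-side policy check for the tag content discussed in the interview (the sms: request, the direct .jar download, and the displayed-text-versus-real-target spoofing), written as an added Python example that is not part of the interview nor of Collin Mulliner's tooling. The premium-rate prefixes and the sample tags are assumptions constructed for illustration; the sms: line is the one quoted above.

```python
import re
from urllib.parse import parse_qs

# Assumption: premium-rate prefixes named in the interview (Germany 0900, North America 1-900).
PREMIUM_PREFIXES = ("0900", "1900", "900")
# Anything that looks like a scheme or a phone number in the UI text is a claim about the target.
LOOKS_LIKE_TARGET = re.compile(r"^[a-z][a-z0-9+.-]*:|^\+?\d[\d -]{4,}$", re.I)


def split_uri(uri):
    """Split 'scheme:target?query' without assuming a hierarchical URL (sms: and tel: are not)."""
    scheme, _, rest = uri.partition(":")
    target, _, query = rest.partition("?")
    return scheme.lower(), target, parse_qs(query)


def triage_tag(displayed_text, uri):
    """Return the findings a phone should raise before acting on a tag.

    displayed_text is what the UI shows the user; uri is the target the phone would actually use.
    """
    findings = []
    scheme, target, params = split_uri(uri)
    if scheme == "sms":
        number = re.sub(r"[^\d+]", "", target)
        findings.append(f"tag initiates an SMS to {number}")
        if "body" in params:
            findings.append("SMS body is pre-filled: " + params["body"][0])
        if number.lstrip("+").startswith(PREMIUM_PREFIXES):
            findings.append("destination looks like a premium-rate number")
    elif scheme in ("http", "https"):
        if target.lower().endswith(".jar"):
            findings.append("direct .jar download: MIDlet install without the JAD warning")
    # The spoofing the interview describes: UI text claims one target, the tag carries another.
    shown = (displayed_text or "").strip()
    if LOOKS_LIKE_TARGET.match(shown) and shown.lower() != uri.lower():
        findings.append(f"displayed target {shown!r} differs from real target {uri!r}")
    return findings


# Constructed sample tags for a stand-alone run.
SAMPLE_TAGS = [
    ("Vote now", "sms:090012345678?body=you got owned"),
    ("http://example.com/ticket", "http://example.com/app.jar"),
    ("Timetable", "http://www.example.com/timetable"),
]

if __name__ == "__main__":
    for shown, real in SAMPLE_TAGS:
        print(shown, real, triage_tag(shown, real) or ["no findings"])
```

The same policy is what a reader application can apply before the confirmation prompt, so the user confirms the real number or URL rather than the tag's text.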