-
After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.
Security Research - Hacking NFC
- Thread starter XplosiV
- Start date
9to5cynic
Android Expert
Yeah, NFC isn't really secure. A couple of years back in one of my security classes I looked into the NFC's being used by a library. In that article, the author's 'friend' bought a writer/reader for NFC for like, <$50... this means that he could change the value of the books that they checked out..
{ so lending The Great Gatsby would be registered as lending A Moveable Feast }
... He was also able to disable write mode... so the tag would become useless after he meddled with it. Obviously, the implications are a lot worse for people using things like Google Wallet or pay pass (whatever that service is called).
Interesting none the less.
Now as far as this is concerned, I like. It's always nice from an attack perspective to find a very niche audience. Really, it's almost exclusively Android devices that this could happen.... right now. Apple's iPhone has no NFC (that I'm aware of) and I've never seen a Meego IRL....
It reminds me a lot of the QR code attack from a few months ago (google curiosity pwned the cat if interested)....
It's nice because this is how NFC works. This is what it is supposed to do. Like in the G3 demo video that Sprint stores play - it shows someone NFC'ing a facebook 'like'. This one is just a website. Perfect. The attack vector is very concise. You likely won't be having IE hit any NFC transferred sites.
It's really a cool attack. I can't wait to hear all the cool stuff the Defcon folks came up with!
infosec is fun.
{ so lending The Great Gatsby would be registered as lending A Moveable Feast }
... He was also able to disable write mode... so the tag would become useless after he meddled with it. Obviously, the implications are a lot worse for people using things like Google Wallet or pay pass (whatever that service is called).
Interesting none the less.
Now as far as this is concerned, I like. It's always nice from an attack perspective to find a very niche audience. Really, it's almost exclusively Android devices that this could happen.... right now. Apple's iPhone has no NFC (that I'm aware of) and I've never seen a Meego IRL....
It reminds me a lot of the QR code attack from a few months ago (google curiosity pwned the cat if interested)....
It's nice because this is how NFC works. This is what it is supposed to do. Like in the G3 demo video that Sprint stores play - it shows someone NFC'ing a facebook 'like'. This one is just a website. Perfect. The attack vector is very concise. You likely won't be having IE hit any NFC transferred sites.
It's really a cool attack. I can't wait to hear all the cool stuff the Defcon folks came up with!
infosec is fun.
breadnatty08
pain rustique
Interesting stuff 9-5. 
I'm still not hip to the Google Wallet stuff yet even though I have two devices capable of it. And, Beam is just such a novelty. If I could use my phone in place of my apartment key and card for the bus/metro, hell yeah I would. But, I think with security (esp. in a city like DC) it may be a far way off.
I'm still not hip to the Google Wallet stuff yet even though I have two devices capable of it. And, Beam is just such a novelty. If I could use my phone in place of my apartment key and card for the bus/metro, hell yeah I would. But, I think with security (esp. in a city like DC) it may be a far way off.
9to5cynic
Android Expert
Yeah, my phone does the NFC / beam stuff too, to me though it's just a gimmick. I'm not gonna use it with a credit card... not really my style. 
Also, using it for metro passes and a door lock would be cool. Or if it could replace security badges for any number of things... I'm sure they are all using the same technology [assumption]. Though, it would make smartphones an even greater thing for crooks to be after. It would not only contain personal info, but possibly your credit cards and the key to your home ... o__0
All that being said, I still like the tech.
Also, using it for metro passes and a door lock would be cool. Or if it could replace security badges for any number of things... I'm sure they are all using the same technology [assumption]. Though, it would make smartphones an even greater thing for crooks to be after. It would not only contain personal info, but possibly your credit cards and the key to your home ... o__0
All that being said, I still like the tech.