It's not limited to NFC (email or website can be used as attack vectors), but the researchers apparently decided to show off the NFC method as it's a relatively new medium for malware (though of course not a very practical one).
> the NFC method as it's a relatively new medium for malware (though of course not a very practical one).
Why not? Ever since I heard of the idea of trying to replace QR codes with passive always-on NFC I've thought that this will be one of the first methods for massive infections of smartphones. Just put one in a public place (public transportation, store, etc.).
I doubt it -- the range of NFC seems to be very bad. Unless the malware can turn up the gain, you have to hold the phones back-to-back within about a centimeter of each other.
Is this true? My understanding is that the range issue of NFC has more to do with the non-powered nature of the NFC chip, thus having very limited broadcasting range. If I had a powered device that broadcasted NFC responses over a much greater range, wouldn't the phone happily accept this as an NFC chip response?
It's just a feature of this particular hack that it was two phones. The real-world manifestation would probably be an NFC skimmer, like ATM skimmers [1]. Slam the virus in, then proxy the original request (or vice versa, depends on the timing), use the network on the phone to connect to the malware hub control, owned phone.
Note you only have to slam a shim in; the shim can then download an arbitrary payload.
The vector is the same as for QR codes: paste a different tag over top of a legitimate tag that takes the user to a URI with a browser or other application exploit. Or a physical-world version of phishing. Again, it is the application that is the root of the vulnerability. NFC would be no worse than a QR code or even a malicious URL printed in plain English on a poster.
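The comment above makes the defensive point that the tag is just a delivery channel for a URI, so the application that receives it has to treat it as untrusted input. The following is an added example, not code from the original thread or from any vendor: it decodes a short-record NDEF well-known URI record (the NFC Forum URI RTD, with a partial identifier-code prefix table) and then applies a conservative handling policy instead of opening whatever the tag says. The allowlisted hosts and the `build_uri_record` helper used to construct sample tags are assumptions for illustration.

```python
from urllib.parse import urlparse

# Partial identifier-code table from the NFC Forum URI Record Type Definition.
# Code 0x00 means "no prefix, the payload is the full URI".
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

# Policy knobs (assumed values): only these get opened without a prompt.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def parse_ndef_uri(message: bytes) -> str:
    """Decode the first record of a short-record NDEF message and return its URI.

    Every length field is checked against the buffer before it is used, because
    a tag pasted over a legitimate one is attacker-controlled bytes.
    """
    if len(message) < 3:
        raise ValueError("truncated NDEF header")
    flags = message[0]
    tnf = flags & 0x07            # Type Name Format, 0x01 = NFC Forum well-known
    short_record = bool(flags & 0x10)
    has_id = bool(flags & 0x08)
    if not short_record:
        raise ValueError("only short records (SR=1) are handled here")
    type_len = message[1]
    payload_len = message[2]
    pos = 3
    id_len = 0
    if has_id:
        if len(message) <= pos:
            raise ValueError("truncated ID length")
        id_len = message[pos]
        pos += 1
    rec_type = message[pos:pos + type_len]
    if len(rec_type) != type_len:
        raise ValueError("type field exceeds message")
    pos += type_len + id_len
    payload = message[pos:pos + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload length exceeds message")
    if tnf != 0x01 or rec_type != b"U":
        raise ValueError("not a well-known URI record")
    if not payload:
        raise ValueError("empty URI payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError(f"unknown URI identifier code {payload[0]:#04x}")
    return prefix + payload[1:].decode("utf-8")


def classify_uri(uri: str) -> str:
    """Return 'auto-open', 'prompt' or 'block' for a tag-supplied URI.

    Schemes that hand control to other app components are blocked outright;
    everything that is not on the allowlist gets a user prompt.
    """
    parts = urlparse(uri)
    scheme = parts.scheme.lower()
    if scheme in ("intent", "javascript", "file", "content"):
        return "block"
    if scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS:
        return "auto-open"
    return "prompt"


def build_uri_record(identifier_code: int, rest: str) -> bytes:
    """Constructed sample tag: one short record, MB|ME|SR set, TNF=1, type 'U'."""
    payload = bytes([identifier_code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


def handle_tag(message: bytes) -> str:
    """End-to-end: decode the record and decide how the app should react."""
    try:
        uri = parse_ndef_uri(message)
    except (ValueError, UnicodeDecodeError):
        return "block"
    return classify_uri(uri)


if __name__ == "__main__":
    # Constructed sample tags, not captured from any real deployment.
    for tag in (
        build_uri_record(0x04, "example.com/pay"),
        build_uri_record(0x03, "untrusted.example/promo"),
        build_uri_record(0x00, "intent://scan/#Intent;end"),
        b"\xd1\x01\x40U\x04short",   # payload length lies about the buffer
    ):
        print(tag.hex(), "->", handle_tag(tag))
```

The decision the policy encodes is the one the thread keeps coming back to: whether the bytes arrived by NFC, QR code or a printed URL changes nothing about how much the handler should trust them.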
The only unique theoretical option would be to hack a very high-powered antenna and transmitter to try and pick up or blast out RFID-compatible signals to/from the very weak NFC radios of handsets from further away.
People have been hacking ATMs for years by installing gear on those ATMs. With NFC, such skimming might be much easier, as the gear you need to install can be _tiny_, and you only need to be in the vicinity of the target, making it easier to camouflage.
And attacks don't need to come from COTS phones; with your own higher-gain NFC device, you can interact with ordinary NFC devices from greater distances.
Not only is it low-range (~2" in my experience), at least in Android the phone has to be on+unlocked before NFC is on. The only realistic route for this attack is a compromised NFC device (such as a payment terminal) that your victim would be using anyway. For that sort of effort, compromising a Wi-Fi hotspot would likely be more effective in terms of reach.
The magnetic strip and chip duplication technology in gas stations and convenience stores is already a point of frustration for insurers, financial services and consumers. Exploiting NFC, which is intended to be a generally-accepted payment method in the near future, does not give me the warm-and-fuzzies.
It looks to me like the same vector Charlie Miller showed off a couple of months ago. The NFC Forum responded at the time along the lines of "It's not an NFC thing," and said his demonstration "underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences."
With a Galaxy Nexus it takes 1-3 seconds for the NFC interface to ping another source, receive/process a tag, and then "ding" to confirm NFC contact.
The implication is that this isn't really related to NFC. They're hitting a vulnerability in some content handler or another (thus the "also be abused via [...] malicious websites or email attachments" bit). So this has to be fixed regardless. It's not really a problem with NFC per se.
The use of NFC for the demo was showmanship, basically. It gets them attention, and also serves to point out that a comparatively-little-known feature of the phone can be an attack vector too.
- Android 4.1+ (JB and above) include full ASLR which will mitigate this vulnerability somewhat
- From my own Android experience, the screen must be active for the NFC receiver to be active. This means the phone can't be exploited while it sits in your pocket.