<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Attacking NFC Mobile Phones at EUSecWest</title>
	<atom:link href="http://cryptocrats.com/2008/06/10/attacking-nfc-mobile-phones-at-eusecwest/feed/" rel="self" type="application/rss+xml" />
	<link>http://cryptocrats.com/2008/06/10/attacking-nfc-mobile-phones-at-eusecwest/</link>
	<description>Administrator</description>
	<pubDate>Wed, 07 Jan 2009 02:04:28 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: CRYPTOcrat</title>
		<link>http://cryptocrats.com/2008/06/10/attacking-nfc-mobile-phones-at-eusecwest/#comment-49</link>
		<dc:creator>CRYPTOcrat</dc:creator>
		<pubDate>Tue, 10 Jun 2008 02:24:48 +0000</pubDate>
		<guid isPermaLink="false">http://cryptocrats.com/2008/06/10/attacking-nfc-mobile-phones-at-eusecwest/#comment-49</guid>
		<description>Mulliner obviously attacked the weakest link(s) in the system: the way users establish trust in NFC tags. The attack is almost a kind of social engineering or more accurately: a kind of phishing. The attack makes people load a URL that they think is trusted, but in fact isn't. (And from there on, all bets are off, of course.) Replacing the way users establish trust in tags (out of habit, past experience) by something based on cryptography is not easy. As with phishing, the problem is not easy to solve. Simply putting a digital signature on the content is not going to work. Who's going to be responsible for these signatures in such a way that all phones can verify them?
Mulliner also talks about how the phone handles the content of a tag and how the phone interacts with the user. This is specific to one particular phone and apparently Nokia has been contacted and is improving the phone's behavior. I fear that all in all this means that user security (as opposed to system security) in actual NFC devices and applications is something that still has some way to go.
Jan Brands
--
Jan is a specialist in areas such as security: public-key cryptography, protocols, privacy, smart cards, virtualization and particularly in NFC. He is currently serving as a security architect at one of the leading suppliers of NFC chips.</description>
		<content:encoded><![CDATA[<p>Mulliner obviously attacked the weakest link(s) in the system: the way users establish trust in NFC tags. The attack is almost a kind of social engineering or more accurately: a kind of phishing. The attack makes people load a URL that they think is trusted, but in fact isn&#8217;t. (And from there on, all bets are off, of course.) Replacing the way users establish trust in tags (out of habit, past experience) by something based on cryptography is not easy. As with phishing, the problem is not easy to solve. Simply putting a digital signature on the content is not going to work. Who&#8217;s going to be responsible for these signatures in such a way that all phones can verify them?<br />
Mulliner also talks about how the phone handles the content of a tag and how the phone interacts with the user. This is specific to one particular phone and apparently Nokia has been contacted and is improving the phone&#8217;s behavior. I fear that all in all this means that user security (as opposed to system security) in actual NFC devices and applications is something that still has some way to go.<br />
Jan Brands<br />
&#8211;<br />
Jan is a specialist in areas such as security: public-key cryptography, protocols, privacy, smart cards, virtualization and particularly in NFC. He is currently serving as a security architect at one of the leading suppliers of NFC chips.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
