Attacking NFC Mobile Phones at EUSecWest

Posted by Amit | Security | Tuesday 10 June 2008 7:15 am

Near Field Communications is the RFID-based standard being built into mobile phones to allow them greater interaction with the physical world. NFC-enabled handsets can be used to pay for bus or train journeys, replacing existing contact less cards. They can read tags embedded in (Smart) posters that trigger a URL to be loaded or a phone number to be called.

At the recently concluded EUSecWest Conference in London Collin Mulliner demonstrated two most interesting hacks which involved replacing the NFC tag on a vending machine, and spoofing a URI in a Smart Poster to connect the user to somewhere other than they wished.

Sean Comeau conducted this interview with Collin Mulliner. The complete interview is available on this link. I am copying few interesting questions here.

Sean Comeau: What new threats exist against NFC services and phones?

Collin Mulliner: I’ve basically analyzed THE NFC phone available in Europe (the Nokia 6131 NFC) and found that it allows spoofing of RFID tag content. This is quite interesting since some of the European systems exactly use the part that is spoofable. I’ve also done some fuzzing on the Nokia 6131 NFC and found some smaller bugs.

I’ve also conducted a small survey of NFC systems that are in use in Germany and Austria. This should be quite interesting.

Sean Comeau: What kinds of things are possible when you can spoof tags?

Collin Mulliner: All of these attacks are based on the exploitation of the trust the user has in the RFID/NFC tags (e.g. because the user has used the system for some time and he know what to expect – if everything looks ok he will believe it is ok).

So now if an attack can tamper with these tags (there are multiple ways to do this – e.g. through using a sticky tag on top of the original tag or by modifying the original tag) the user can be tricked into doing things that are bad for him.

There are multiple SMS-based services in the field. These can be attacked because we can spoof the phone number so the SMS is send to a other phone number then the user expects (e.g. premium rate number – other attacks are possible too :-).

….

Sean Comeau: Have you been in contact with any members of the NFC member companies regarding these issues and if so what response have you received?

Collin Mulliner: I have extensive contact with Nokia. They already started fixing the spoofing issues. Nokia seems to care a lot about the issues I reported.

Our fellow CRYPTOcrat, Jan Brands, an expert in NFC security has generously provided few comments for this blog. Please find these comments in the “Comments” section below. Jan also sent us the link to the complete presentation about the experiment performed by Mulliner. It seems the experiment much more than the details given in the interview. You can download the presentation from this link.

1 Comment

Please note the views expressed in the comments below are that of the commenter and the owners of this website may not agree with the views expressed.

  1. Comment by CRYPTOcrat — June 10, 2008 @ 7:54 am

    Mulliner obviously attacked the weakest link(s) in the system: the way users establish trust in NFC tags. The attack is almost a kind of social engineering or more accurately: a kind of phishing. The attack makes people load a URL that they think to know is trusted, but in fact isn’t. (And from there on, all bets are off, of course.) Replacing the way users establish trust in tags (out of habit, past experience) by something based on cryptography is not easy. As with phishing, the problem is not easy to solve. Simple putting a digital
    signature on the content is not going to work. Who’s going to be responsible for these signatures in such a way all phones can verify them?
    Mulliner also talks about how the phone handles the content of a tag and how the phone interacts with the user. This is specific for one particular phone and apparently Nokia has been contacted and is improving the phone’s behavior. I fear that all in all this means that user security (as opposed to system security) in actual NFC devices and applications is something that still has some way to go.
    Jan Brands

    Jan is a specialist in the areas such as Security: public-key cryptography, protocols, privacy, smart cards, virtualization and particularly in NFC. He is currently serving as a security architect at one of the leading suppliers of NFC chips

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.