While the rest of the world is touting “near field communications” as a way of ending the need for a wallet, it appears that hackers might be rubbing their hands with joy.
At the Black Hat security conference, Apple and Android hacker Charlie Miller showed a method that a virtual pickpocket might nick cash or any data they like from your phone using the near-field communications function.
According to the New York Times, Miller said that all you need to take complete control of Android and Nokia phones is simply by bringing another device or just a chip within a few inches of the target gadget.
Miller works for security firm Accuvant and gets funds from the Pentagon’s research arm, the Defense Advanced Research Projects Agency (DARPA_.
He has worked out that all you need to do is flash an (NFC) tag containing a chip next to an Android Nexus S phone and you can load a malicious url in the phone’s browser through a feature that Google calls Android Beam.
From there you can hit another vulnerability in the phone’s browser to take complete control of the device through the rigged website.
Then it is a simple matter to nick any information stored on the phones SD card. If you like you could install software to monitor its communications or movements.
It is just a matter of brushing up against someone in a crowded room.
Miller said that Android Beam was designed so that you can share a game you’re playing or a web page or something on Maps. But it is a huge security hole.
The browser vulnerability that Miller used has been fixed in Android’s version 4.01 but many people have not updated. Indeed, 90 percent of Android users have not even upgraded to the latest version of the operating system.
Miller was rather busy. He also used the Nokia N9′s NFC content sharing feature to send it a maliciously-crafted Word document that takes advantage of vulnerabilities in the phone’s word processor to take control of the device.
All up, not a good day to put your trust in mobile devices.