Nowadays we are defined by our phones. When you buy a smartphone, you automatically become a convert, defending the benefits of your particular brand over others. Some users become part of the Apple faithful, flocking to their exclusive stores to buy designer iPhones. Others are Google fanatics, with alerts set in their Nexus 5 to warn of the imminent arrival of Nexus 6. Compulsive Amazon shoppers click away on their Fire Phone cart, while traditionalists continue to trust in the numerous and much-lauded features of Samsung Galaxy.
Unless you are one of those who has joined the retro phone trend and have renounced WhatsApp forever, we are sorry to inform you that your smartphone -whatever the make- has a security flaw. Specifically, in the use of NFC (‘Near Field Communication’), a wireless communications system that lets you transfer data at high frequency over short distances, at a range of 10 centimeters. In fact, NFC is a subset of RFID (Radio-frequency identification) systems that have been used for years now to identify pets (microchips). So if dogs can be recognized through this system, why not phones?
In smartphones, NFC allows data to be exchanged between devices, although a more interesting use for this technology is that it allows our phones to be used as credit cards.
You can already use your NFC to pay for things thanks to Google and its PassWallet app. Apple, not wanting to be left behind, has introduced the Apple Pay system with iPhone 6. And now banks are getting on the mobile payment technology bandwagon. In the future, we will even be able to use phones as subway tickets or door keys. NFC offers the potential for all-in-one devices with myriad uses.
If you weren’t previously aware of this technology, then you must be marveling at the thought of not having to rummage around drawers looking for your wallet or keys. Well, it’s true, but don’t get too excited. Even though the system operates over very short distances, it still has security flaws. In the recent Pw20wn Mobile 2014 competition in Tokyo, where there was a reward of US$150,000 (€120,000) for the sharpest hackers on the planet, security flaws were detected in the NFC systems of many top-of-the-range phones.
Two separate groups of experts demonstrated during the competition different ways of compromising the NFC technology on Samsung Galaxy S5. These hackers are two-nil up on one of the most prestigious smartphones on the market.
Even the all-powerful Google has been unable to keep its precious Nexus 5 free from security problems. In the Pw20wn Mobile 2014 competition, a third NFC attack forced the pairing of devices thanks to a combination of two malicious programs.
And it’s not the first time that an NFC security hole has been uncovered in Google’s device. Charlie Miller, an ‘ethical hacker’, was able to communicate with a Nexus S through a chip placed near the device, as he demonstrated at Black Hat 2012 in Las Vegas. After this he forced the phone to enter a malicious website, from where he took complete control of the phone by exploiting the NFC vulnerability. The Nokia N9 was also subject to the same attack on this occasion.
Although there can be no doubt that the detection of these flaws improves the security of our smartphones, perhaps for the moment at least we all feel a little safer keeping our money and the keys to our houses in our pockets, handbags or under a pile of papers on our desks. Even the sharpest hacker would find it difficult to exploit a security hole there.
Nevertheless, your NFC could still be useful for many things. And no doubt it will gradually become more secure. For the moment, fans of Nexus 6 are looking forward to getting their hands on it, and plans are afoot to unlock the phone automatically with the help of an NFC ring on the user’s finger. Could the phone’s PIN also be hacked? Let’s see.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
