6

Mobile phones are, increasingly, starting to support NFC. NFC can be used for a rich set of applications (including mobile payments, identity, and file sharing).

What are the primary security risks associated with NFC? Are there any research papers, white papers, or other technical resources available that analyze the security risks of NFC? Are there any good technical resources on securing NFC-enabled applications?

Iszi
D.W.
  • Related: [How secure is NFC on mobile devices?](http://security.stackexchange.com/questions/19302/how-secure-is-nfc-on-mobile-devices) and [What are the vulnerabilities of using NFC on my SGS3?](http://security.stackexchange.com/questions/17551/what-are-the-vulnerabilities-of-using-nfc-on-my-samsung-sgs3) – Polynomial Sep 22 '12 at 09:23
  • I have to downvote this question because of the lack of research the author did on this subject. There are tons of articles on real-world exploits against NFC, and even a very similar technology called `Chip and Pin` (aka EMV, a global standard for inter-operation of integrated circuit cards) used by banks in Europe. In other words, the risks involved with using NFC and `Chip and Pin` have been discussed in great detail. – Ramhound Sep 24 '12 at 12:57
  • Also see this question -- http://security.stackexchange.com/q/66590/140 – atdre May 20 '15 at 17:11

1 Answer

7

You can check this paper: http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf

It's from a talk given by Charlie Miller at BlackHat 2012:

> Near Field Communication (NFC) has been used in mobile devices in some countries for a while and is now emerging on devices in use in the United States. This technology allows NFC enabled devices to communicate with each other within close range, typically a few centimeters. It is being rolled out as a way to make payments, by using the mobile device to communicate credit card information to an NFC enabled terminal. It is a new, cool, technology. But as with the introduction of any new technology, the question must be asked what kind of impact the inclusion of this new functionality has on the attack surface of mobile devices. In this paper, we explore this question by introducing NFC and its associated protocols.
>
> Next we describe how to fuzz the NFC protocol stack for two devices as well as our results. Then we see for these devices what software is built on top of the NFC stack. It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can make some phones parse images, videos, contacts, office documents, even open up web pages in the browser, all without user interaction. In some cases, it is even possible to completely take over control of the phone via NFC, including stealing photos, contacts, even sending text messages and making phone calls. So next time you present your phone to pay for your cab, be aware you might have just gotten owned.

There are tons of links at the end.

null
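An added example, not part of the answer above or of Miller's paper: the abstract's point is that NDEF content read over NFC reaches parsers and handlers with no user interaction, so a receiving application should validate every declared length and decide by policy which record types may be handled silently. The sketch below follows the NFC Forum NDEF record layout; the names `parse_ndef`, `needs_confirmation`, `MAX_PAYLOAD`, the sample bytes and the policy itself are assumptions made for illustration.

```python
import struct

# NDEF record header flag bits (NFC Forum NDEF record layout)
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
MAX_PAYLOAD = 4096  # assumed policy limit, not a value from the page
# Constructed samples: a valid short URI record, and one whose length field lies.
SAMPLE_URI = bytes([0xD1, 0x01, 0x0C, 0x55, 0x01]) + b"example.com"
SAMPLE_BAD = bytes([0xD1, 0x01, 0xFF, 0x55, 0x01]) + b"abc"

class NdefError(ValueError):
    """Raised for any NDEF message that fails validation."""

def parse_ndef(buf, max_payload=MAX_PAYLOAD):
    """Return [(tnf, type, payload), ...] or raise NdefError on malformed input."""
    records, pos = [], 0
    while pos < len(buf):
        hdr = buf[pos]
        pos += 1
        # Refuse chunked records; MB must be set on the first record only.
        if hdr & CF or (pos == 1) != bool(hdr & MB):
            raise NdefError("unsupported or misplaced header flags")
        # Fixed fields: type length, payload length (1 or 4 bytes), optional ID length.
        fixed = 1 + (1 if hdr & SR else 4) + (1 if hdr & IL else 0)
        if pos + fixed > len(buf):
            raise NdefError("truncated record header")
        type_len = buf[pos]
        if hdr & SR:
            payload_len = buf[pos + 1]
        else:
            payload_len = struct.unpack_from(">I", buf, pos + 1)[0]
        id_len = buf[pos + fixed - 1] if hdr & IL else 0
        pos += fixed
        if payload_len > max_payload:
            raise NdefError("payload larger than policy limit")
        end = pos + type_len + id_len + payload_len
        if end > len(buf):
            raise NdefError("declared lengths exceed received data")
        rtype = bytes(buf[pos:pos + type_len])
        payload = bytes(buf[pos + type_len + id_len:end])
        records.append((hdr & 0x07, rtype, payload))
        pos = end
        if hdr & ME:
            if pos != len(buf):
                raise NdefError("trailing bytes after final record")
            return records
    raise NdefError("message has no ME record")

def needs_confirmation(record):
    """Assumed policy: only well-known Text records are handled without a prompt."""
    tnf, rtype, _ = record
    return not (tnf == 0x01 and rtype == b"T")
```

Anything that would launch a browser, a media viewer or a document handler is routed through a user prompt, which removes the no-interaction property the abstract describes.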