Mobile Payment Chips Could Let Hackers into Your Phone

Near-field communication chips may let smartphones replace cash and credit cards—but they could also offer opportunities to hackers.
July 26, 2012

In a packed room at the Black Hat computer security conference in Las Vegas yesterday, an Android smartphone was tapped with a white plastic card, and within seconds it was running malicious code that allowed an attacker to remotely access the device.

The demonstration was given by high-profile hacker Charlie Miller, who was the first person to demonstrate a way to seize control of the iPhone, in 2007, and who has demonstrated many novel attacks on Apple devices since. He outlined a number of reasons why the contactless near-field communication, or NFC, chips appearing in smartphones will bring new security worries as well as convenient new features—a talk that was the result of nine months of research. “There’s going to be a lot of phones coming out with this technology, and so it would be nice to know if there’s any security problems in it,” said Miller.

A smartphone with an NFC chip can be used to pay for items when tapped on a reader (see “A New Kind of Smartphone Connection”). The device uses weak radio waves to communicate either with another NFC device in close range or with passive tags such as those used by some mass transit payment cards.

Google is positioning NFC as a major feature of its Android operating system, in support of its Google Wallet payments service (see “Google Wallet: Who’ll Buy In?”). Several Android phones with NFC are already available; Nokia has released some models and has plans for more; and Apple is rumored to be adding NFC to future iPhones.

Miller believes the influx of NFC devices could bring problems. “NFC is cool [for hackers] because you don’t need to have the user do anything,” said Miller. In contrast, in order to compromise a computer or non-NFC phone, criminals typically have to trick users into doing something out of the ordinary, such as opening a Web page or e-mail attachment they shouldn’t.

Miller’s Android NFC hack was made possible by a feature called Android Beam, which allows phones with NFC chips to exchange photos and other data. An NFC-equipped phone can send a URL to another when the two are tapped together, and the receiving device will open the page without offering the user a chance to decline. Miller created a passive NFC tag that mimicked a phone using Android Beam to send a Web address, and made use of a bug in Google’s browser previously discovered by researchers at security startup CrowdStrike to gain control (see “How a Web Link Can Take Control of Your Phone”).

NFC interactions typically require being within four centimeters of a phone, says Miller, so using such attacks against a person in the street would be difficult. “A more realistic attack is replacing an NFC reader [for accepting payments], in a cab or somewhere else, with a malicious one,” he said. Passive NFC tags are increasingly being used in posters and other marketing materials and could be used for such attacks, too.

Miller also presented evidence that sending a corrupt NFC signal to a contactless phone could cause it to access and run malicious code. He probed for weaknesses in Nokia and Google’s NFC software by sending tens of thousands of slightly modified signals to see if any would cause problems. Miller said that he has found several promising bugs that could allow the execution of code to steal data or take control of a device.
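As an added illustration of the defensive side of both issues above (a tag-delivered URL opening without consent, and malformed NFC data reaching parsing code), the sketch below strictly parses a single short NDEF URI record and never opens the link on its own. It is not code from the article or from Miller's research; the function names, the "ask_user" policy, the restricted prefix table and the sample bytes are assumptions constructed for this example.

```python
# Added example: strict handling of one short NDEF URI record from an NFC tag.
# Only a subset of the NDEF URI abbreviation codes is accepted (a choice of this sketch).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

# Constructed sample: one well-known "U" record carrying http://www.example.com
SAMPLE = bytes.fromhex("d1010c55016578616d706c652e636f6d")


class MalformedNdef(ValueError):
    """Raised for any record that is not exactly what we expect."""


def parse_uri_record(msg: bytes) -> str:
    if len(msg) < 3:
        raise MalformedNdef("truncated header")
    flags, type_len, payload_len = msg[0], msg[1], msg[2]
    begin, end_flag, chunked = flags & 0x80, flags & 0x40, flags & 0x20
    short, has_id, tnf = flags & 0x10, flags & 0x08, flags & 0x07
    if not (begin and end_flag) or chunked:
        raise MalformedNdef("expected exactly one unchunked record")
    if not short:
        raise MalformedNdef("long records are not accepted")
    offset, id_len = 3, 0
    if has_id:
        if len(msg) < 4:
            raise MalformedNdef("truncated ID length")
        id_len, offset = msg[3], 4
    end = offset + type_len + id_len + payload_len
    if end != len(msg):  # reject both truncated and padded messages
        raise MalformedNdef("declared lengths do not match data")
    rtype = msg[offset:offset + type_len]
    payload = msg[offset + type_len + id_len:end]
    if tnf != 0x01 or rtype != b"U":
        raise MalformedNdef("not a well-known URI record")
    if not payload or payload[0] not in URI_PREFIXES:
        raise MalformedNdef("unsupported URI prefix code")
    try:
        rest = payload[1:].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MalformedNdef("URI is not valid UTF-8") from exc
    return URI_PREFIXES[payload[0]] + rest


def handle_tag(msg: bytes) -> dict:
    """Policy: drop malformed data; never open a URI without asking the user."""
    try:
        uri = parse_uri_record(msg)
    except MalformedNdef as exc:
        return {"action": "drop", "reason": str(exc)}
    return {"action": "ask_user", "uri": uri}
```
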
