More Good Than Harm To Come Out Of Exposed NFC Hack
If you’ve been following the Black Hat conference going on in Las Vegas, you may have heard about how NFC can be used to execute malicious code on an Android device. While the hack, demonstrated by security researcher Charlie Miller, does expose an issue with the way Android handles NFC commands, it’s likely to result in more good than actual harm.
First off, the security issue lies in Android allowing NFC to launch the web browser automatically, which lets malicious code be delivered via web-based exploits. So instead of the traditional “link in an email,” all a hacker needs to do is program an NFC tag to send a user to said link automatically.
“Instead of the attack surface being the NFC stack, the attack surface really is the whole web browser and everything a web browser can do. I can reach that through NFC,” Miller told Ars Technica.
What actual harm can come of this? Not much, considering known Android browser exploits are only apparent in older versions of Android. For instance, Miller demonstrates the security exploit using a Samsung Nexus S running Gingerbread. Nexus S users should have long since updated to Jelly Bean (or Ice Cream Sandwich at a minimum), in which those exploits have been patched.
Aside from Android 2.3 (which no NFC-enabled phones run), the only other possible version of Android susceptible to such an attack would be Android 4.0.1, which most ICS devices have already been updated from. Not to mention the fact that the hacker would have to literally touch your device to send the malicious link. Is it possible? Sure, anything’s possible, but I rate this one as highly improbable.
Now for the good news. This has exposed a basic flaw in the way Android allows NFC to launch web sites automatically. We should have a check system that notifies us when an outside source wishes to launch a web site or task. Now Google can implement such a system, which would then give us the option of allowing said outside source to proceed. Something we should have had in the first place.
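The check system described above can be modelled outside Android. This added example (not code from Android, Google or Miller's demonstration) decodes a short NDEF URI record and opens nothing unless a confirmation callback approves the decoded URL; the function names, the callback and the sample tag bytes are assumptions constructed for illustration.

```python
# Added example: models a confirm-before-launch gate; not Android source code.
# NFC Forum URI record prefix codes (subset).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def parse_uri_record(record: bytes) -> str:
    """Decode one short NDEF record of well-known type 'U' into a URI."""
    if len(record) < 3:
        raise ValueError("record too short")
    header, type_len, payload_len = record[0], record[1], record[2]
    if not header & 0x10:
        raise ValueError("only short records (SR=1) are handled")
    if header & 0x08:
        raise ValueError("records with an ID field are not handled")
    if header & 0x07 != 0x01:
        raise ValueError("not a well-known-type record")
    rtype = record[3:3 + type_len]
    payload = record[3 + type_len:3 + type_len + payload_len]
    if rtype != b"U" or payload_len < 1 or len(payload) != payload_len:
        raise ValueError("not a complete URI record")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI prefix code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def handle_tag(record: bytes, confirm) -> str:
    """Return the action taken for a scanned tag.

    `confirm` is a hypothetical callback that shows the full URL to the
    user and returns True only if they choose to proceed.
    """
    try:
        uri = parse_uri_record(record)
    except ValueError:  # also covers UnicodeDecodeError
        return "ignored"
    # Control characters could distort the URL shown in the prompt.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        return "ignored"
    return "launch:" + uri if confirm(uri) else "blocked"

# Constructed sample: header 0xD1 (MB|ME|SR, TNF=1), type 'U',
# 12-byte payload = prefix code 0x03 ("http://") + "example.com".
SAMPLE_TAG = bytes([0xD1, 0x01, 0x0C, 0x55, 0x03]) + b"example.com"

if __name__ == "__main__":
    print(handle_tag(SAMPLE_TAG, lambda uri: False))  # user declines
```
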
So, as I’ve already stated, this latest security exploit is actually a positive thing and will result in more good than harm for Android users. Now we’ll just have to wait and see what’s next in the realm of security exploits for Android and hope those too result in updates that will simply improve our amazing Android operating system.
I feel safe using Android, how about you?