LAS VEGAS -- Charlie Miller has an intellectual curiosity that leads him away from ho-hum browser bugs and other run-of-the-mill hacks. That curiosity has led to several "firsts" on his resume: first to hack the iPhone and first to hack a G1 Android device. And Wednesday he added another item to that list: the first exploit of Near Field Communications (NFC) to pwn a mobile device.
The bigger story is that in a couple of years, if every phone has [Near Field Communications], then it's going to be a bigger issue.
Miller culminated nine months of research into NFC security issues this week at the 2012 Black Hat Briefings conference with a presentation explaining how he was able to exploit NFC to compromise two Android-based Nokia N9 and Nexus S Samsung smartphones.
"I always think I'm going to break it, but sometimes that doesn't work out," Miller said. "I always think there will be problems, especially with a new technology."
NFC readers and tags enable smartphones within centimeters of each other to exchange data or conduct transactions. Miller's work, however, wasn't about stealing data such as payment information, but instead focused on gaining full control over another phone via NFC. His goal was to show how an attacker could, for example, force the pwned phone to launch a browser and navigate to a malicious website.
"This is all about the attack surface the phone introduces," Miller said. "NFC strictly reads 100 bytes-per-second. It's totally possible to write code that securely parses 100 bytes. It's well within our engineering abilities as a group. But I was surprised to know it opened up this huge other attack surface, like opening browsers or parse documents or images. It was like this little beachhead into the code of the phone. I think that is interesting; I like to run code on other people's devices."
Miller initially believed he would find enough security vulnerabilities to work with on the lower levels of the NFC code stack, but he struck gold with the higher-level protocol layers. It's there where initialization and activation take place; where command sets -- such as read and write -- are located; where files and data are found, and the area where peer-to-peer exchanges take place.
Miller spent six of the nine months on the project writing a fuzzer that would look for bugs in the code that would cause crashes and other potential security problems.
More from Black Hat 2012
For all the news, analysis, commentary and video interviews from Las Vegas, visit SearchSecurity.com's Black Hat 2012 special coverage page.
The end result was a variety of exploits on both the Nokia and Samsung versions of Android phones, as well as the MeeGo open source mobile operating system. Some of the more dangerous NFC hacks included an attack crafted by Miller and Josh Drake of consultancy Accuvant Inc. and Georg Wicherski of incident response startup CrowdStrike Inc. that opened a command shell just by bringing the phones within proximity of one another.
Also, Miller said, holes in Nokia Content Sharing and Android Beam enable a variety of illicit content sharing between devices, including productivity applications, images and browser pages. Another attack could turn Bluetooth on and off surreptitiously, even if a target device has Bluetooth turned off.
With rumblings that the next versions of Apple Inc.'s iPhone and Microsoft's Windows 8 mobile operating system will include NFC, Miller's work may prove especially timely. He has shared his paper with Google Inc. and Nokia, which he said acknowledged they'd received it, but no mention of a fix was imminent.
"The bigger story is that in a couple of years, if every phone has it, then it's going to be a bigger issue," Miller said. "The risk is pretty small right now. It's a critical mass thing. If I could pay everywhere with NFC, I would want the phone, but at least where I live, there's no way I can pay with NFC, so why would I want it?"