Don’t Stand So Close To Me
NFC [ Near Field Communication ] is a clever outgrowth of RFID. This group of short-range wireless communication standards will enable all kinds of conveniences previously unattainable with our so-called mobile devices. Mostly phones, but eventually practically any unwired NFC-capable device will be able to communicate with other NFC-capable devices, giving consumers a wide range of features for commerce, information exchange and ad-hoc authentication. Unfortunately, NFC continues the trend where security came in as an afterthought rather than as a primary design focus. Perhaps it’s not fair to place the security burden on NFC; after all, it’s merely a low-level transport mechanism. What’s the worst that could happen?
As it turns out, as if there weren’t enough vectors of attack already — SMTP, the web, SMS — we now must add NFC as the latest avenue of entry for those with malicious intent. More importantly, NFC is not simply a conduit: it is smart and may carry a configuration or configuration-change payload [ for example, NFC may be leveraged to set up Bluetooth or modify WiFi ]. Couple that with the usual carelessness of software developers, the lack of familiarity that comes with anything new, and a general unawareness because people simply do not consider security over ease of use… and NFC may become a far scarier technology than originally intended. Some people will clamor for SSL, somewhat mis-applying channel encryption and not realizing that it simply makes the traffic opaque and does nothing about the problematic traffic itself.
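One way a receiving device can treat configuration-change payloads differently from ordinary content, shown as an added example that is not part of the original post. It assumes the payload arrives as an NDEF message (the NFC Forum record format, which the post does not name); the policy table, size cap and function names are hypothetical.

```python
import struct

# Assumed policy for this example: MIME record types that reconfigure a radio.
CONFIG_TYPES = {
    b"application/vnd.bluetooth.ep.oob": "bluetooth-pairing",
    b"application/vnd.wfa.wsc": "wifi-config",
}
TNF_MIME = 0x02
MAX_PAYLOAD = 4096  # assumed cap on a single record's payload

def parse_ndef(msg: bytes):
    """Yield (tnf, type, payload) per record; raise ValueError if malformed."""
    pos = 0
    while pos < len(msg):
        hdr = msg[pos]
        short, has_id, tnf = hdr & 0x10, hdr & 0x08, hdr & 0x07
        if hdr & 0x20:
            raise ValueError("chunked records are not accepted")
        fixed = 2 + (1 if short else 4) + (1 if has_id else 0)
        if pos + fixed > len(msg):
            raise ValueError("truncated record header")
        type_len = msg[pos + 1]
        if short:
            payload_len = msg[pos + 2]
        else:
            payload_len = struct.unpack_from(">I", msg, pos + 2)[0]
        id_len = msg[pos + fixed - 1] if has_id else 0
        body = pos + fixed
        end = body + type_len + id_len + payload_len
        if payload_len > MAX_PAYLOAD or end > len(msg):
            raise ValueError("record length exceeds limit or message size")
        yield tnf, msg[body:body + type_len], msg[end - payload_len:end]
        if hdr & 0x40:  # ME flag: this was the last record
            return
        pos = end

def triage(msg: bytes):
    """One decision per record: 'confirm:<kind>' for config changes, else 'allow'."""
    decisions = []
    for tnf, rtype, _payload in parse_ndef(msg):
        kind = CONFIG_TYPES.get(rtype) if tnf == TNF_MIME else None
        decisions.append(f"confirm:{kind}" if kind else "allow")
    return decisions

def short_record(tnf, rtype, payload, first=False, last=False):
    """Build a short NDEF record (constructed test input only)."""
    hdr = (0x80 if first else 0) | (0x40 if last else 0) | 0x10 | tnf
    return bytes([hdr, len(rtype), len(payload)]) + rtype + payload

# Constructed sample: a URI record followed by a Wi-Fi configuration record.
SAMPLE = (short_record(0x01, b"U", b"\x04example.com", first=True)
          + short_record(0x02, b"application/vnd.wfa.wsc", b"\x00" * 8, last=True))
```

The decision depends only on the record type, so it applies equally whether or not the channel carrying the message was encrypted.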
All non-wired solutions suffer greatly from eavesdropping and leakage. To some degree even hard wires may be tapped, but any wireless transmission makes it a little easier to inject into the stream. Now a potential attacker only needs to be close[r] — while standing in a line, perhaps, or sitting next to you on the train, in a theater… or simply pacing you as you walk through some type of controlled environment, and voilà, NFC brings the evil of the world to your door pocket. Am I simply beating a dead horse and rattling off paranoia? Sadly, no. Within a few weeks, we will see some Real Life attacks, where malicious, targeted code will be pushed onto the NFC device, forced to execute, and will ultimately compromise the NFC device itself. Good thing it’s just a little ol’ NFC device… not like we keep money, access credentials, intimate details of our lives, or anything important on those things anyway.