Android Compromised via NFC on Samsung Galaxy S III

Posted on September 20, 2012 10:30 AM by Rob Williams

For those who own phones equipped with it, NFC (near-field communication) can offer some cool functionality. The most popular example is hovering your phone over a device at a checkout to pay for your order, but other ideas include swiping the phone to pick up information from a kiosk or another phone, swapping data from one phone to another, and so forth.

Like your cellular wireless, WiFi and Bluetooth, NFC is another form of open communication between your device and another, which means just one thing: it could be vulnerable. And well, it is vulnerable, as an event taking place at the EuSecWest Conference in Amsterdam has proven this week.

Researchers have discovered an exploit that allows someone to install a customized version of Android’s assessment framework, Mercury, which then gives them the ability to pull whatever data they please. At the moment, Samsung’s Galaxy S III is the most popular phone out there equipped with NFC, so should owners be worried? No – not unless you manage to lose your phone, someone who understands this attack happens to find it, and it happens to have no security (NFC requires the phone to be active to operate).

In order for code execution to take place, this particular exploit has to be triggered 185 times. This in effect means that in order for someone to take over your phone, their phone would need to be, at the very least, set directly beside yours. How long 185 triggers take, I’m not sure, but I am guessing it’s not that quick.

It is mentioned that this same exploit can be conducted via other methods, such as with a malicious website, but it can be assumed that the 185 triggers are required there as well, which means the likelihood of your ever being compromised is vanishingly small.

At the same event, researchers also found flaws on the iPhone 4S using Safari in either iOS 5 or 6. This exploit could be a bit more serious as it seems to require only visiting a website once. It doesn’t look like the exploit enables root execution, but it does make it possible to steal data.

Malware scanners for mobile devices are starting to seem more reasonable these days.

Source: TheNextWeb
