Samsung Galaxy S3 (et al) hacked via NFC at PWN2OWN

[Porshuh944turbo]

Uh oh.....

The Samsung Galaxy S3 can be hacked via NFC, allowing attackers to download all data from the Android smartphone, security researchers demonstrated during the Mobile Pwn2Own contest in Amsterdam on Wednesday.

Still want NFC?

Using this technique, a file is loaded on the targeted S3. The file is then automatically opened and gets full permissions, meaning that the attacker has full control over the phone, explained Tyrone Erasmus, security researcher at MWR. The app runs in the background so the victim is unaware of the attack, he added.

The attacker, for instance, gets access to all SMS messages, pictures, emails, contact information and much more. The payload is very advanced, so attackers can "basically do anything on that phone," the researchers said.

http://www.networkworld.com/news/2012/091912-galaxy-s3-hacked-via-nfc-262590.html?hpg1=bn

EDIT:
To please some of you accusing me of not being fair -- yes, the iPhone 4S was hacked via a similar exploit, but obviously not via NFC, which I believe is the news here. The iPhone exploit was made possible through a website. The iPhone 5 is believed to be vulnerable, though this is unconfirmed. The exploit was used on iOS 5.1.1 and a developer version of iOS 6 on an iPhone 4S handset.

When a user visits a website where the code is running; the security mechanisms in Safari are circumvented

 

[jaysen]

Uh oh.....



Still want NFC?



http://www.networkworld.com/news/2012/091912-galaxy-s3-hacked-via-nfc-262590.html?hpg1=bn

If you're going to troll, be fair about it - sheesh;

It should be noted though, that the vulnerability can also be exploited in other ways, the researchers said. The payload data can for instance be attached to an email message and have the same effect when downloaded, they said.

"We used the NFC method for showmanship,"

Oh no, lets remove email from the iphone...

 

[Cozmo85]

NFC's range is something like touching to 4 inches. At that distance you could just steal the phone.

 

[Porshuh944turbo]

Most people can spot a phishing email a mile away (if it even makes it through your mail server's spam filter). Walk around a shopping mall and see how many people get close enough to your phone that is in your pocket. It takes very little time to establish an NFC connection. Once the payload is uploaded, according to the article, a hacker could connect via WiFi to your phone and access anything and everything.

I can think of numerous places a hacker could exploit this with ease:

a crowded bar
a concert
checkout line at the grocery store
checkout line just about anywhere
at the workplace where people often leave their phone on their desk

it's not about stealing a phone.. the NFC hack works without the owner's knowledge.




troll? lol.. been here since 2003, bud

 

[Interstella5555]

Most people can spot a phishing email a mile away (if it even makes it through your mail server's spam filter). Walk around a shopping mall and see how many people get close enough to your phone that is in your pocket. It takes very little time to establish an NFC connection. Once the payload is uploaded, according to the article, a hacker could connect via WiFi to your phone and access anything and everything.

I can think of numerous places a hacker could exploit this with ease:

a crowded bar
a concert
checkout line at the grocery store
checkout line just about anywhere
at the workplace where people often leave their phone on their desk

it's not about stealing a phone.. the NFC hack works without the owner's knowledge.




troll? lol.. been here since 2003, bud

If you were really being fair you would mention the 5 has also been hacked instead of just saying "et al". I agree though, NFC is a terrible idea.

 

[Porshuh944turbo]

the 5 wasn't hacked.. a 4S was and the team responsible believes the 5 is also vulnerable (unconfirmed). However, I think the news here is that NFC was used. Email and website hacks have been around for a while now (and are indeed a threat that should be patched).

If you can show me an iPhone 5 hacked via NFC, then you got me.

 

[JohnnyAndre]

You lose again, Samsung. Give up.

 

[munkery]

It should also be noted that the Android exploit included privilege escalation.

This allowed the installation of an app, which could have been malware, and the comprise of protected data, such as SMS and emails.

Privilege escalation was not achieved in iOS. So, malicious apps couldn't be installed and protected data was not compromised.

Mobile pwn2own 2012 details:

http://dvlabs.tippingpoint.com/blog/2012/07/20/mobile-pwn2own-2012

Android exploited including privilege escalation via NFC

http://labs.mwrinfosecurity.com/blog/2012/09/19/mobile-pwn2own-at-eusecwest-2012/

Android hack details:

The first vulnerability was a memory corruption that allowed us to gain limited control over the phone. We triggered this vulnerability 185 times in our exploit code in order to overcome some of the limitations placed on us by the vulnerability.

We used the second vulnerability to escalate our privileges on the device and undermine the application sandbox model. We used this to install a customised version of Mercury, our Android assessment framework. We could then use Mercury’s capabilities to exfiltrate user data from the device to a remote listener, including dumping SMS and contact databases, or initiating a call to a premium rate number.

iPhone browser exploited but privilege escalation not achieved

http://www.zdnet.com/mobile-pwn2own-iphone-4s-hacked-by-dutch-team-7000004498/

iPhone hack details:

Although the successful attack exposed the entire address book, photo/video database and browsing history, Pol and Keuper said they did not have access to the SMS or e-mail database. "Those are not accessible and they're also encrypted," Keuper explained.

Despite obliterating the security in Apple's most prized product, Pol and Keuper insists that the iPhone is the most secure mobile device available on the market. "It just shows how much you should trust valuable data on a mobile device. It took us three weeks, working from scratch, and the iPhone is the most advanced device in terms of security."

"Even the BlackBerry doesn't have all the security features that the iPhone has. For example, BlackBerry also uses WebKit but they use an ancient version. With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said matter-of-factly.

He reckons that the Android platform is also "much better" than BlackBerry and said the decision to go after iPhone 4S at Pwn2Own was simply aimed at going after the harder target.

 

[jaysen]

Most people can spot a phishing email a mile away (if it even makes it through your mail server's spam filter). Walk around a shopping mall and see how many people get close enough to your phone that is in your pocket. It takes very little time to establish an NFC connection. Once the payload is uploaded, according to the article, a hacker could connect via WiFi to your phone and access anything and everything.

I can think of numerous places a hacker could exploit this with ease:

a crowded bar
a concert
checkout line at the grocery store
checkout line just about anywhere
at the workplace where people often leave their phone on their desk

it's not about stealing a phone.. the NFC hack works without the owner's knowledge.




troll? lol.. been here since 2003, bud

Most tech-savvy people can spot a phishing email a mile away, yet millions of people still fall victim to phishing scam/emails a year - go figure.

You're absolutely right in terms of the many of opportunities someone can become close enough to "exploit" this hack, yet you forget the attacker would still need to know the persons phone location to get within "4 inches" of it... I can only see this as being valid if the person has their phone swinging from their hands as they take strides...

In regards to my troll comment, I was referring to you bashing "Samsung" for including a technology that Nokia, Phillips, and Sony developed YET, the article clearly states ANYONE is vulnerable.

You also fail to realize, the team purposely used NFC for "showmanship" again failing to note this could probably be done using WiFi or bluetooth. Also note, in the GSIII, Galaxy Nexus, HTC One X, all have the capability of turning NFC on/off.

Good article nonetheless, but to say "Still want NFC" as if it's the future doomsday technology, is unfair and bias - hence my troll comment.

 

[JohnnyAndre]

NFC shouldn't make or break a phone. It's a stupid feature that can be easily reproduced in many different, more secure ways.

 

[lordofthereef]

While I agree that this is a concern, it is being overblown here by the OP. Someone walking by you at the mall? NFC on the phone isn't an always on type of thing. You don't just brush up against a person and steal their information. NFC actually has to be activated. The risk of something getting stolen would be similar to the risk of your card info being stolen by means of a skimmer (look it up for those who don't know what that is). Granted, getting the entire contents of your phone stolen is a bigger deal than a single credit card's info, which is why I am not dismissing this as nothing, but it certainly is getting way more heat than it deserves.

 

[chakraj]

Hackers show the world how to steal an iPhone’s pictures, address book and browser history

TechWorld reports that the hackers created a Webkit browser exploit that circumvents Safari’s security protocols if a user happens to be on a page where the malicious code is running.

The hackers told TechWorld that the browser exploit “works on iOS 5.1.1 and the developer release of iOS 6, and probably also works on the iPhone 5,” so it’s not as though upgrading to the new iPhone will deliver instant protection.

http://www.bgr.com/2012/09/19/iphone-browser-hack-pictures-address-book-browser-history-targeted/

 

[JetBlack7]

The next big thing is here...along with the possibility to be hacked.

 

[shawnwich]

Yes, yes I still want NFC.

Anything can be hacked.

 

[RotaryP7]

Anything except Blackberries. Did you know the President has a Blackberry? It's nearly impossible to hack into those phones. That's still one of the reasons why the Blackberry still exists today.

 

[Oppressed]

Hard to promote something like this for public use if the public has to be afraid if they are going to be hacked.

Anything except Blackberries. Did you know the President has a Blackberry? It's nearly impossible to hack into those phones. That's still one of the reasons why the Blackberry still exists today.

"Even the BlackBerry doesn't have all the security features that the iPhone has. For example, BlackBerry also uses WebKit but they use an ancient version. With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said matter-of-factly.

 

[munkery]

Hackers show the world how to steal an iPhone’s pictures, address book and browser history

...

See my post above. The Android exploit was worse because it included privilege escalation which allows the installation of malicious apps and the compromise of SMS and emails.

The iPhone exploit didn't allow app install and protected data wasn't compromised. The data accessed with the iPhone exploit is only data available via legitimate APIs. Despite the exploit working in iOS 6, I suspect that even this limited data access may be mitigated by the new security and privacy features of iOS 6.

In terms of security, the android exploit is much more severe.

 

[cotak]

The problem is how NFC is implemented right now and how it automatically opens something it's sent. That will be rectified I am sure.

It's not a reason to be for or against NFC. If you think like that you'd be mistaking a bad design decision with a useful technology. Vast majority of us have NFC in our lives already be it the paypass in your credit card or the badge you open doors with at your office.

 

[throAU]

NFC is retarded.


They're making all the same mistakes the desktop world went through in the late 90s.

Unauthenticated, unencrypted traffic, sent to my device?

Sure, come right in, i'll process that!


Fact: programmers can't write secure code (we've had 50 years to get it right, and people still can't)
Fact: it will be exploited

 

[lazard]

NFC's range is something like touching to 4 inches. At that distance you could just steal the phone.

actually the NFC range is 4cm.

----------

NFC is retarded.


They're making all the same mistakes the desktop world went through in the late 90s.

Unauthenticated, unencrypted traffic, sent to my device?

Sure, come right in, i'll process that!


Fact: programmers can't write secure code (we've had 50 years to get it right, and people still can't)
Fact: it will be exploited

the information sent via NFC is encrypted and sent over a secured channel.

 

[cotak]

NFC is retarded.


They're making all the same mistakes the desktop world went through in the late 90s.

Unauthenticated, unencrypted traffic, sent to my device?

Sure, come right in, i'll process that!


Fact: programmers can't write secure code (we've had 50 years to get it right, and people still can't)
Fact: it will be exploited

You realize that SMS is also unauthenticate, unencrypted traffic send to anyone's phone and any phone just process it? Should we all abandon SMS?

For that matter how is any instance messengering app any better? Or email? Might as well just put on the tin foil hat at this point.

It's not that programmers cannot write secure code. It's that there's not enough pressure for that to be the prime objective.

 

[kdarling]

Reading the article, it's not really about NFC, since that's just one possible delivery vector.

It's more about a security hole in a popular document reader app that allows a downloaded page to install code.

 

[blackhand1001]

The problem is how NFC is implemented right now and how it automatically opens something it's sent. That will be rectified I am sure.

It's not a reason to be for or against NFC. If you think like that you'd be mistaking a bad design decision with a useful technology. Vast majority of us have NFC in our lives already be it the paypass in your credit card or the badge you open doors with at your office.

The issue is only related to the s3. The galaxy nexus only enables NFC polling once the device is unlocked. Samsung can easily change the s3 to work this way as well.

 

[Mac.World]

NFC shouldn't make or break a phone. It's a stupid feature that can be easily reproduced in many different, more secure ways.

Really? Must be why credit card companies and government ag3ncies use the tech.

To hack NFC, you must be literally within an inch of the phones chip. Not the phone, the chip. And if you believe someone is trying to do this thing to you, knows exactly where you keep your phone, etc... there is an easy way to stop them. Put your phone in your pocket with the screen facing outward. Done. Or stick a metal cover over th3 back. Or real carbon fiber.

This is such a non issue.

 

[flameproof]

Anything except Blackberries. Did you know the President has a Blackberry? It's nearly impossible to hack into those phones. That's still one of the reasons why the Blackberry still exists today.

...and they are very unlikely to get stolen too.