
TheHateMachine

macrumors 6502a
Sep 18, 2012
846
1,354
I'm really scared that someone is going to slip their phone into my pocket with its back touching my phone's back and run off with all my data. Yeah... real scared!

I know you fan boys wanna jump all over NFC but the range is ridiculously small. They literally have to touch their device to yours.
 

r.j.s

Moderator emeritus
Mar 7, 2007
15,026
52
Texas
I know you fan boys wanna jump all over NFC but the range is ridiculously small. They literally have to touch their device to yours.

They don't actually have to touch, but the range is only ~4cm, and in many devices (not sure about the S3), the screen must be on and the device unlocked.
 

Mac.World

macrumors 68000
Jan 9, 2011
1,819
1
In front of uranus
I'm not sure why the pro-Apple crowd is in here talking about something they don't use? And yes, if the screen is off and in your pocket, nothing will happen.

On the other hand, all you Apple owners walking around with embedded chip credit cards, those who carry govt ID cards with CAC capability and every US citizen with a passport, I can walk up to any one of you and steal your data with my phone, assuming I am right next to you and know where your wallet or ID is located on your person. Google Wallet and NFC is more secure than what you have right now.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1

The vulnerability exists in Jelly Bean as well. Jelly Bean adds PIE to ASLR which iOS already includes. iOS was compromised despite the greater exploit mitigations. So, the exploit would only need to be modified to compensate for PIE despite the specific exploit used in pwn2own not working against Jelly Bean.

The real issue with exploit mitigations with ARM devices is that these devices are only 32-bit. 32-bit runtime security mitigations can be defeated via brute force methods. The Android exploit suggests some brute force methodology was used by referring to the vulnerability being triggered 185 times in the exploit.

This is why iOS fell but Safari running on OS X Lion at the non-mobile pwn2own was not compromised.

I'm really scared that someone is going to slip their phone into my pocket with its back touching my phone's back and run off with all my data. Yeah... real scared!

I know you fan boys wanna jump all over NFC but the range is ridiculously small. They literally have to touch their device to yours.

The issue is that NFC could be used as a means of malware transmission because this exploit works without user intervention and allows malicious apps to be installed that run in the background without the user being aware of the process running in the background.

Basically, NFC provides another vector for malware transmission. You get the malware via a Google Play trojan or a drive-by install via email or a malicious website. Then, you pass it to others silently when you bump phones for some legitimate reason.
 

lixuelai

macrumors 6502a
Oct 29, 2008
965
337
It is a very poor excuse against NFC considering how this hack has to be carried out. That said though there just isn't the infrastructure of NFC at the moment in the U.S. I would love to be able to use my phone to buy from a vending machine like I can do in Japan, but that is likely years away.
 

cynics

macrumors G4
Jan 8, 2012
11,959
2,156
Am I misunderstanding, but you need a "file" on the S3 via NFC so wouldn't you need to accept this file first for the hack to work?

I feel like people are saying, "oh just near it even if it's in your pocket". But I don't think NFC is on like that unless there is something I'm missing here...
 

Mac.World

macrumors 68000
Jan 9, 2011
1,819
1
In front of uranus
Am I misunderstanding, but you need a "file" on the S3 via NFC so wouldn't you need to accept this file first for the hack to work?

I feel like people are saying, "oh just near it even if it's in your pocket". But I don't think NFC is on like that unless there is something I'm missing here...

If the phone is on, if NFC is on AND if you accept the file or allow for a connection, then yes. NFC is active and requires a user interface, while RFID credit cards/passports are passive and can be read at any time (like when you enter a country via customs) unless there is a barrier to prevent transmission. And Google Wallet adds another layer of security on top of Android. As I said, more secure than what most people have in their wallet right now.

And I love using Google Wallet. Just used it as a matter of fact. A simple tap and everything is paid for and a digital receipt is auto generated and saved on the phone. Easy.
 

matttye

macrumors 601
Mar 25, 2009
4,957
32
Lincoln, England
For NFC to work the screen must be on and the device unlocked, then the attacking device would need to get within 2cm (NFC's range).

I'm not worried :)
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1

It wasn't the FBI that was hacked. It was a developer, far less than 12 million UDIDs were taken, and very little information was associated with the UDIDs.

For NFC to work the screen must be on and the device unlocked, then the attacking device would need to get within 2cm (NFC's range).

I'm not worried :)

Given the exploit could be used to install malware with elevated privileges that runs in the background, then this could be used to transmit malware between devices in the background when NFC is used to bump devices for legitimate purposes.
 