h
henyfoxe
Aug 03, 2012

How much of a security vulnerability is created by NFC (Near Field Communications)?

At Black Hat, one thing that came up was security issues related to NFC (near field communications) on mobile devices. This is an area of concern that is new to me. As NFC becomes a standard feature on more devices, how much of a risk does it really pose?

jimlynch
08/06/2012
Here's a good background article on NFC, including the security part of it.

Near field communication
http://en.wikipedia.org/wiki/Near_field_communication

"Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres. Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a "tag".[2]

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance.[5]"
j
jack12
08/06/2012

I think comparing NFC to a USB port is a little glib.  To make it more comparable, I would say there is no more risk from NFC than letting a stranger connect to a USB port.  Admittedly, you would probably notice the cable, whereas is it a little harder to get a visual on radio communication.  The short range of NFC does minimize the risk but minimal does not equal zero.  For example, ATMs are relatively safe, but skimmers do exist.  Of course NFC is only an attack vector, but it potentially could allow one to reach the actual attack surface, such as the browser. 

K
Ken Mages
08/04/2012

NFC is merely a transport layer and in and of itself, has NO bearing on security.  It's like asking how much the Apple dock or USB affects security.  Good apps and tamper proof hardware are the only preventions to security breaches. 

Answer this
ASK a question
250