Near field communication – the security risks

Near field communication (NFC) is a type of contactless, wireless technology used for sending information or making payments. By embedding an NFC chip inside a smartphone, a company can create a virtual wallet where users store credit card information and can pay at a store simply by waving their smartphone over a credit card reader.

NFC is similar to radio-frequency identification or RFID. A small NFC chip inside a smartphone or other device generates an electromagnetic field. This field is received by an NFC tag found in a card reader, a smart poster, or even on an advertisement. The tag contains information and, using the electromagnetic field as its power supply, sends this information to the smartphone.

Since NFC facilitates contactless transfer of information, it is exposed to certain security risks as discussed below. Please note that the risks must be considered in the context that the range of NFC devices is limited – usually a few centimetres. Please do note though that it is still possible for an attacker to retrieve usable signals up to distances, often up to 1 metre away for passive signals, and for active mode distances of up to 10 metres may be at risk.

The first risk that presents itself is eavesdropping. Eavesdropping is when a third party can intercept the transmission and gain access to the data being transmitted. If the data is sensitive, such as credit card data or personal information, then the third party will have full access to this data. A possible and easy mitigation for this risk is to encrypt the data that is being transferred over the NFC channel.

Another security concern is data disruption or corruption. This is basically a denial of service attack where an attacker is disrupting or corrupting the data to block the communication channel. The attacker may try to disrupt the communications by sending data that may be valid, or even blocking the channel so that the legitimate data is corrupted. This type of attack is a little harder to mitigate against. It is possible to pick up this type of attack as the power required for such an attack is significantly higher than that required for normal communications. Further, the data stream could also be encrypted or incorporate some form of data validation controls to prevent against data corruption.

Related to the above is the risk of data manipulation. With this attack the perpetrator attempts to intercept the data, manipulate it and sent it onto the intended receiver. Again, the simplest way to mitigate against this attack is to use a secure communication channel.

NFC channels are also susceptible to man-in-the-middle (MITM) attacks. In this scenario, an attacker successfully intercepts the communication and then acts as a relay, passing the data on either having modified it or simply having read and recorded it. It is particularly difficult to achieve a man-in-the-middle attack on an NFC link due to the short distance capability of the communications. To completely minimise the risk, it is best to use an active-passive communication mode. In this way it would be possible to hear and detect any unwanted third party. Using a secure communication channel is also another viable alternative.

There is also a risk around malicious applications being downloaded onto NFC devices. The application could read any nearby NFC tag and send the data to the attacker. In essence your NFC device could now be sniffing your credit card without your knowledge. Mitigation for this risk requires user awareness. Ensure the user knows what they are downloading and that it has been properly vetted (easier said than done though).

Mobile malware is also starting to become an issue. The malware could easily sniff sensitive information such as credit card data stored or used on the NFC device and forward this to the attacker over an NFC channel or the web. At the moment smartphones provide little financial gain for hackers and they are targeted less. The spread of NFC technology would allow users to store valuable bank account and credit card information on their smartphones, thus making them a target. Mitigation for this risk involves installing an anti-malware program on your device and having the device password/PIN protected so that it could not be easily accessed by an attacker that may have gained physical access to it.

It may also be possible to attack the NFC stack to cause device crashes or find vulnerabilities that enable and attacker to gain full control of the device. Such an attack was demonstrated by Charlie Miller at Blackhat 2012. The mitigation for this no different to any development effort – secure coding and development practices, and appropriate security testing.

Another risk that has emerged recently is ‘Android Beam’. Android Beam can be used to pass information between devices or from a tag to a device. The information that can be passed includes contacts, URLs, applications, etc. There is no confirmation required on the receiving side and the device runs the associated application automatically. This opens a whole new can of worms as you could transfer malicious applications to devices without the user requiring to confirm the transfer. You could also transfer a malicious URL and either trick the user into clicking it or exploit a browser bug to visit the malicious website and download malicious content. The attack scenarios are quite broad in this case. The mitigation in this case is as simple as requiring receiver confirmation before data is transferred to the recipient device.

There is also an issue that is present with NFC enabled Nokia phones. Nokia phones can use NFC to automatically pair Bluetooth devices. There is no requirement to enter a PIN or other confirmation by default. Once paired, an attacker can use tools such as obexfs to gain access to the device. The mitigation here is to require a PIN or other confirmation before Bluetooth pairing is accepted.

Mobile NFC use and uptake is increasing significantly. As with any new technology, there is a security learning curve. Developers and users should equally be aware of these risks and ensure that NFC development occurs in a secure manner and users are educated in its risks and can protect themselves against the threats.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

Tags NFCnear field communication (NFC)

More about CSONFCNokia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ashwin Pal

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place