NFC security: 3 ways to avoid being hacked

More than a billion phones will be equipped with near-field communications technology in 2015, opening up new vectors for attack.

The number of NFC-enabled phones is expected to surpass 1 billion by 2016.

Here's what to keep in mind as near-field communications (NFC), the technology that allows Apple iPhone users to tap and pay, takes off. By the end of 2015, more than a billion phones will have the capability to use the wireless protocol to exchange data, and applications beyond payments will become common.

The technology promises greater security, but individual smartphone makers' implementations of it are not perfect. At an annual mobile-device hacking competition in 2012 and 2014, security researchers used previously unknown flaws in the NFC functionality of smartphones to compromise devices.

As smartphones' NFC capabilities are used for more than mobile payments, researchers and attackers alike will focus more on the security and privacy of NFC, and such vulnerabilities could become more common. "Most users may not be aware of the expanded attack surface they expose to adversaries when applications use NFC to transport data between mobile devices," says Brian Gorenc, vulnerability research manager and head of HP's Zero Day Initiative, which runs the Pwn2Own competition.

NFC, based on contactless smartcard technology, allows secure data exchange by using encryption and a special processor. In addition, the wireless technology limits communication to within a short distance, reducing the opportunities for an attacker to eavesdrop on communications and adding security and privacy. Yet, while the NFC Forum claims a read range of a few centimeters (an inch or so), academic researchers have extended that to about 80 centimeters (about 31 inches)--a much greater distance for attackers to play with.

Already, home automation aficionados have used NFC tags--small devices capable of storing and transmitting data--to allow location-dependent phone settings. Does a guest want to use your wireless router? Tap a tag on the router to configure their phone automatically. Location-based marketers have started deploying NFC tags to give additional information to consumers who tap them.

Yet, the most interesting uses are by businesses, says David Shalaby, co-founder and president of TapTrack, an NFC systems vendor. Contactless conference badges are a common use. The smart card technology on which NFC is based means the data on the badge is secure, and the close proximity required to read the card usually satisfies any requirements for the user to opt in. At amusement parks or on cruise ships, NFC can be used to manage access to rides, venues or other attractions.

"If you implement it correctly with the proper technology and the proper software development, it is secure," Shalaby says.

A few simple steps will help you get started safely with NFC.

1. Read the fine print for NFC-enabled applications

With a credit card transaction, most people understand that a handful of companies--the store, card processor, issuing bank and credit card company--will get some information on their buying habits. With NFC, however, the picture is less clear. The application developer and the service provider may also get information.

Consumers should read up on any application's data usage policy to protect their privacy.

2. Monitor NFC updates and patch your device promptly

The NFC vulnerabilities used to compromise devices in the Pwn2Own competition have been fixed, but manufacturers are typically slow to release patches for vulnerabilities in smartphones.

They're getting better, however, leaving consumers as the primary hurdle for locking down phones.

"Consumers should be less concerned about whether or not another vulnerability will be discovered," HP's Gorenc says. "They should be concerned with how fast mobile device vendors can fix the issue and deploy the patch."

3. If you're not using NFC, turn it off

NFC is new, and many consumers have yet to adopt the technology. Unless you've started using Google Wallet or Apple Pay, turn NFC off.

"The average mobile user has asked, 'What does this do for me?'" TapTrack's Shalaby says. "On the consumer-facing side, most people turn their NFC off."

Aside from saving some power, turning off unused networking features is a good rule of thumb to limit exposure to attackers.
