Practical Analysis on the Security of NFC Enabled Mobile Devices

By Philip Rotoli

Near Field Communication (NFC) is a communication protocol that allows two devices to establish communication by bringing them within a small distance of each other. It is seen as an emerging technology, expected to be present in two of every three phones that are released next year. This capability within phones will allow users to take advantage of a number of additional features, using their phone to make payments, take part in targeted marketing, and more. Additionally, NFC enabled mobile devices are projected to see increased usage for enterprise concerns (such as building access or hour tracking), general use (ticketing for concerts or flights), and as a vehicle to share and collaborate with others. As NFC becomes more readily available and its usages become more mainstream, the potential security concerns of using such a technology regularly need to be considered.

There are a number of security concerns associated with NFC use in general. When using NFC for any kind of communication, the risk of a man-in-the-middle (MITM) attack must be considered. This type of attack takes place when a malicious user intercepts, possibly manipulates, and relays the data back to the receiving device. NFC is also highly vulnerable to relay attacks, which are similar to MITM attacks. A relay attack takes place when an attacker initiates communications himself, relaying the messages between the two legitimate parties without manipulating them. Additionally, NFC is vulnerable to any kind of eavesdropping. Eavesdropping takes place when an attacker records communications between two legitimate parties. This recorded data can then be used for anything the attacker sees fit, whether to gain sensitive information or otherwise. In addition to these attacks, NFC can also be used as a vehicle to distribute malware to users who are familiar with the technology but are not thinking of the potential security concerns.

As mentioned earlier, NFC is often used to carry out targeted marketing, encouraging users to scan an NFC tag to receive a discount, promotional code, free stuff, or otherwise. This common usage can be abused to instead distribute malware to users who believe they are scanning an advertisement or promotional offer. Because of this, as NFC becomes more readily available, the ease and probability of infecting users also increases. The majority of users, because they are not security minded and are used to granting permissions for nearly all applications, may grant permissions when prompted without thinking about the consequences. These permissions could allow downloaded malware to take full control of the device, spreading it further (through SMS to friends and family) as well as stealing personal and payment information.

Based on the premises mentioned above, an experiment was conducted to see how often users were willing to scan a promotion without any proof that it was legitimate. The experiment was conducted under the hypothesis that, if NFC usage continues to increase, especially for means of targeted marketing, promotions, and payments, NFC will become a reliable means of distributing malware to the mobile devices of unaware users. In order to carry out the experiment, a number of research tasks needed to be completed.

The first accomplished research task was to create a web server that was able to count visitors to the server. The logic was simple, and was done using JavaScript to call back to a simple Python server whenever a user opened the page. Each of these callbacks was counted and incremented in order to receive a total number of page hits. Because of the implications, no information was saved other than the fact that somebody visited the page. With no device IDs being saved, repeat scans were possible and some logic was included to help note and minimize this occurrence.

The second research task was to purchase and program the NFC tags to redirect to the established web server. NFC tags were purchased off Amazon for less than $15, and programmed to visit the malicious domain once scanned. Once scanned, the device would either prompt the user to select a browser to open the link, or directly open the link if only a single browser exists. For obvious reasons, no download was provided in the public facing link, although testing proved that a download prompt pops up when the link redirects to a valid download link. Because promotions often require a download (such as a free song or a coupon), it is not expected that a download prompt would deter the average user, and most would allow the download.

The third task was to create a poster that looked semi-legitimate, in order for users to scan the NFC tag without thinking too much about the consequences. In order to do this, a poster that emulated Samsung’s “Free Song” posters was created, but without the trademarks. Instead, generic symbols were inserted to increase the legitimacy.

Once all three tasks were completed, the experiment was conducted in Rochester Institute of Technology’s liberal arts building. The liberal arts building was used as an attempt to avoid the technological bias that may have been introduced if the experiment had been conducted in a computing-based building such as Golisano. Three posters were put up throughout the building and remained up for three days before being taken down. Once up, the experiment began, and the number of scans as well as potential repeat scans were recorded for each day.

The first day saw potentially eight individual students scanning the poster with two of those students rescanning the poster when they did not receive what they were promised. The second day was a bit more eventful with fifteen students scanning the poster and three of those rescanning. The final day was a bit slow with only five individual students scanning the poster and no rescans detected. In total, 28 students scanned the poster and approximately 5 of those students attempted to rescan the poster to try to take advantage of the promotion after it did not work the first time. While we do not know exactly how many students passed by and did not scan, or the reasons they chose not to scan, the total number of scans is still high when considering the purpose is to distribute malware and not advertise a product.

While the experiment did prove that users would scan a promotion without any proof of legitimacy, it did not prove that users would be willing to provide the malware with the required permissions needed once downloaded. In order to investigate this and come to a conclusion without actually distributing malware, I found and read a research paper that tested the effectiveness of permissions on Android devices.

The paper, “The Effectiveness of Application Permissions” by Adrienne Porter Felt et al., tested the reliability of permissions on both Chrome extensions and Android devices. In order to conduct their experiment, the authors first sectioned Android permissions into categories, separating out those that provided access to API calls with potentially harmful consequences into the “Dangerous” category. They then surveyed 100 paid and 856 free applications, with 856 of those applications directly from the Android Market’s “most popular” section. In this survey they determined which permissions were commonly requested and what level of access (how dangerous) those permissions provided. The study found that 93% of free and 82% of paid applications required the user to grant permissions that were classified as dangerous or had the potential to result in harmful consequences.

Based on the results of the experiment and how often users grant potentially dangerous permissions, I would consider these advertisements as a viable method of distributing malware via NFC and therefore consider the hypothesis to be true. As we see NFC continue to expand as a platform, these advertisements will undoubtedly become more common and the number of scans would see an increase. These findings are significant for a future where NFC is a popular method of communication, as they imply that malware could regularly and reliably be distributed via this method, hiding among promotions and otherwise. In the future, as NFC continues to expand, protections should be put in place to prevent this type of distribution. These protections may come in the form of additional warnings, prohibiting downloads without some sort of trusted signature, or otherwise, but should certainly be implemented before NFC becomes the extremely popular method of communication that it is projected to be.
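
One way the "additional warnings" protection could be driven, shown as an added example that is not code from the original experiment: decode the URI record a tag carries and apply a policy before the link reaches a browser. The allowlisted host, the extension list and the function names are assumptions, the prefix table is only a subset of the NFC Forum URI identifier codes, and the sample records are constructed.

```python
from urllib.parse import urlsplit

# Subset of NFC Forum URI identifier codes (first payload byte of a "U" record).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
TRUSTED_HOSTS = {"promo.example.com"}               # assumed allowlist
DOWNLOAD_EXTENSIONS = (".apk", ".zip", ".jar")      # assumed blocklist

def parse_ndef_uri(message: bytes) -> str:
    """Decode the first NDEF record and return its URI, or raise ValueError."""
    try:
        header, type_len, pos = message[0], message[1], 2
        if header & 0x10:                            # SR: 1-byte payload length
            payload_len, pos = message[pos], pos + 1
        else:                                        # otherwise 4 bytes, big-endian
            payload_len, pos = int.from_bytes(message[pos:pos + 4], "big"), pos + 4
        id_len = 0
        if header & 0x08:                            # IL: an ID length byte follows
            id_len, pos = message[pos], pos + 1
    except IndexError:
        raise ValueError("truncated record header") from None
    rec_type = message[pos:pos + type_len]
    pos += type_len + id_len                         # skip type and optional ID
    payload = message[pos:pos + payload_len]
    if (header & 0x07) != 0x01 or rec_type != b"U":  # TNF 1 = well-known type
        raise ValueError("not a URI record")
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI identifier code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def assess_tag(message: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'warn' or 'block'."""
    try:
        parts = urlsplit(parse_ndef_uri(message))
        host = parts.hostname
    except ValueError as exc:                        # fail closed on malformed tags
        return "block", f"unreadable tag: {exc}"
    if parts.scheme not in ("http", "https"):
        return "warn", f"non-web scheme {parts.scheme!r}"
    if parts.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        return "block", "link points directly at a downloadable file"
    if parts.scheme != "https" or host not in TRUSTED_HOSTS:
        return "warn", f"unverified origin {host}"
    return "allow", "https link to an allowlisted host"

def build_uri_record(code: int, rest: str) -> bytes:
    """Build a single short NDEF URI record (constructed sample input)."""
    payload = bytes([code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload), 0x55]) + payload
```

A check on the tag's URL cannot see server-side redirects, so the download prompt described in the experiment still needs its own control at download time.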

Resources:

1. https://people.eecs.berkeley.edu/~daw/papers/perms-webapps11.pdf
2. https://static1.squarespace.com/static/51ba8178e4b0b55963d10050/53adfd2ee4b0caf114eccc7a/53adfd30e4b0410043eb7e0e/1403911487909/NFC_poster_1.png?format=750w
3. http://resources.infosecinstitute.com/near-field-communication-nfc-technology-vulnerabilities-and-principal-attack-schema/
4. https://web.stanford.edu/~pyzhang/papers/MobiSys13-EnGarde.pdf
5. https://android.stackexchange.com/questions/96461/what-happens-when-i-tap-an-nfc-tag-which-contains-a-url
6. https://www.solutionary.com/resource-center/blog/2015/04/risks-of-utilizing-nfc/
