NFC Security Awareness Project
Warning Message
http://www.wallofsheep.com/pages/05c28a34e2eeeefaeeca2e6796a06ae572f4814e3c5c592652468da5a9c2a55e
The invariable problem with new technologies is the potential for new attack vectors. Near Field Communication (NFC) is gaining momentum as an added feature within smartphones and tablets.
NFC is an amazing tool for marketing and advertising because the experience becomes enriched with interactive content. Consumers can be enticed with free samples of media delivered using NFC.
The potential risk comes from someone with malicious intent creating or replacing an existing NFC tag with infected content.
Malicious intent can vary from collecting unauthorized information about the device, to changing the device settings, to delivering malicious software to the device for remote access.
To demonstrate the risk, we gave out buttons with NFC tags hidden within, and placed NFC-tagged posters (see below) all around DEF CON.
Our theory was that if we could convince the most security-savvy individuals, at what is known to be the world’s largest hacker conference, then the average smartphone user would be at significant risk.
At DEF CON, our theory proved to be correct: we successfully enticed approximately 50 attendees to scan our NFC-tagged posters and buttons that “could” have been infected.
We then gave a controlled live demonstration of what someone with malicious intent could really do to a smartphone user with NFC enabled.
The demonstration was as follows:
Using a brand-new, fully patched Galaxy S4, we were able to download and install malware by scanning a malicious tag. The malware duplicated all SMS messages from the infected host to a mobile phone of our choosing.
After this rather scary demonstration, we then encouraged the crowd to use caution when scanning NFC tags they don’t control.
NFC Awareness Project - Poster
Exclusive Poster Code - Music
http://www.wallofsheep.com/pages/50a6b99d195ca35513c9bc5dc39da7b267ec82e8a15557fc81d912ad2f1fee4b
Rick Roll'd
http://www.wallofsheep.com/pages/12af61c70e2355fdb1127542af44aea0131ce464bf6372b565c9a58a6511b011
Example Button
Malware Device Access
Example of the Fake Security Suite
CREDIT
David Schwartzberg
Brian Markus
Joseph Mlodzianowski
Robert Scott
Additional Research Used
Charles Miller
https://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf