Chester Wisniewski, writing over at Naked Security, reports on Charlie Miller's talk at the current Black Hat security conference:
...Charlie decided to look into the attack surface of NFC. He began by probing the drivers, hardware and program stack on both a Nokia Meego and Google Android phone. While he was able to find some flaws using classic fuzzing techniques, nothing major was discovered. Although Charlie did find a vulnerability in Android that affects all "Gingerbread" devices and "Ice Cream Sandwich" devices lower than version 4.0.1, the most interesting findings were at the application layer. There can be many programs loaded onto a phone that will accept instructions or input from NFC. This is where the real bugs are found.
Consider the ability for Android phones with the Android Beam app to simply touch another NFC enabled Android and have it automatically load a webpage of the "toucher's" choosing. This widens the attack surface from just the NFC driver and kernel stack to include HTML, JavaScript, PNG, JPG, GIF, mp3, mp4 and just about any other thing that can be loaded into a browser. Creating a malicious webpage is far easier than trying to find device specific bugs.
The Nokia N9 with Meego suffers from the same type of trouble. The Nokia Content Sharing app will allow a user to compel another persons phone to load a web page without any user interaction. This despite an option on the phone called "Confirm sharing and connecting" being enabled. Even worse the Nokia device is configured to automatically pair with Bluetooth devices when tapping NFC tags. Even if your Bluetooth is disabled it will turn it on and pair without your permission (unless Confirm sharing and connecting is enabled).
...The onus is on Google, Nokia and other operating system manufacturers to build in better security controls and to never allow an action to occur without the ability to prompt the recipient that they wish to proceed. While it might be convenient to tap a speaker with my phone and have my music start playing, I'm OK with a prompt on my handset that says "Bluetooth pair for Logitech BlueBlast speakers?".
All of this does apply, to an extent, to existing Symbian NFC-equipped handsets and upcoming Windows Phone devices, but there's little need to panic yet. For example, tapping an NFC tag on Symbian brings up (by default) a 'Open this link?' prompt. It's true that the actual URL is often obfuscated on tags, but you can still make an informed decision as to whether to proceed based on what you thought you were tapping on and how much you trust the tag's location (e.g. in a shop or museum).
Plus, writing NFC tags isn't that difficult or expensive, but it is non-trvial, you'd have to be pretty unlucky to come across a tag that had been maliciously put in place purely to take advantage of a browser vulnerability in your phone's mobile OS. There's no such prompt when pairing with a Bluetooth accessory, but creating a maliciously constructed piece of hardware is several orders of magnitude harder again.
But the article is a timely warning for the future that NFC's convenience could potentially come at a security price. 'Could'. It's very early days for NFC in terms of protocols and 'how should this work?' functionality, and I suspect that more people are working on making things secure than are currently scheming to subvert the technology.
PS. You can follow Charlie Miller here on Twitter.
PPS. See also my Near Field Communications primer here on AAS. Ditto, my NFC primer on AAWP.
PPPS. Bonus link across to Sophos' excellent PDF-format Threatsaurus, also published today - it's IT generic and not mobile-related, but it's free to download and worth a place on anyone's hard disk or memory card.