NFC Awareness Press Sheet

The invariable problem with new technologies is the potential for new attack vectors. Near Field Communication (NFC) is gaining momentum as an added feature within smartphones and tablets. NFC is an amazing tool for marketing and advertising because the experience becomes enriched with interactive content. Consumers can be incited with free samples of media delivered using NFC.

The potential risk comes from someone with malicious intent creating or replacing an existing NFC tag with infected content. Malicious intent can vary from collecting unauthorized information about the device to changing the device settings to delivering malicious software to the device for remote access. To demonstrate the risk, we gave out buttons with NFC tags hidden within, as well as placing NFC tagged posters (see below) all around the DEF CON. 

Our theory was if we could convince the most security savvy individuals, at what is known to be the world’s largest hacker conference, the average smart phone user would be at a significant risk. At DEF CON, our theory proved to be correct as we were successfully able to entice approximately 50 attendees to scan our NFC tagged posters and buttons that “could” have been infected. We then gave a controlled live demonstration of what someone with malicious intend could really do to a smartphone user with NFC enabled.

The demonstration was as follows:

Using a brand new fully patched Galaxy S4, we were successfully able to download and install malware by scanning a malicious tag. The malware duplicated all SMS messages from the infected host to a mobile phone of our choosing. After this rather scary demonstration, we then encouraged the crowd to use caution when scanning NFC tags they don’t control.