[Dave Birch] A bit of a “dog bites man” story coming from the Black Hat lot out in Las Vegas naturally caught my eye because it mentioned NFC. The story is, essentially, that you can hijack an Android handset (well, certain kinds of Android handset) by combining NFC tag reading with some known vulnerabilities of the operating system.
Android Beam, Google’s souped-up version of NFC’s peer-to-peer communication feature in its Android 4.0 operating system, could enable a hacker to induce a victim’s phone to visit a malicious Web site
Under certain condition, the malicious web site can take over the handset. What is puzzling to me about this story is that not only is this vulnerability well-known, but the countermeasure is similarly well-known yet completely ignored. Note, however, that the vulnerability is an instance of a much wider set of problems. It’s not limited to NFC and it’s not limited to Android.
The problem we see in both of the examples–the QR code scanning by the iPhone and the NFC tag reading by the Samsung smartphone–is that the software which interacts with the code/tag proceeds to act on the data in the code/tag without asking permission.
For the purposes of customer convenience and usability, you want people to be able to tap and go. Yet if they think they’re tapping a “get me more information about this excellent credit card offer from a reputable bank” link at the bus stop but are actually tapping a “please hack my phone and steal valuable data” link (or, for that matter, a porn link) things will go wrong. So everyone is vulnerable, except in the case where the security protocol for NFC has been implemented correctly so that the device (e.g., the phone) can read and validate the digital signature on the data. I’m not aware of a similar standard for QR codes, although there are companies (e.g., Ensygnia in the UK) who have developed secure versions of QR codes. So, the generalised countermeasure is that the obvious way to stop phones from automagically visiting dodgy links is to tell the phones to respond only to digitally-signed links. In the case of NFC, the Black Hat example that kicked off this post, the security protocol mentioned above has been around for ages.
There’s an easy way to guard against such scams in the NFC world, because the NFC specifications already include the ability to add digital signatures
The specification I refer to here is nearly three years old but is still, to the best of my knowledge, not implemented in any of the handsets that are out in the market.
The NFC Forum, (http://www.nfc-forum.org), a non-profit industry association that advances the use of Near Field Communication (NFC) technology, today announced the adoption and release of the Logical Link Control Protocol (LLCP) specification, which supports bi-directional communications between NFC-compliant devices. The organization also announced the new NFC Signature Record Type Definition (RTD) candidate specification, which defines how to digitally sign data records in NFC Data Exchange Format (NDEF) messages. Both specifications are available to the public for download at no charge at: http://www.nfc-forum.org/specs/.
The reason that I said I find this “puzzling” is that, as we discussed with many clients a couple of years ago, this particular standard provides the elements of a business model as well as a technical solution to a technical problem. Suppose you are, say, putting adverts in a shopping mall. You want shoppers to tap the ads to get info about special offers. Then you will need to add a digital signature to the tags. In order to do this, you will need to get a key that will be recognised by the shoppers’ handsets. Where do you get this key from? Clearly you are going to have to buy it from somebody. If the operators had any sense, they would have already organised this service so that advertisers and other would have a one-stop shop. YOu can imagine how this might work: I’m running a campaign so I got to the operators shop and buy a certificate that is valid for, say, a month. That certificate is signed by a key that is recognised by all of the operators’ handsets.
Of course I could always, as an advertiser, put out unsigned tags. But customers would have to specifically check the “please make me vulnerable to hacking” box on their handset, otherwise the handset would simply ignore all tags without a digital signature that it can resolve.
Simple. And great place for operators to get together and create an actual win-win proposition that advertisers will pay for and consumers will like. And, in fact, I’ve been involved in a number of discussions around this opportunity with operators and not much has happened. But why not? I’m beginning to imagine the gulf between business and technology in mobile operators to be an insurmountable barrier, and that I’m not capable of bridging it.
I say “digital signatures are an opportunity to develop a business model around tags and tagging while simultaneously enhancing safety and security for customers.”
The marketing guys hear “digital signatures blah blah blah”. Remember, they don’t know what a digital signature is.
The accounting guys say “how much incremental ARPU in years one to five?”.
I tell them that I haven’t the slightest idea. It’s an entirely new service. Advertisers have never known which actual advert customers looked at before and bad guys weren’t able to hijack peoples’ eyes before. So it’s new territory.
Then they say no thanks. Someone else will build this business (Apple? They seem to be getting all sorts of NFC-related patents at the moment) and then the operators will once again complain about being pipes. Is Tom Noyes right to say that
No one can orchestrate value in NFC. What is truly ironic is that as the carriers spend hundreds of millions of dollars on NFC and their walled garden strategy to “force control”, Apple and Google will be further ahead in coordinating value in new networks. This value delivery outside of the mobile network will further cement carriers roles as dumb pipes
What can we do to break the logjam! Are the operators doomed to hand digital identity over to OTT players without a fight!
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers