The iPhone 4S wasn't the only phone to fall at EUSecWest's Mobile Pwn2Own competition; the Samsung Galaxy S III did, too. All it took was holding two phones near each other, close, but not touching.
Imagine the hack in the following scenario: a pickpocket walking
around with a phone loaded with an attack file bumps into you. The
malicious phone comes in close proximity with your phone and easy as
that, the criminal has full control over all the information stored on
the device.
That's more or less what a team of researchers from MWR Labs
demonstrated when they beamed an exploit over a near field communication
(NFC) connection from one Samsung Galaxy S III phone to another during
the Mobile Pwn2Own competition in Amsterdam on Wednesday. When the
targeted phone opened the file, it allowed the researchers to download
all data from the Android smartphone, including text messages, pictures,
emails and contacts. They were also able to place a call to a premium
rate number or take photos with the phone's camera after the compromise.
"Through NFC it was possible to upload a malicious file to the
device, which allowed us to gain code execution on the device and
subsequently get full control over the device using a second
vulnerability for privilege escalation," MWR Labs wrote on the company blog.
Zero-Days in Samsung Galaxy Devices
Researchers launched the attack by holding two Galaxy S IIIs next to each other and
causing a file to be loaded onto the targeted device from the other
phone. Opening the file gives the remote attacker full control over the
phone, according to the team.
The exploit took advantage of two zero-day vulnerabilities, which
bypassed several Android security mitigations including the limited ASLR
(Address Space Layout Randomization) and DEP (Data Execution
Prevention). The first vulnerability was a memory corruption that gave
the team "limited control over the phone," the team wrote. The second
vulnerability escalated the attacker's privileges on the device and
undermined the application sandbox model.
The attack took advantage of a document viewer application installed
by default on Samsung Galaxy S II, S III, and some HTC devices. MWR Labs
said the attack succeeded because the implementation of various
security technologies was "incomplete" in Android version 4.0.4,
codenamed Ice Cream Sandwich. The security implementation is much
improved in Jelly Bean, or Android 4.1, so even though the zero-day
vulnerabilities are still present in the newer Android version, the
exploit does not succeed.
The vulnerability can be triggered by other methods, not just NFC.
The file can be loaded onto the user device by sending it as an email
attachment, for example.
NFC Attacks
The fact that the Galaxy S III was
compromised over NFC has scary implications, as it means attackers can
load the malicious file just by walking past or bumping into their
victims. The phones must be very close to each other to make the NFC
connection, but the connection itself can be brief.
Once the file has been loaded, the attacker can establish a Wi-Fi
connection to download information.
This NFC attack is reminiscent of this year's Black Hat demonstration by Charlie Miller,
a former Accuvant Labs researcher who recently joined Twitter. Miller
showed attendees how he could use NFC to open up images, contacts and
Web pages on the targeted device, all without notifying the user.
Data can be sent over short distances using NFC, and vendors are
experimenting with the technology for mobile payments. The protocol
would allow users to use their phones equipped with an NFC chip to pay
at the register. Google Wallet is one of the better known mobile payment
applications, but researchers uncovered some security flaws with Wallet earlier this year.