By the end of the year, roughly 100 million smartphones will be equipped with NFC chips. In London, contactless payment with NFC was tested at the Olympic Games, and various pilot projects are under way in Austria. In addition to companies like Visa and MasterCard, the IT giants are also experimenting with the wallet on the mobile phone. Google introduced an app for android smartphones on the US market, Google Wallet, which conveniently turns the phone into a virtual payment tool. But how secure is NFC on the mobile phone? An Austrian security researcher at the Hagenberg University of Applied Sciences recently found a flaw in Google Wallet. This made it possible for someone else to use the mobile credit card to make a payment over the Internet.
Michael Roland, an employee at the NFC Research Lab, developed a device for this that emulates a chip card. "All queries that come from the reader are transmitted to a mobile phone over the Internet in real time. Spyware is installed on the phone that forwards the query to the credit card. The reply is then sent from the credit card back to the reader in real time using the card emulator," said Roland, explaining the exact method of his hack, which an attacker could – theoretically – use to pay with someone else`s credit card. In reality, Roland made no payments with someone else`s credit card, but reported the flaw directly to Google.
Inducted into the Google "Hall of Fame"
"At first, I had trouble finding the right contact person at Google. But once I was directed to the right people, Google reacted quickly and fixed the flaw," explained Roland in an interview with futurezone at the NFC Congress in Hagenberg. So now, it is no longer possible to access someone else`s Google Wallet over the Internet, provided that the smartphone is updated regularly. The flaw has already been repaired in all new installations of Google Wallet. Because the researcher from Hagenberg also played a major role in developing the remedy for the flaw, he was inducted into the Google "Hall of Fame" for security. This is a "huge honor" for the researcher. Roland has not published his research in a blog, however. "I`m not a Web 2.0 user," he said, smiling.
But this has not solved all security problems. Google has already had problems with the security of Wallet in the past, and was forced to temporarily suspend the ability to pay with prepaid cards because it was relatively easy to access the credit on a smartphone without a display lock. When you reset the Wallet data, you could assign a new PIN without entering the old PIN and then access the credit. This flaw has also already been corrected. But such security problems do not inspire a great deal of confidence, even if they can be corrected relatively quickly, and could slow acceptance on the market.
"The phone is also a weakness"
"The mobile phone is simply another weak point," explained Roland. "It was assumed that the microchips are secure and protected against manipulation. Even if you actually open the chip, you cannot access any of the data. But when you install a chip in an NFC telephone and can access it through an app or externally, this opens up a series of new possibilities for an attacker," said the researcher, who is investigating the security risks of NFC smartphones for his dissertation.
Conventional credit cards with the NFC function (for example from Visa and MasterCard) are "fairly secure", unlike NFC smartphones, Roland said. "But they have the problem that the credit card number and expiration date can be read out. This information is unfortunately enough to make purchases on some online shops, without entering the card security code", noted Roland. This can be remedied with special NFC protective films, which prevent the card from being read by unauthorized parties.
Security standard for NFC tags in the works
Security flaws turn up with NFC smartphones time and again even aside from Google Wallet. At the Black Hat in Las Vegas, for example, security expert Charlie Miller showed how hacked NFC tags can be employed to infect smartphones with malicious code without the phone user taking any action, using both Android and Nokia smartphones ( futurezone reported ). Roland is also researching this subject at the NFC Research Lab. "The NFC Forum issued a standard that can be used to protect NFC tags against manipulation. But it included an error that made the standard completely ineffective. That was what motivated me to focus on the security aspect in my work. I was interested in developing a solution for this problem," explained Roland.
This modified standard with Roland`s solution for protecting smartphones against the manipulation of NFC tags is currently in the "academic realm," but as soon as the specification is actually published, Roland claims "there will definitely be mobile phone manufacturers that implement the standard on their devices." The first will be Research In Motion, said Roland, because the BlackBerry manufacturer is active in the NFC Forum.
Reusing public transportation tickets
Last week, the researchers Corey Benninger and Max Sobell from the USA revealed another security flaw that allows used public transportation tickets in New Jersey and San Francisco to be reloaded with an NFC-capable Android smartphone. The public transportation system saves the information specifying how many trips can still be taken after the ticket is used directly on the NFC chip. With an app that they programmed, the researchers can restore the original state on the chip after a ticket has been used. This made it possible to use the ticket again. The flaw has not yet been fixed.
"Security is not static, but changes constantly. So you have to look for detailed solutions for each problem individually," said Roland. The University of Applied Sciences Upper Austria has initiated a research project that will deal solely with security for NFC smartphones. "There is certainly still much to be done here."