Featured: Security Loophole discovered in NFC powered Android Beam, but it’s still Secure

July 28, 2012 - Written By Alexander Maxham

According to Charlie Miller, principal research analyst at Accuvant, there is a potential security loophole in the way NFC is used by Android Beam on devices running Android 4.0 or later. Basically, Android Beam allows a device's NFC chip to automatically open the phone's or tablet's web browser. But before you start to freak out too much, NFC is still very secure, and uncompromised.

It could turn into a serious problem because hackers could simply create an NFC sticker and place it over a legitimate one. When swiped, that sticker could send code to a device, allowing web-page-based exploits to be activated automatically. It doesn't even have to be a sticker: a discreet chip placed somewhere NFC phones are likely to be in use would do, such as an NFC-enabled cash register where you would use Google Wallet to pay.

Charlie Miller clarified by saying:

What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to. So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC.
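A tag of this kind carries nothing more than a URL, stored as a standard NFC Forum NDEF URI record, so the outcome depends on what the handling code does with it. The Python below is an added example, not code from the article, Miller or Android: it decodes such a record and returns open, ask or block rather than launching the browser unprompted. The allowlist, function names and sample tag bytes are constructed assumptions.

```python
from urllib.parse import urlsplit

# Prefix codes from the NFC Forum URI record definition (subset).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

def parse_ndef_uri(record: bytes) -> str:
    """Decode one short-format NDEF record holding a well-known 'U' (URI) payload."""
    if len(record) < 3:
        raise ValueError("record too short")
    header, type_len, payload_len = record[0], record[1], record[2]
    # 0x10 = short-record flag, 0x08 = ID-length-present flag.
    if not (header & 0x10) or (header & 0x08):
        raise ValueError("only short records without an ID field are handled")
    rtype = record[3:3 + type_len]
    payload = record[3 + type_len:3 + type_len + payload_len]
    if len(payload) != payload_len or payload_len < 1:
        raise ValueError("truncated payload")
    if (header & 0x07) != 0x01 or rtype != b"U":  # TNF 1 = well-known type
        raise ValueError("not a well-known URI record")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unhandled URI prefix code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def tag_decision(record: bytes, trusted_hosts: set) -> str:
    """Return 'open', 'ask' or 'block' instead of passing the URL straight to a browser."""
    try:
        parts = urlsplit(parse_ndef_uri(record))
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed record, bad UTF-8 or unparsable URL
        return "block"
    if not host or parts.scheme not in ("http", "https"):
        return "block"
    if parts.scheme == "https" and host in trusted_hosts:
        return "open"
    return "ask"  # unknown or plain-HTTP destination: require user confirmation

# Constructed sample tags (not captured from real stickers).
TRUSTED = {"www.example.com"}  # hypothetical allowlist
GOOD_TAG = bytes([0xD1, 0x01, 0x0D, 0x55, 0x02]) + b"example.com/"
SWAPPED_TAG = bytes([0xD1, 0x01, 0x14, 0x55, 0x03]) + b"unknown.example/pay"
```

With these samples, the allowlisted HTTPS tag is opened, while the replaced sticker pointing at an unknown host falls through to a user prompt.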

Miller also told Ars Technica that this security loophole appears on other devices not running Android, including the Nokia N9. But many Android devices currently on the market are affected by this Android Beam loophole, including the Samsung Galaxy S3, Samsung Galaxy Nexus, HTC EVO LTE, HTC One X and Sony's Xperia S, just to name a few. All of these devices are top sellers around the world.

As Charlie Miller said, NFC on your favorite Android device is still very secure, and uncompromised. But in theory it could be very easy to hack. How often do you use the NFC capabilities in your phone (Google Wallet, Android Beam, etc.)?

[Source: Ars Technica]