Mobile security is becoming a big deal for companies as more users bring in their own personal smartphones and tablets. A presentation at the recent Black Hat security conference detailed the latest threat those mobile devices might face.
In a presentation at Black Hat 2012, Accuvant Labs researcher Charlie Miller demonstrated how Near Field Communication (NFC) chips in smartphones can be exploited to steal data or take control of a device.
NFC is becoming a common feature in smartphones, largely to support mobile payments. It is a very short-range radio technology (a few centimetres) that lets a phone exchange data with another NFC-equipped device or read a passive NFC tag held against it.
And, as Miller’s presentation showed, the technology can be used for malicious purposes.
Miller demonstrated two different attacks targeting two smartphones: the Android-powered Samsung/Google Nexus S, and the Nokia N9, which runs the MeeGo operating system.
For the Nexus S, Miller showed how a custom-built NFC device can execute code on a nearby phone by exploiting multiple memory corruption bugs in the Gingerbread version of Android, at the time the most widely installed version of the OS. The phone has to parse whatever data a tag or device within range presents to it, and the bugs are in that parsing.
The newer version of Android, Ice Cream Sandwich, is also vulnerable to NFC-based attacks, Miller said, because of a new feature (Android Beam) that lets one device push a URL to another and have it opened in the browser without asking the user. An NFC device can therefore force a nearby phone to load an attacker-controlled web page, which turns any browser vulnerability into a proximity attack that can end with malware on the device.
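Both Android attacks start with the data the phone decodes from a tag or peer, which is carried in the NFC Forum's NDEF (NFC Data Exchange Format). As an added example (not code from the article or from Miller's talk), the Python below builds the single-record NDEF URI message that a Beam-style handoff opens in the browser, and parses messages with every length field checked against the buffer, which is the discipline a native NFC stack needs to avoid the kind of memory corruption bug described above. The record format and URI prefix codes are the NFC Forum's; the URL and the truncated input are constructed for the example.

```python
"""Bounds-checked NDEF parser and URI-record builder (added example, not from the article)."""
from dataclasses import dataclass
from typing import List, Optional

# NFC Forum URI Record Type Definition: the first payload byte selects a
# prefix that is prepended to the rest of the payload (0x00 = no prefix).
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01          # Type Name Format: NFC Forum well-known type


@dataclass
class NdefRecord:
    tnf: int
    type: bytes
    id: bytes
    payload: bytes


def parse_ndef(buf: bytes) -> List[NdefRecord]:
    """Parse an NDEF message; raise ValueError on truncation or a bad field.

    Every read goes through take(), so a record whose length fields claim
    more bytes than the buffer holds is rejected instead of read past.
    """
    records: List[NdefRecord] = []
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError(f"record claims {n} bytes at offset {pos}, "
                             f"only {len(buf) - pos} remain")
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    while pos < len(buf):
        hdr = take(1)[0]
        sr, il, tnf = bool(hdr & 0x10), bool(hdr & 0x08), hdr & 0x07
        if tnf == 0x07:
            raise ValueError("reserved TNF value")
        type_len = take(1)[0]
        # SR (short record) means a 1-byte payload length, else 4 bytes big-endian
        payload_len = take(1)[0] if sr else int.from_bytes(take(4), "big")
        id_len = take(1)[0] if il else 0
        rtype = take(type_len)
        rid = take(id_len)
        payload = take(payload_len)
        records.append(NdefRecord(tnf, rtype, rid, payload))
        if hdr & 0x40:          # ME flag: last record of the message
            break
    return records


def decode_uri(rec: NdefRecord) -> Optional[str]:
    """Return the URL a well-known 'U' record carries, or None for other records."""
    if rec.tnf != TNF_WELL_KNOWN or rec.type != b"U" or not rec.payload:
        return None
    code, rest = rec.payload[0], rec.payload[1:]
    if code not in URI_PREFIXES:
        raise ValueError(f"unknown URI prefix code {code:#x}")
    return URI_PREFIXES[code] + rest.decode("utf-8")


def build_uri_record(url: str) -> bytes:
    """Encode a one-record NDEF message: MB=ME=SR=1, TNF=well-known, type 'U'."""
    code, prefix = 0x00, ""
    for c, p in URI_PREFIXES.items():      # pick the longest matching prefix
        if p and url.startswith(p) and len(p) > len(prefix):
            code, prefix = c, p
    payload = bytes([code]) + url[len(prefix):].encode("utf-8")
    if len(payload) > 255:
        raise ValueError("short-record form only carries payloads up to 255 bytes")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


if __name__ == "__main__":
    # Constructed sample: what an attacker's tag or emulator might present.
    tag = build_uri_record("http://attacker.example/landing")
    print(tag.hex())
    (rec,) = parse_ndef(tag)
    print(decode_uri(rec))        # the URL the phone would hand to its browser
    try:
        parse_ndef(tag[:-5])      # truncated: the payload length now lies
    except ValueError as e:
        print("rejected:", e)
```

The truncated-message case is the one that matters for the Gingerbread bugs: the length fields are attacker-controlled, and a parser that trusts them reads or writes past its buffer.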
For the N9, Miller was able to use NFC to create a Bluetooth connection between the phone and his computer. From there, he was able to take control of the phone and force it to send text messages and make calls, or download files from the device.
Attacks like this won’t be common just yet, Miller said, but they might be in a few years when NFC is commonplace — if these and other vulnerabilities aren’t fixed before then.
Other mobile security threats highlighted
As mobile security is becoming a bigger issue, the topic got a lot of attention in other Black Hat presentations.
In addition to the growing threat of mobile malware, legitimate applications can also pose security risks, according to research presented at the conference by mobile security vendor Appthority.
For example, Appthority found that 70% of iOS apps can access the device's location data and 52% can read the user's contact list. In most cases that information isn't collected for malicious purposes, but that level of access increases the risk that it ends up in the wrong hands, whether through a careless developer or a compromised app.
Researchers are also discovering new ways to get malicious software onto smartphones. In another Black Hat presentation, security firm Trustwave demonstrated the method it used to sneak malware past Google Bouncer, the automated scanning Google uses to keep suspicious apps out of the official Android app store.
Prepare for the new risks
Beyond the new mobile security threats discussed at Black Hat, organizations are also finding themselves vulnerable to a growing number of risks, ranging from users accidentally downloading mobile malware to devices holding sensitive corporate data getting lost or stolen.
To minimize those risks, IT departments should come up with a mobile security plan and make sure:
- All company-owned smartphones and personal devices used for work are encrypted
- Policies blocking unapproved application downloads are enforced on devices that access the company’s network or data
- Devices are properly configured before they’re used for work, and
- Users are trained to avoid downloading suspicious or malicious apps.
For more information, read about the other security threats that made headlines at Black Hat 2012.