Charlie Miller has found new way how to forced a handset to visit websites seeded with attack software. The software on the booby-trapped websites allowed the hacker to look and steal all the data held on a device.
To demonstrate the process of the attack the expert used three separate phones: the Samsung Nexus S, the Google Galaxy Nexus – which both run Android – and the Nokia N9, which runs on the MeeGo system.
To hijack the devices the hacker wrote software to control a reader tag that works with NFC. As its name implies, NFC works when devices are brought close together or are placed near a reader chip, reports BBC.
“Code on the attacker-controlled chip or handset is beamed to the target phone over the air, then opens malicious files or webpages that exploit known vulnerabilities in a document reader or browser, or in some cases in the operating system itself,” explains tech news website Ars Technica.
Using the Nokia phone, Mr Miller showed how to abuse NFC and take total control of a target device, making it send texts or make calls, via the weaknesses exploited by his customised radio tag.
“[NFC] certainly increases the risk that something could go wrong,” Miller told reporters in an interview ahead of his Wednesday presentation. “It opens you up to a lot more than you would think.”
The specialist revealed that to successfully attack the Android-running handset they must support a particular version of the operating system, be unlocked and have their screen active.
“The fact that, without you doing anything, all of a sudden your browser is going to my website, is not ideal,” said Miller, who has spent five years demonstrating software flaws that allow hackers to take control of Macs, iPhones, and Android phones.
Nokia said it was aware of Miller’s research and added that it was “actively investigating” his claims of success against its N9 phone. It said it was not aware of anyone else abusing loopholes via NFC.
Near Field Communication technology is gaining its popularity as it is used in smartphones as as electronic tickets and digital wallets.
Miller went on, demonstrating how to use Bluetooth connections to access a smartphone’s system, while hacking expert Georg Wicherski attacked Android smartphones through the exploit of security flaw in the system’s browser.
“It’s obvious that hackers will always find new ways to attack your Android phone. But when it comes to security difference between Apple’s iOS and Google’s Android devices, hackers and security experts explain it is the frequency of the updates that is important,” writes The Daily Gossip.
“Google has added some great security features, but nobody has them” said March Maiffret with security firm BeyondTrust. Meanwhile, Apple Inc. provides their users with security updates for iOS based devices as soon as they are released.