Galaxy S III hacked using NFC at Mobile Pwn2Own hacking contest

Posted Sep 19, 2012 at 12:39 pm in Threads > Smartphones & Tablets

http://www.computerworlduk.com/news/security/3382231/galaxy-s-iii-hacked-using-nfc-at-mobile-pwn2own-hacking-contest/

“Attackers can take full control of a Samsung Galaxy S III smartphone just by holding devices close together, researchers demonstrated”

  • Mix

    As long as you don’t accept hugs or inappropriate butt to butt touching from random strangers or download fishy files you should be fine…lol

    Still that is kind of crazy that they can pretty much take over your phone through NFC and they said that the phone need only touch for a brief second, still, wouldn’t one need to accept the transfer before accepting the file?

    I have never used NFC.

    • http://androidandme.com Taylor Wimberly

      NFC actually works without touching devices. I have tested this with the two Galaxy S IIIs and you can make a connection with the devices about an inch apart.

      • 4n1m4l

        And the screen has to be on, which most aren’t when in pocket.

    • http://ArtisticAbode.com BetterWithRoot

      I imagine this to be done by placing the phone in your pocket and going into a crowded area. If you bump into someone you got their data. craziness. No one is going to notice a little brush of bodies when so tightly packed. A concert would be a good place to exploit this attack. You know who has a phone and what kind from the pictures and video they take of the venue. They slide their GS3/2 back into their pocket and voila, bump and go. Just like a wallet swipe. Hell you could even say something like, “Is that a GS3? I love mine. Phone high-five” *phones touch;data captured*

      Awesome link by the way Taylor! I love reading about securities.

      • Mix

        So you don’t need to accept something or allow for data to be transferred between phones? They just have to be close to each other with one person initiating the file transfer?

        That is kind of sketchy.

        • http://ArtisticAbode.com BetterWithRoot

          My guess is that it’s because NFC is turned on by default or something along those lines. I am not sure how this trickery works exactly.

          • Alexander drzfr3shboialex

            You need to send on the current phone and accept in the other, its not as insecure as you think :)

          • Teebor

            NFC is off by default as I have never interacted with any NFC options on my S3 until yesterday and I found that I both had to turn on NFC AND download an app to make it work.. Also I had to enable S Beam seperately

        • herbivore83

          You can enable/disable NFC, so if you leave it on you are vulnerable to attack!

  • jim

    Well.looking at the mwr site they used nfc to drop a malicious file. So it could be Emailed also…cant it??

    • koorsr

      In one of the links I remember reading that they choose NFC for showmanship. It could happen through email or be downloaded through the Internet.

  • iPhone Guy

    SucK it u moron fandroids i hope viruses kill all ur phones

    • NexusUser

      Oh iPhone Guy :D Are you jealous oft NFC? :P

  • txbluesman

    IPhone guy, how did you get to this site, Apple Maps?

  • http://www.jaxidian.org/update/ jaxidian

    My understanding is that this attack has absolutely nothing to do with NFC itself. I think this attack vector requires you to purposefully accept an NFC file transfer and then run that file (an apk?) before you can be infected. Much like you would have to download an apk then run it or be emailed an apk then run it. There isn’t necessarily an NFC vulnerability here. They’re just saying you can download an infected file via NFC. Perhaps the other person’s system could already be infected and they think they’re sending you CoolWallpapers.apk (or HotChick.jpg) when in fact they really send you DirtyLittleVirus.apk. Once you run DirtyLittleVirus.apk, it uses OTHER vulnerabilities to essentially gain Root access and do big bad nasty things.

    Long story short, I think “NFC” was just thrown into this story for no reason other than to get more media attention as “The First NFC Infection” or whatever.

  • tom

    How you guys doing androidandme.com is a great website. anyone ells like hacking?
    come visit http://www.meltdownsoftware.com best website ever

  • bill

    Nice website androidandme.com is a good site. hope there are alot of girls on here.
    stop by http://www.meltdownsoftware.com one of the fastest groving forums

  • TrufelOne

    I agree