Ever since NFC appeared, I have been waiting for it to be used as the basis of an attack. I’m not particularly delighted to report that my concerns have been vindicated: security researchers at the EuSecWest conference in Amsterdam demonstrated an attack which allowed them to install any file onto a Samsung Galaxy S3 via NFC. The good news is that the exploit sounds pretty complex and had to be run 185 times before they were able to gain control of the device! Once they had control, they uploaded a version of the Mercury exploitation framework onto the device, which allowed them to perform a wide range of activities, including making premium rate calls and accessing SMS databases. You can read more about this attack at http://labs.mwrinfosecurity.com.nyud.net:8080/blog/2012/09/19/mobile-pwn2own-at-eusecwest-2012/
The Mercury assessment framework consists of a server component, an Android APK which must be installed on the target device (the researchers used the NFC exploit to install it), and a client. Once the server is installed, it is driven from the Mercury client, which is written in Python and provides a suite of tools to examine and potentially exploit an Android device.
Mercury provides tools to discover and interact with activities, services, broadcast receivers and content providers, which is pretty much every component of an Android application. In addition, there is a modules section containing a set of extension modules which perform (amongst other things) a set of known exploits and scans for weaknesses such as SQL injection. If all that is not enough, you can gain shell access. The client can connect to the server either over IP or over a USB cable, so the client does not need to be physically connected to the device.
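To make concrete the class of bug a content-provider SQL injection scanner such as Mercury's is looking for, here is an added example of my own (it is not code from the original post, from MWR or from Mercury) that models an Android ContentProvider.query(projection, selection, selectionArgs) in plain Python on top of SQLite. The notes and secrets tables, their rows and the token value are constructed for the demonstration, and probe() is my simplified error-based check, not Mercury's module. The hardened variant borrows the idea behind Android's SQLiteQueryBuilder strict mode: compile the caller's selection both as given and wrapped in parentheses, and reject it unless both forms are valid SQL.

```python
"""Content-provider SQL injection: the bug class a provider scanner hunts for.

Constructed model of an Android ContentProvider.query(projection, selection,
selectionArgs) on top of SQLite. Table names, rows and the token are made up.
"""
import sqlite3

ALLOWED_COLUMNS = ("_id", "title", "body")   # the provider's published contract


def _open_db():
    """In-memory database: the table the provider exposes, plus one it must not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes (title, body) VALUES (?, ?)",
                     [("Shopping list", "milk, eggs"), ("Meeting", "Thursday 10:00")])
    conn.execute("CREATE TABLE secrets (token TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('api-token-constructed')")   # constructed
    return conn


class VulnerableProvider:
    """query() splices the caller's projection and selection straight into SQL,
    which is the pattern behind most content-provider injection findings."""

    def __init__(self):
        self.conn = _open_db()

    def query(self, projection, selection, selection_args):
        cols = ", ".join(projection) if projection else "*"
        sql = f"SELECT {cols} FROM notes"
        if selection:
            sql += " WHERE " + selection            # caller-controlled SQL fragment
        return self.conn.execute(sql, tuple(selection_args or ())).fetchall()


class HardenedProvider:
    """Same contract with two checks: an allow-list for the projection, and the
    double compilation that Android's SQLiteQueryBuilder strict mode applies to
    the selection (once as given, once wrapped in parentheses). This stops clause
    breakouts (UNION, comment-out); it does not stop a well-formed subquery inside
    the expression, so data the caller may not see should not sit behind the
    same provider at all."""

    def __init__(self):
        self.conn = _open_db()

    def query(self, projection, selection, selection_args):
        cols = list(projection) if projection else list(ALLOWED_COLUMNS)
        for col in cols:
            if col not in ALLOWED_COLUMNS:
                raise ValueError(f"unknown column {col!r}")
        base = f"SELECT {', '.join(cols)} FROM notes"
        args = tuple(selection_args or ())
        if not selection:
            return self.conn.execute(base).fetchall()
        # A boolean expression stays valid SQL in both forms. A breakout does not:
        # "1=1 UNION SELECT ..." fails once wrapped, and
        # "1=1) UNION SELECT ... WHERE (1=1" fails when left as given.
        # EXPLAIN compiles the statement without running it, so nothing leaks.
        for clause in (f"({selection})", selection):
            try:
                self.conn.execute(f"EXPLAIN {base} WHERE {clause}", args)
            except sqlite3.Error as exc:
                raise ValueError(f"selection rejected: {exc}") from None
        return self.conn.execute(f"{base} WHERE {selection}", args).fetchall()


def probe(provider):
    """Error-based check in the spirit of a provider injection scanner (my own
    simplified version): a lone quote in a parameter that surfaces as a SQL
    error means that parameter reaches the engine unescaped."""
    findings = []
    for name, kwargs in (("projection", {"projection": ["'"], "selection": None}),
                         ("selection", {"projection": None, "selection": "'"})):
        try:
            provider.query(selection_args=None, **kwargs)
        except sqlite3.Error:
            findings.append(name)      # the SQL engine choked on our quote
        except ValueError:
            pass                       # rejected by the provider before the engine
    return findings


if __name__ == "__main__":
    vuln, hard = VulnerableProvider(), HardenedProvider()
    print("vulnerable:", probe(vuln))                          # ['projection', 'selection']
    print("hardened:  ", probe(hard))                          # []
    print(vuln.query(["* FROM secrets --"], None, None))       # [('api-token-constructed',)]
    print(hard.query(["title"], "_id = ?", (1,)))              # [('Shopping list',)]
```

The projection payload `* FROM secrets --` turns `SELECT <projection> FROM notes` into a read of a table the provider never meant to expose, and a selection of `1=1 UNION SELECT token, 1, 2 FROM secrets` does the same through the WHERE clause; the hardened version refuses both while still answering a legitimate `_id = ?` lookup with bound arguments.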
It’s worth playing with this tool for a few hours just to see how much control an attacker could gain over your device. In its vanilla form, they would either have to craft a clever attack such as the one demonstrated over NFC or use social engineering to get the Mercury server installed on a device. What, however, if they were simply to embed the server code in a popular free game? Every time the game was loaded, the attacker would have a chance to take control of the device!
To keep things balanced, it was not just Android exploits that were demonstrated at the conference. A group called Certified Secure managed to attack an iPhone 4S. They used a malicious web page to send the iPhone 4S’ address book, browsing history, photos and videos to a server of their choice. The attack did not require any action on the user’s part beyond visiting the hostile web page, and the exploit does not crash the browser, so the user would be completely unaware of the attack. The exploit is based on a flaw in the WebKit browser engine (used by Safari) and is assumed to be present in iOS 6 as well!
There seems little doubt that attacks on mobile devices are going to be a big problem over the coming years. If you are interested in learning how to mitigate the risk of these attacks, why not attend Learning Tree’s new course on the topic: Mobile Application and Device Security: Hands-On