Exploit beamed via NFC to hack Samsung Galaxy S3 (Android 4.0.4)

Summary: Using a pair of zero day vulnerabilities, a team of security researchers from U.K.-based MWR Labs hacked into a Samsung Galaxy S3 phone running Android 4.0.4 by beaming an exploit via NFC.

Photo: The MWR Labs hacking team. L-R: Nils, Jon Butler, Tyrone Erasmus and Jacques Louw.

AMSTERDAM -- Using a pair of zero day vulnerabilities, a team of security researchers from U.K.-based MWR Labs hacked into a Samsung Galaxy S3 phone running Android 4.0.4 by beaming an exploit via NFC (Near Field Communications).

The team -- Tyrone Erasmus, Jacques Louw, Jon Butler and Nils (yes, that Nils) -- carted off a $30,000 cash prize as part of the EuSecWest mobile Pwn2Own hacker contest.

According to Erasmus, the exploit was delivered via NFC, the short-range wireless technology that allows the sharing of small payloads of data between an NFC tag and an Android-powered device. The hackers exploited a weakness in the way NFC is implemented in the Galaxy S3 to deliver a malicious file that was automatically opened by the Android document viewer.

Once the file opened, the team exploited a zero-day flaw in the document viewer to launch a code execution attack.  A second Android privilege escalation vulnerability, also zero-day, was then used to get full rights on the device.

[ SEE: Mobile Pwn2Own: iPhone 4S hacked by Dutch team]

With escalated rights, the team had access to all the data on the Samsung S3, including the e-mail and SMS databases, the address book, the photo gallery and access to third-party app data.

"We can do anything on the phone with our Trojan running in the background," Erasmus said in an interview after the successful hack.  "The user is oblivious to it because NFC allows us to open the malicious document without any user interaction."

Although the MWR team used NFC to deliver the exploit, Erasmus warned that the same vulnerability could be exploited in drive-by downloads via malicious websites or via rigged e-mail attachments. 

He said the winning exploit bypassed several Android security mitigations, including the limited ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). Once the mitigations were bypassed, Erasmus and his team installed a customized version of an Android pen-testing framework called Mercury.

With Mercury, the mobile equivalent of Metasploit, the team could exfiltrate user data from the device to a remote listener, including dumping the SMS and contact databases, placing a call to a premium rate number or even taking snapshots with the phone's camera.

According to Nils, who is best known for his work hacking into IE, Safari and Firefox at Pwn2Own 2009, the anti-exploit mitigations built into Android 4.0.4 are somewhat trivial to bypass. He specifically pointed to the "incomplete" ASLR implementation that doesn't cover the Android linker and another process that is responsible for starting applications on the device.
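The "incomplete ASLR" point above is something a defender can verify on their own device image rather than take on trust: launch the same process several times, capture its memory map each time, and see which mapped objects never move. The following script is an added example (not code from MWR Labs or from the article) that does that comparison over /proc/PID/maps snapshots; the two snapshots embedded in it are constructed sample data with made-up addresses, and the library name libfoo.so is hypothetical.

```python
import re
from collections import defaultdict

# Constructed /proc/<pid>/maps excerpts from two launches of the same
# hypothetical process. Addresses are invented for illustration only.
RUN_A = """\
400a1000-400a5000 r-xp 00000000 b3:0c 101 /system/lib/libfoo.so
40103000-40130000 r-xp 00000000 b3:0c 102 /system/lib/libc.so
b0001000-b0010000 r-xp 00000000 b3:0c 100 /system/bin/linker
b0015000-b0020000 rw-p 00000000 00:00 0 [heap]
be8c0000-be8e1000 rw-p 00000000 00:00 0 [stack]
"""

RUN_B = """\
402f1000-402f5000 r-xp 00000000 b3:0c 101 /system/lib/libfoo.so
40352000-4037f000 r-xp 00000000 b3:0c 102 /system/lib/libc.so
b0001000-b0010000 r-xp 00000000 b3:0c 100 /system/bin/linker
b0015000-b0020000 rw-p 00000000 00:00 0 [heap]
bee10000-bee31000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


def parse_maps(text):
    """Return {object_name: lowest mapped start address} for one snapshot.
    Anonymous mappings (no pathname) are skipped."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), m.group(7).strip()
        if not name:
            continue
        bases[name] = min(start, bases.get(name, start))
    return bases


def aslr_coverage(snapshots):
    """Given maps snapshots from repeated launches, report per object whether
    its base address differed between runs. False means it never moved."""
    seen = defaultdict(set)
    for snap in snapshots:
        for name, base in parse_maps(snap).items():
            seen[name].add(base)
    return {name: len(bases) > 1 for name, bases in seen.items()}


def unrandomized(snapshots):
    """Sorted names of objects whose base was identical in every snapshot."""
    return sorted(n for n, moved in aslr_coverage(snapshots).items() if not moved)


if __name__ == "__main__":
    for name, moved in sorted(aslr_coverage([RUN_A, RUN_B]).items()):
        print(f"{name:28} {'randomized' if moved else 'FIXED base'}")
```

On the constructed data the linker and the heap come back with a fixed base while libc, libfoo.so and the stack move, which is the pattern the article attributes to Android 4.0.4. Two launches is a thin sample; on a real device collect a dozen or more snapshots (for example with `adb shell cat /proc/PID/maps` after each restart) before concluding that a region is genuinely unrandomized rather than merely coincident.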

He said other protections which would make exploitation harder were missing. Nils said Google is due to beef up the mitigations in Android 4.1, codenamed Jelly Bean.

Although the vulnerability exists as zero-day across all Android platforms, including version 4.1, Nils said the exploit won't work on Jelly Bean because of the improved mitigations. 

MWR Labs plans to release a public version of the customized Mercury app in its next release. The team will also release fuzzing modules to help researchers pinpoint vulnerabilities in the Android code.

Talkback

32 comments
  • Wait!

    NFC is the hot piece of tech to have - all of the bloggers say so! Why that's the reason why some of them would never consider an iPhone 5!
    athynz
    • Hardly surprising you would be the first to comment

      According to your logic, Apple should get rid of wifi because there are wifi exploits.

      PS http://www.zdnet.com/mobile-pwn2own-iphone-4s-hacked-by-dutch-team-7000004498/

      Now yes, you might come back with "but they said iPhone security is great" and you would be right. Still, there ARE exploits that CAN penetrate iOS but iPhone is STILL the "hot piece of tech to have - all of the bloggers say so", right? NFC is the hot piece of tech to have AND it has zero day exploits, these are not mutually exclusive concepts.
      toddbottom3
      • However

        Nice link, I hadn't seen that yet. Good stuff.

        However, I point to this paragraph:

        "We really wanted to show that it is possible, limited time, with limited resources, to exploit the hardest target. That's the big message. No one should be doing anything of value on their mobile phone," Pol said

        The message, that no one should be doing anything of value on their mobile. I guess in that case if you use NFC for anything other than payments (or any kind of transaction you wish to be secure), that's fine... I would definitely consider payments as something of value. And I believe that's what everyone is so hyped on NFC for, mostly at least. Right?
        tk_77
        • I didn't say I agreed with their conclusion

          And I don't, I don't agree that consumers shouldn't do anything of "value" on their mobile phones. I think corporations should be much more careful because the dollar amounts are much bigger but I think that using a smartphone on a personal level is as safe as giving your credit card to the waitress, having her take it away, and then bringing it back with a bill for you to sign. And yes, I use that example PRECISELY because some people refuse to do that, as is their privilege. I'm not paranoid, which doesn't mean I won't be hit, it only means that I'm not going to expend the energy required to be paranoid about something that has a very small chance of happening and where I have a pretty big chance of getting my money back if something does happen.

          If Apple didn't include NFC for safety reasons, they wouldn't have included Passbook. Apple doesn't care about our safety, Apple just wants to leave NFC out of the iPhone 5 so when they release the iPhone 5S, they can say "WOW NOW WITH NFC THIS IS THE BEST FEATURE EVER AND APPLE INVENTED IT".
          toddbottom3
          • Typical Toddy!

            His credit card analogy falls far short as usual. He uses the example PRECISELY because it's easy in his twisted world. The better analogy is to have a random stranger at some point during the week steal your identity, credit cards, debit card, savings account, address book, stocks, and perhaps your retirement without your knowledge. With that type of incentive, the likelihood of it happening is far greater than he could ever realize. I just hope that it happens to him . . .

            Don't be an idiot like Toddy, don't use your phone for anything that you value!
            Gr8Music
          • Do you have stats? I do

            http://www.lifelockblog.com/archive/the-main-causes-of-identity-theft-and-some-important-identity-theft-protection-tips/

            I found this one interesting:
            "About half of all identity fraud is committed by people close to the victim. Friends, family members, relatives, employees, and caregivers all have access to private information like personnel records, employment details, insurance policies and account numbers."

            So what Gr8Music is telling us is to be truly safe, one needs to get rid of all their friends and family. You know, to be truly safe.

            The intelligent person does a risk / benefit analysis and concludes "I'm comfortable with x amount of risk since it brings me x+n amount of benefit". You don't eliminate all things with risk greater than 0.
            toddbottom3
          • RE: "...to be truly safe, one needs to get rid of all their friends and fam

            You must be extremely safe then :-)
            non-biased
      • Hardly surprising you would be the first to comment on the first comment

        Your logic came to a screeching halt once I saw the toddbottom3 moniker...
        Jouten
    • Just because it's been hacked, doesn't mean it will happen to you

      There is a higher chance of you getting hit by lightning than getting hacked via the NFC. No "hacker" is going to walk around a busy shopping mall beaming away exploits to other people's smartphones.

      Windows and Mac OS have both been hacked several times by hackers. Does not mean we are going to stop using them?

      Stop trolling.
      Ray07
      • Of course not...

        Because nobody walks around busy shopping malls getting close enough to people to do something malicious, you know, like pickpockets or all the pervs who do the upskirt photos do. I guess that's just too risky to ever consider doing. Certainly, the phrase evil twin was created not because hackers setup imposter hotspots, but just so the act would have a name in case anybody ever did.

        In all seriousness, who says a hacker has to be walking around. Take the convenience store example. Currently at my local convenience store, they have credit card and touch displays at the check out counter, surrounded by boxes of Slim Jims and candy bars. How hard would it be to slip a phone in one of those boxes and let it beam away all day long?

        I'm not suggesting to throw the baby out with the bath water here, nor am I picking on NFC/Samsung/Android, as all platforms have been proven to have vulnerabilities. What I am saying is there are bad people in this world who will try to leverage any exploit available to them, whether it be NFC, Bluetooth, WiFi, etc. NFC is no exception, and will become more of a target as it becomes more commonplace, as with any technology. Is there a high probability of you personally being hacked via NFC? Probably not, but that doesn't mean users shouldn't be aware of the risks and be vigilant.

        Personally, I can see NFC being exploited specifically for targeted attacks. Paparazzi wants to get some scoop on this week's version of Paris Hilton? What better way than to hack their phone? Text messages, personal pics and videos, e-mails, contacts, calendars, etc. are a gold mine to the paparazzi. These guys get close access to celebs as it is, so which is easier, getting close enough to beam an exploit or trying to get them to download a malicious app or visit a malicious website? And let's face it, these guys aren't the most upstanding individuals in the world.
        TroyMcClure
    • It's true

      If the other person has NFC on, and you're less than 8 inches away from them, you can beam them a package that will allow you to hack their phone. Actually, that's the max range. I doubt most phones are going to implement that. Can somebody figure out what the range of the S3 is when it comes to NFC?

      I know that the Galaxy Nexus has an effective range of roughly 2cm (or less than an inch).
      Michael Alan Goff
      • Edit

        I was wrong, apparently it can be up to 4cm away!

        Yep, so easy to exploit.
        Michael Alan Goff
        • What's to stop

          the merchant end from abusing it - huh?
          12312332123
          • What's to stop a guy from abusing your credit card?

            Pretty much nothing, for both.
            Michael Alan Goff
          • Credit cards

            have an additional security code check. It's either chip+PIN, CVV code, or online it is challenge authentication. In addition they have fraud protection built into the service charges. NFC is just 'bump' and you're paid. Big difference.
            12312332123
          • Wait, you're talking online?

            Every time I use my credit card, or more accurately when I did, here's what I did in the real world. I signed my name.

            Here's what you have to do to use somebody's Google Wallet account. 1) Unlock their phone. This is harder if they have a passcode or facial unlock 2) Know their pin 3) Bump.

            It's hardly just bump and win.
            Michael Alan Goff
        • Easier than you think...

          Again, how close does a pickpocket have to get to pull a wallet out of a purse or your pocket? They actually have to make physical contact. Yet, pickpockets exist, and so will NFC hacking in the wild as NFC becomes more common.
          TroyMcClure
    • You can turn NFC off on S3

      How do you turn NFC off on iPhone 5?
      Oh wait, you can't even turn it ON!
      warboat
    • The idea of using

      my mobile phone to make payments is to me as crazy as - the cloud, as the domination of plaything mobile operating systems, the facebook IPO, reality tv, the top 40, 'social' media, etc.

      Let's face it, the world is just nuts at the moment.....
      12312332123
      • Funny thing about everyone defending Apple's NFC decision

        There are 400 million credit cards on file at Apple HQ, many of those people using a mobile device to make payments for things.

        Nuts.
        toddbottom3