root@ha3ks:~#

The NFC 'Exploit'


I have a quick thread on Twitter about this - LINK … but if you want the condensed version:

My understanding of the "NFC exploit" is that NFC is doing what it has always done. Very high level, I know, but NFC has always been about making something happen on a tap; when programmable tags came out I used them as check-in spots for Foursquare.

The fact that this programmability has been left mostly untouched for years isn't so much a CVE as it is just lazy engineering. Some people adopted NFC and love it, others aren't too fussed about it, and that's fine. The effective range of an attack is a few centimetres.

It was never going to be an all-powerful source of hacking. I used it to read my bus ticket back in the day and could have given myself free travel forever using it. Same with the card readers at laundromats, where you could give yourself free washing for life.

Part of what makes NFC interesting is the whole "you can program it to do whatever you want" aspect. Again, it's always been there; it's just that we used to program tags with apps on our phones, and now we can use better readers to do it from a computer.
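To make "programming a tag" concrete, here is an added example (mine, not code from the post or from any tag-writer app) that builds and parses the NDEF records a tag actually carries: a URI record, which the phone opens on tap, and an Android Application Record (AAR), which tells Android which app to launch. The URI prefix table is a subset of the NFC Forum identifier codes, only the short-record form is handled, and the "anything that is not plain http(s) is risky" rule at the end is a hypothetical policy I made up for the example, not something any reader app enforces.

```python
"""Build and parse the NDEF records a 'programmable' NFC tag carries.

Added example for this post, not the author's code. Covers NFC Forum NDEF
short-record form only; URI_PREFIXES is a subset of the spec's identifier
codes; tag_actions() applies a hypothetical policy of my own.
"""
from dataclasses import dataclass

# Subset of NFC Forum URI identifier codes (payload byte 0 of a 'U' record).
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
    0x1D: "file://",
}

TNF_WELL_KNOWN = 0x01   # NFC Forum well-known type ('U', 'T', ...)
TNF_EXTERNAL = 0x04     # external type, e.g. android.com:pkg
FLAG_MB, FLAG_ME, FLAG_SR, FLAG_IL = 0x80, 0x40, 0x10, 0x08


@dataclass
class Record:
    tnf: int
    rtype: bytes
    payload: bytes


def _short_record(tnf, rtype, payload, first, last):
    """Header byte: MB ME CF SR IL TNF(3 bits); then type length, payload length."""
    if len(payload) > 255:
        raise ValueError("short-record form only carries payloads up to 255 bytes")
    header = FLAG_SR | tnf | (FLAG_MB if first else 0) | (FLAG_ME if last else 0)
    return bytes([header, len(rtype), len(payload)]) + rtype + payload


def uri_record(uri, first=True, last=True):
    """Encode a URI with the longest matching prefix code, as a tag-writer app would."""
    code, prefix = max(
        ((c, p) for c, p in URI_PREFIXES.items() if p and uri.startswith(p)),
        key=lambda cp: len(cp[1]),
        default=(0x00, ""),
    )
    payload = bytes([code]) + uri[len(prefix):].encode()
    return _short_record(TNF_WELL_KNOWN, b"U", payload, first, last)


def aar_record(package, first=True, last=True):
    """Android Application Record: makes Android launch the named package on tap."""
    return _short_record(TNF_EXTERNAL, b"android.com:pkg", package.encode("ascii"), first, last)


def parse_message(data):
    """Walk a short-record NDEF message and return its records in order."""
    records, pos = [], 0
    while pos < len(data):
        header = data[pos]
        if not header & FLAG_SR:
            raise ValueError("long-record form not handled here")
        type_len, payload_len = data[pos + 1], data[pos + 2]
        pos += 3
        id_len = 0
        if header & FLAG_IL:
            id_len = data[pos]
            pos += 1
        rtype = data[pos:pos + type_len]
        pos += type_len + id_len          # skip the optional ID field
        payload = data[pos:pos + payload_len]
        pos += payload_len
        records.append(Record(header & 0x07, rtype, payload))
        if header & FLAG_ME:              # message end flag set: stop here
            break
    return records


def decode_uri(record):
    """Expand the prefix code back into the full URI string."""
    return URI_PREFIXES.get(record.payload[0], "") + record.payload[1:].decode()


def tag_actions(data):
    """List (kind, value, risky) for each record; plain http(s) is the only 'safe' kind.

    Hypothetical policy for this example: tel:/mailto:/file: URIs and AARs all
    make the phone do something other than open a web page, so they are flagged.
    """
    actions = []
    for rec in parse_message(data):
        if rec.tnf == TNF_WELL_KNOWN and rec.rtype == b"U":
            uri = decode_uri(rec)
            actions.append(("uri", uri, not uri.startswith(("http://", "https://"))))
        elif rec.tnf == TNF_EXTERNAL and rec.rtype == b"android.com:pkg":
            actions.append(("launch_app", rec.payload.decode("ascii"), True))
        else:
            actions.append(("unknown", rec.rtype.decode(errors="replace"), True))
    return actions


if __name__ == "__main__":
    # Constructed sample: a tel: URI followed by an AAR, the kind of two-record
    # message a tag-writer app produces when you ask it to "open app X on tap".
    msg = uri_record("tel:+15551234", last=False) + aar_record("com.example.app", first=False)
    print(msg.hex())
    for action in tag_actions(msg):
        print(action)
```

The point of the round trip is that the tag is inert data: the bytes above are all it holds, and everything "it does" is the reader's interpretation of those records. A reader that checks the record type and scheme before acting, as `tag_actions` does, is the only thing standing between a tap and whatever the URI or AAR asks for.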

As time went on it was only a matter of time before someone discovered that triggering "shortcut" code on Android was possible. ADB would need to be enabled on the device you are attacking, as the command to wipe is `adb shell recovery --wipe_data` or similar.

That's not a lot of code for what it's doing, which is factory resetting the device. It's not a bug per se; it's more of an annoyance for the person you are attacking, because now they have to sit through phone setup and restore from the cloud or whatever.

All I can say with my limited Android faffing (read: I helped root the HTC Dream back in the day and have rooted every Droid I have owned since) is that I am surprised it took this long. To me, it's on the same level as the guy who got a CVE for default credentials on the Raspberry Pi.

Yeah, it's a pretty glaringly obvious thing, but it's not something that affects everyone, and in this case it requires a very specific set of circumstances to trigger: an ADB-enabled phone, NFC turned on, and an attacker practically close enough to lick the device.


I don't have any sponsors or anything, but if you enjoy my work, or feel sympathy for my wife, I have set up a Ko-Fi account as well as a BuyMeACoffee that people can donate to.