NFC is the newest explosion in the wireless technology scene. At one point, wireless phone usage was a huge deal. Then the years passed by and we saw cool advancements in wireless Internet, then Bluetooth, and more. NFC, which stands for near-field communication, is the next evolution and is already a core feature in some of the newer smartphone models like the Nexus 4 and Samsung Galaxy S4. But as with all technologies, NFC comes with its own set of risks.
If you want to take advantage of NFC, don’t be alarmed. Every piece of technology has inherent risks, especially if that technology is related to networking. However, just because your email can be hacked does not mean you should avoid using email. In the same way, just because NFC isn’t entirely secure doesn’t mean you should shun it. It does mean that you need to be more careful. Here are some security risks you should be looking out for.
How Does NFC Work?
The first thing you need to understand is how NFC works. NFC is a powerful wireless connection between multiple devices that requires an extremely short distance between the devices – in fact, NFC will not work if the devices are farther than a few centimeters apart. Devices must be NFC-compatible, meaning they must be equipped with an NFC chip and antenna.
The extremely short distance might seem useless, but it turns out to have some surprisingly useful functions. In essence, the technology allows you to “bump” your smartphone with other NFC devices – such as parking meters, cash registers, or even other smartphones – for a quick exchange of information in scenarios that require the physical presence of your device. Indeed, there are plenty of useful ways to make use of NFC technology, such as in the form of a digital wallet.
It might seem like it would be impossible for a malicious third party to interfere with such a close-ranged interaction, but you’d be surprised. If you’d like a deeper explanation of NFC, check out James’s article on NFC and whether or not you should want it.
NFC Risk #1: Data Tampering
A malicious user can tamper with the data being transmitted between two NFC devices if they are within range. The most common form of data tampering is data corruption, also known as data disruption or data destruction.
Data corruption occurs when a third party attempts to corrupt the data being transmitted between devices. This works by flooding the communication channel with abnormal or invalid information, ultimately blocking the channel and making the original message impossible to read properly. Unfortunately, there is no way to prevent an attempt at destroying NFC data, though it can be detected.
NFC Risk #2: Data Interception
Data interception occurs when a malicious user intercepts the data between two NFC devices. Once the data has been intercepted, the malicious user can either: 1) passively record the data and pass it on to the receiver untampered; 2) relay the information to an unintended receiver; or 3) modify the information so the actual receiver receives incorrect data. The first is also known as “eavesdropping”.
These data interception occurrences are known as man-in-the-middle attacks because there’s an interfering device between two legitimate devices. These types of attacks are frightening because malicious users can steal sensitive data, but man-in-the-middle attacks are difficult to execute due to the short distance requirements for NFC. Encryption and a secure communication channel can help mitigate data interception attempts.
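The sketch below is an added example, not code from the original article: it shows how an application exchanging data over NFC can detect both the corrupted data described under Risk #1 and the modified data described under Risk #2 by attaching an HMAC to every message. The frame layout, the shared key, the message counter, and the names `seal`, `Receiver` and `classify` are assumptions made for illustration; the sketch covers integrity only, so it does not hide the payload from an eavesdropper and does not stop a relay.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte counter || payload || HMAC tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: accepts a frame only if it is intact and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; fails on corruption or modification.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        (counter,) = struct.unpack(">Q", body[:8])
        # A recorded frame presented again carries an old counter.
        if counter <= self.last_counter:
            raise ValueError("stale or repeated frame")
        self.last_counter = counter
        return body[8:]


def classify(receiver: Receiver, frame: bytes) -> str:
    """Return 'ok' or the reason the frame was rejected."""
    try:
        receiver.open(frame)
        return "ok"
    except ValueError as err:
        return str(err)


# Constructed sample data: the key and the payload are made up.
KEY = bytes(range(32))
FRAME = seal(KEY, 1, b"pay 4.50 to meter 17")
```
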
NFC Risk #3: Mobile Malware
NFC devices suffer from a risk of downloading malware or otherwise unwanted applications without the device owners knowing. If the NFC device gets close enough to another NFC device, a connection could be made and malware downloaded. This malware could then sniff your device for sensitive data – such as credit card numbers, bank numbers, passwords, etc. – and send them to the attacker over the web or back through the NFC channel if the devices are still within range.
Along similar lines, Android Beam (which, to be clear, is not malware in and of itself) can be used to perform these malware transfers. With Android Beam, devices are not required to confirm transfers. Furthermore, devices will run downloaded applications automatically. This may be changed in the future, but for now, it poses a serious risk for accidental NFC bumps.
As time goes on, NFC technology will continue to evolve. Perhaps some of these risks may be done away with completely, or maybe other vulnerabilities will surface as the technology achieves widespread usage. But one thing remains certain: NFC is not free from risk and the best way to protect yourself is to know what those risks are.
Do you use NFC? Have you had an experience with bad NFC security? Please share your thoughts with us in the comments!