How Does A Drive-By NFC Hack Work?

Joel Lee 19-08-2014

Remember the security dangers of using your phone’s NFC features Using NFC? 3 Security Risks To Be Aware Of NFC, which stands for near-field communication, is the next evolution and is already a core feature in some of the newer smartphone models like the Nexus 4 and Samsung Galaxy S4. But as with all... Read More ? It’s been a few years since NFC gained in popularity and Android phone makers, especially Samsung, continue to push the technology with each new model. Yes, there are many wonderful uses for NFC Feel Like a Billionaire With the Latest Uses for Android NFC Technology Did you know Near Field Communication technology powers Bill Gates's techno-utopian Xanadu 2.0 mansion? Visitors to the Gates' estate receive a wearable NFC tag, which comes programmed with the visitors' climatic and aural preferences. Upon... Read More , but they all come with a price. Consider the drive-by mobile attack. Are you at risk? Have you been compromised? It’s possible if you use NFC regularly.


For those who are unfamiliar, NFC stands for near-field communication. It’s a newer type of wireless communication utilized mostly by smartphones in order to perform quick data transfers between NFC-tagged devices. Coloquially, phones are “bumped” or “swiped” together. As the name indicates, it’s an extremely short-range wireless band so devices need to be within centimeters of each other to establish a connection.

The required closeness of devices might make NFC seem safe to use, but the drive-by NFC hack proves that close proximity isn’t enough to protect against the malicious.

NFC Is NOT Secure

NFC was designed to be a connection of convenience, not security. How so? Well, NFC requires you to bump, tap, or swipe an NFC-capable device (e.g., phone) against an NFC-capable reader (e.g., another phone). As long as both devices are NFC-capable and that they are within the NFC wireless range, the connection is valid. As far as the NFC protocol is concerned, the close distance is all that’s necessary for a valid transfer.


Can you see the weakness? No password or credential requirements! NFC connections are established automatically and do not require any form of login or password entry in the way that WiFi does. This has the potential for some real problems since anyone can establish an NFC connection with your device as long as they get close enough. Imagine if you bumped up against a virus-infected NFC device? It would only take one bump for you to catch it.

NFC can be made secure at the application layer by implementing secure channels or by requiring credentials, but NFC as a protocol itself is not secure at all. And despite the close-proximity requirements for an NFC connection to trigger, unwanted bumps do occur. Sometimes, even a well-intentioned bump (such as when paying with Google Wallet) can result in a disaster.

Basics of An NFC Hack

What is an NFC hack, anyway? Why is this particular form of wireless connection so vulnerable?

It has to do with the way that NFC is implemented on particular devices. Because NFC is a connection based on convenience, and because there aren’t many security checks in place, a bump could end up uploading a virus or malware or some other malicious file to the bumped device. And if the NFC implementation is insecure, that file could be automatically opened by the device.

Imagine if your computer automatically opened any file that it downloaded off the Internet. All it would take is one mistaken click on a bad link for your computer to auto-install malware. The concept is similar for NFC.


With these malicious apps running in the background, your phone could be secretly forwarding bank PINs and credit card numbers to an unauthorized person somewhere across the world. A virus might open up other vulnerabilities, allowing the malicious user full privileges to your device to read your email, texts, photos, and third-party app data.

The crux of the issue is that NFC transfers can be executed without the user even knowing a transfer is in progress. If someone could figure out a way to hide NFC tags in inconspicuous places where phones are likely to bump up against, they could upload malicious data onto NFC-enabled devices without people even realizing it. Hacker group, Wall of Sheep, proved this with NFC-tagged posters and buttons.

Or think about the next time you bump your phone to make a payment using NFC. In the same way that ATM security can be compromised How to Spot a Compromised ATM & What You Should Do Next Read More , it’s possible for an NFC payment reader to be tampered with in such a way as to upload malicious data every time someone makes payment.

Think about the next time you’re in a crowded place, e.g., public transportation station, street performances, amusement parks. Instead of someone physically picking your pocket, they could simply bump up against you with their malicious NFC device.

How to Protect Yourself Against NFC Hacks

Keeping yourself protected against NFC vulnerabilities is easy: don’t use NFC until more testing is done and experts figure out how to patch security holes. However, if you really love NFC and want to adopt it right away, there are a few steps you can take to safeguard yourself.

Compartmentalize your sensitive accounts. If you use your NFC device for, say, quickly making payments through Google Wallet, then one way to stay safe is to have a separate account just for NFC. That way, if your phone is ever compromised and your Google Wallet information is stolen, it will be the dummy account that’s stolen rather than your main account.


Turn off NFC when you aren’t using it. This prevents accidental bumps from delivering unwanted programs and malware to your device. You may not think your phone gets within bump-range of many devices throughout the day, but you’d be surprised, especially if you find yourself in crowds a lot.

Routinely check your device for malware, especially after you’ve used NFC. It may or may not be possible to fully prevent NFC hacks, but if you catch them before they do much damage, that will be better than not catching them at all. If you find anything suspicious, change your important passwords and security credentials right away.

Final Thoughts

NFC is a new technology and NFC hack attacks are just the tip of the iceberg. But here’s the bottom line: yes, the technology that drives NFC has some risks, but so do all technologies. The proper response to this fact is to research those risks, weigh those risks against the rewards, learn how to protect yourself against a risk-turned-disaster, and then decide whether or not the technology is worth the effort of using it.

What do you think of NFC? Is it just a gimmick? Is it revolutionary? Have you been hacked by using it before? Share your thoughts with us in the comments!

Image Credit: Password Via Shutterstock, NFC Transfer Via Shutterstock, NFC Hold Via Shutterstock

Whatsapp Pinterest

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. F U
    August 13, 2017 at 2:19 am

    Funny this website is claiming to assist in getting rid of unwanted BS advertisements yet this whole site and article are laden with them... Great work people.... Hacks.

  2. Scott
    October 19, 2016 at 6:09 pm

    How about all those damned websites that use javascript popups to beg for your email address. SIGN UP FOR OUR NEWSLETTER!!!! PLEASE!!! PLEASE!! SIGN UUUUUUPPPPP!!!!!!!!

    It's the modern day plague of the internet, worse than SPAM.

  3. Justin Goldberg
    October 13, 2016 at 3:30 pm

    This is all theoretical. Have there been any actual hacks?

  4. Jana
    May 21, 2015 at 9:45 pm

    I recently began dating a great guy who is tech savvy. Me, not so much,
    I only talk and text, no google or such. After our first weekend, I noticed my data was on. I don't use that either. Then after our next visit, I had a weird icon I'd never seen. It is the NFC thingy. I understand the world of phone sneakiness , but what is he able to see and read and steal from me. And how far apart do we need to be when it stops reading my phone. Thanks for any help you can share

    • Christopher Bettis
      December 11, 2017 at 2:54 am

      Your concern would be if he used it to pass "spyware" which it sounds like what you are concerned with. "incognito" is the app you should install and scan regularly. Generally NFC requires a bump or two from another device. Then again with a rooted Droid and a slight modification he could pass spyware roughly up to 10 feet away. There are other forms of trickery designed to pass the spyware via NFC. INCOGNITO will secure piece of mind either way. Ask him if he roots his Android that will be an indicator he is capable of such an incident. That's all the advice I have. ;)


      • Mick Philpp
        June 30, 2018 at 6:09 pm

        C'mon ; ( 'just ask him of he "roots" his Android.?') . come on guys, WHAT a Tip ?

  5. Alex T
    August 31, 2014 at 7:40 pm

    It is a shame that little research has been done into this article. It seems as though someone has found out what it is and immediately assumed a flaw in it. It is not possible to transfer files if the screen is off and just uploading a virus is rather difficult due to security measures that actually are already in place

  6. Rafael
    August 24, 2014 at 7:24 am

    This article sounds like an "Apple Expert" giving the reasons of why they haven't implemented NFC on their devices. As a user of NFC enabled devices (Nokia 701 & Lumia 1020), if the device is locked, the NFC does not work, and always ask for confirmation before anything, you really must be dumb for accepting things that you don't recognize.

  7. anupam tiwaru
    August 21, 2014 at 9:34 am

    its jusrt fucking n sucking ke4ep doing it

  8. anupam tiwaru
    August 21, 2014 at 9:33 am

    is it good i dnt break your heart
    for more vulnerabilities keep continue

  9. Shawn D
    August 20, 2014 at 3:53 pm

    This article is complete FUD as far as NFC in smartphones goes! As a heavy user of NFC technology in not less than 4 different Android devices (and was a user on a Blackberry) you obviously haven't tried it. First and foremost, NFC is disabled until you turn on your screen (and unlock first if you have a lock screen enabled). So you would have to have the actual device in your hand first and unlocked for it to even work. I would think you would notice someone coming along an trying to tap your phone. Once the device is on then the only way you can recieve a file from other device is by accepting it. It's part of how Android beam (or S-Beam in some Samsung phones) works. You have to tap to accept the transfer while the phones are held together. NFC tags can be programmed with one of two kinds of information. First are things that are static like a link, text or contact info. When you tap a tag with this, you are prompted again if you want to open it, and in the case of weblinks, it shows you the address it is presenting. The second thing a tag can be programmed with is some code, but that code is only understood by the program that wrote it. For instance I have tags that turn on or off WiFi for me. If I don't have the program that wrote it loaded, then my phone beeps and does nothing at all. NFC tags generally do not store more than 1 kilobyte of instructions, so it would be hard to transfer any type of program through the tag itself. Sure a link to a bad site could be programmed in one, but again the user has to accept to open the link. It is not automatic. So if you set your phone down on top of a random malicious tag, still nothing is going to happen unless you are dumb and click the promt that pops up to open the link. I also use Google Wallet tap-n-pay, and again it does not work with the phone off and you have to unlock that app (via a pin#) to proceed with the checkout. So NFC in smartphones/tablets is very secure by it's design (in Android anyways). NFC chips exist in some credit cards and these are vulnerable to drive-by attacts from card readers. You can get metal lined sleeves for these to protect yourself. Now Bluetooth, which far more people leave on and of course open WiFi hotspots are far more vulnerable since those radios do operate with the screen turned off. Get your facts straight before making up some dumb stuff to scare folks.

  10. Sanuja R
    August 20, 2014 at 12:38 pm

    NFC hacking reminds me of BadUSB. Both are vulnerabilities of convenience. However NFC uses have the option to switch it off. I highly Recommend doing that when not in use because prevention is better than cure. If you aren't using it, why burn battery and get malware?

    Until NFC technology becomes secure enough, we will be seeing a lot of use of Credit Cards etc... in the near future.

  11. dragonmouth
    August 19, 2014 at 12:26 pm

    Lack of security is the price we pay for convenience. We want our phones to replace numerous other electronic devices. While those devices individually can be adequately secured from hacking, the process of integrating them into one (a smartphone) opens up security holes. We are our own worst enemies.