Description: Updated with Google Wallet and Android 4.0!
As Near Field Communications (NFC) is integrated into our daily lives more and more (credit/debit cards and mobile payments, transit systems, ticketing systems), application developers should understand the risks of implementing NFC in mobile applications. This talk covers several current and proposed NFC implementations with case studies including attacks and mitigations, as well as the hardware basics behind NFC to better help developers and security testers understand the inherent strengths and limitations of NFC. The presentation will cover the ISO 14443 A and B standards, waveform modulation, and propagation across the RF channel. Demo attacks against NFC applications, including misdirecting FourSquare check-ins and malware which can intercept NFC intents to launch rogue applications, will be shown. We will show the data popular NFC enabled applications store including how it could be used to track when and where a device had been used. The presentation includes an in depth look at the NFC Data Exchange Format (NDEF) which is found across devices. Understanding and fuzzing this format can lead to parsers failing and crashing on malformed input as will be demonstrated against Android's Tags application.
Max and Corey began looking at NFC when it was just a speck on the horizon. That is to say, after NFC deployments were widespread in Europe, and when we still thought of National Football Conference in the US of A. Now they examine transit systems, NFC functionality on mobile devices, and the RF protocol behind the magic that is NFC. They find NFC payment systems particularly interesting and plan to commit some sort of wireless credit card-based fraud in the near future if they can agree on something really good to buy.
Latest from the SecurityTube Blog:
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.