NFC tags; about Tectiles, SmartTags, Tag+, Mifare and much more
You will find a ton of information about tags on these pages, and I am still updating them to make them as complete as possible. They are a mix of tips, tricks, facts, known problems and user feedback.
Tapping a tag isn’t SECURE?
“SECURITY FLAWS IN NFC” was in the headlines after the Black Hat conference in Las Vegas, 2012. Relax and read here what it is about, and do some googling about the details if you’re still concerned about this! Very few authors write about the important details; a shocking headline to attract visitors matters most to them.
It’s more about opening URLs and accepting file transfers automatically without any prompt (by design), AND finding/using a vulnerability in the user’s web browser. NFC is used, but this is not really an exploit in NFC itself.
C. Miller showed ways in which NFC can be used to force some mobile phones to open web pages without user approval. Miller chose a web page which exploited a separate vulnerability in WebKit, the browser engine behind Google Chrome and other browsers. The browser exploit then downloaded the necessary code and conducted an attack. Miller found some serious vulnerabilities, affecting a small subset of users, for OS developers to solve.
Launching a web page in the browser, or accepting file transfers, without warning and without asking the user’s permission, is the basis of the problem here. This is something we had better avoid, by using an app that does not skip this extra step.
A link to a malicious web page in an email is old-fashioned. It will be no surprise if smart posters soon appear with a link to a web page with malicious code (“TAP HERE FOR MY NAUGHTY PHOTO ..”), and original NFC tags can be replaced with malicious ones. It’s about Common Sense and Security vs Convenience. When using just your own tags, you don’t want and don’t need an extra step in an app asking your permission before opening the browser and web page.
But more and more smart posters/tags will appear in the wild. IF you tap any tag, AND your app doesn’t show the address first for confirmation, AND your browser has vulnerabilities … then it’s like closing your eyes, praying and clicking any link.
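The confirmation step described above, as an added example (not code from this page or from any NFC app): it decodes the URI record stored on a tag and returns the full address to show the user, opening directly only for tags registered as the user's own. The names handle_tap and own_tags and the sample tag bytes are constructed for illustration; matching on the tag UID is an assumption, and a UID is a convenience label, not proof that a tag is genuine.

```python
import struct
from urllib.parse import urlsplit

# URI identifier codes: the first payload byte of an NDEF URI ("U") record.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def parse_uri_record(ndef: bytes) -> str:
    """Decode the first NDEF record; raise ValueError unless it is a valid URI record."""
    try:
        flags, type_len = ndef[0], ndef[1]
        pos = 2
        if flags & 0x10:                      # SR flag: 1-byte payload length
            payload_len = ndef[pos]
            pos += 1
        else:                                 # otherwise 4-byte big-endian length
            payload_len = struct.unpack(">I", ndef[pos:pos + 4])[0]
            pos += 4
        id_len = 0
        if flags & 0x08:                      # IL flag: an ID length byte follows
            id_len = ndef[pos]
            pos += 1
    except (IndexError, struct.error):
        raise ValueError("truncated NDEF header") from None
    rec_type = ndef[pos:pos + type_len]
    pos += type_len + id_len
    payload = ndef[pos:pos + payload_len]
    if flags & 0x07 != 0x01 or rec_type != b"U":   # TNF must be "well-known"
        raise ValueError("not a URI record")
    if not payload or len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI identifier code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def handle_tap(tag_uid: str, ndef: bytes, own_tags: set) -> dict:
    """Return what the app should do: never open an unknown tag's URL silently."""
    url = parse_uri_record(ndef)
    host = urlsplit(url).hostname or ""       # shown prominently in the prompt
    action = "open" if tag_uid in own_tags else "confirm"
    return {"url": url, "host": host, "action": action}

# Constructed sample: one short URI record, prefix code 0x02 + "example.com".
SAMPLE_TAG = bytes.fromhex("d1010c5502") + b"example.com"

if __name__ == "__main__":
    print(handle_tap("04A1B2C3", SAMPLE_TAG, own_tags={"04A1B2C3"}))  # own tag
    print(handle_tap("04FFFFFF", SAMPLE_TAG, own_tags={"04A1B2C3"}))  # tag in the wild
```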