SECURITY FIRM McAfee has warned of the dangers of paying for goods using near field communications (NFC) following the news that Samsung Galaxy S3 smartphones will be given out to every athlete at the London 2012 Olympics this summer.
After Google recently fixed a vulnerability in its Wallet app that allowed an attacker to use a free prepaid card to crack PINs on the phone, McAfee said attackers can now "go after the hardware itself".
"One can get excellent results by targeting the OS and its NFC-handling libraries," McAfee mobile security researcher Jimmy Shah said in a blog post today. "Fuzzing the hardware, which involves feeding corrupt or damaged data to an app to discover vulnerabilities, is a good first step."
Shah pointed to research by security experts Charlie Miller and Collin Mulliner that looked at fuzzing NFC tags.
"Recently he updated his software to measure Android devices, allowing him to inject crafted NFC tags to a phone and then monitor the results," Shah explained. "He can programmatically feed crafted or damaged NFC tags to Android's library and then capture any crashes or code-execution opportunities."
Shah warned that an attacker wishing to target a device such as the Galaxy S3 can easily buy one and use Mulliner's research to help find vulnerabilities and eventually develop exploits to steal a victim's credit card.
"The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases," he said.
"The Olympics will also provide a concentrated pool of targets (people and phones) to pilfer from - especially if everyone is busy watching who wins the medals and not worrying about where his or her phone is."