NFC security: 3 ways to avoid being hacked

More than a billion phones will be equipped with near-field communications technology in 2015, potentially opening up new vectors for attack.

mcdonalds apple pay

Apple Pay is used at McDonald's.

Credit: McDonald's

Here's what to keep in mind as near-field communications (NFC), the technology that allows Apple iPhone users to tap and pay, takes off. By the end of 2015, more than a billion phones will have the capability to use the wireless protocol to exchange data, and applications beyond payments will become common.

The technology promises greater security, but individual smartphone makers’ implementations of the technology are not perfect. In an annual hacking competition of mobile devices in 2012 and 2014, security researchers used previously unknown flaws in the NFC functionality of smartphones to compromise devices.

As smartphones’ NFC capabilities are used for more than mobile payments, researchers and attackers alike will focus more on the security and privacy of NFC, and such vulnerabilities could become more common. “Most users may not be aware of the expanded attack surface they expose to adversaries when applications use NFC to transport data between mobile devices,” says Brian Gorenc, vulnerability research manager and head of HP’s Zero Day Initiative, which runs the Pwn2Own competition.

nfc installed base Statistica

The number of NFC-enabled phones is expected to surpass 1 billion by 2016.

NFC, based on contactless smartcard technology, allows secure data exchange by using encryption and a special processor. In addition, the wireless technology limits communication to within a short distance, reducing the opportunities for an attacker to eavesdrop on communications and adding security and privacy. Yet, while the NFC Forum claims a read range of a few centimeters (an inch or so), academic researchers have extended that to about 80 centimeters (about 31 inches)—a much greater distance for attackers to play with.

Already, home automation aficionados have used NFC tags—small devices capable of storing and transmitting data—to allow location-dependent phone settings. Does a guest want to use your wireless router? Tap a tag on the router to configure their phone automatically. Location-based marketers have started deploying NFC tags to give consumers who tap additional information.

Yet, the most interesting uses are by businesses, says David Shalaby, co-founder and president of TapTrack, an NFC systems vendor. Contactless conference badges are a common use. The smart card technology on which NFC is based means the data on the badge is secure, and the close proximity required to read the card usually satisfies any requirements for the user to opt in. At amusement parks or on cruise ships, NFC can be used to manage access to rides, venues or other attractions.

“If you implement it correctly with the proper technology and the proper software development, it is secure,” Shalaby says.

A few simple steps will help you get started safely with NFC.

1. Read the fine print for NFC-enabled applications

With a credit card transaction, most people understand that a handful of companies—the store, card processor, issuing bank and credit card company—will get some information on their buying habits. With NFC, however, the picture is less clear. The application developer and the service provider may also get information.

Consumers should read up on any application’s data usage policy to protect their privacy.

2. Monitor NFC updates and patch your device promptly

The NFC vulnerabilities used to compromise devices in the Pwn2Own competition have been fixed, but manufacturers are typically slow to release patches for vulnerabilities in smartphones.

They’re getting better, however, leaving consumers as the primary hurdle for locking down phones.

“Consumers should be less concerned about whether or not another vulnerability will be discovered,” HP’s Gorenc says. “They should be concerned with how fast mobile device vendors can fix the issue and deploy the patch.”

3. If you’re not using NFC, turn it off

NFC is new, and many consumers have yet to adopt the technology. Unless you've started using Google Wallet or Apple Pay, turn NFC off.

“The average mobile user has asked, ‘What does this do for me?’” TapTrack’s Shalaby says. “On the consumer-facing side, most people turn their NFC off.”

Aside from saving some power, turning off unused networking features is a good rule of thumb to limit exposure to attackers.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Related:
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.