Here’s what to keep in mind as near-field communications (NFC), the technology that allows Apple iPhone users to tap and pay, takes off. By the end of 2015, more than a billion phones will have the capability to use the wireless protocol to exchange data, and applications beyond payments will become common.
The technology promises greater security, but individual smartphone makers’ implementations are not perfect. At an annual mobile-device hacking competition in 2012 and 2014, security researchers used previously unknown flaws in the NFC functionality of smartphones to compromise devices.
As smartphones’ NFC capabilities are used for more than mobile payments, researchers and attackers alike will focus more on the security and privacy of NFC, and such vulnerabilities could become more common. “Most users may not be aware of the expanded attack surface they expose to adversaries when applications use NFC to transport data between mobile devices,” says Brian Gorenc, vulnerability research manager and head of HP’s Zero Day Initiative, which runs the Pwn2Own competition.
NFC, based on contactless smartcard technology, allows secure data exchange by using encryption and a special processor. In addition, the wireless technology limits communication to within a short distance, reducing the opportunities for an attacker to eavesdrop on communications and adding security and privacy. Yet, while the NFC Forum claims a read range of a few centimeters (an inch or so), academic researchers have extended that to about 80 centimeters (about 31 inches)—a much greater distance for attackers to play with.
Already, home automation aficionados have used NFC tags—small devices capable of storing and transmitting data—to allow location-dependent phone settings. Does a guest want to use your wireless router? Tap a tag on the router to configure their phone automatically. Location-based marketers have started deploying NFC tags to give additional information to consumers who tap them.
Yet, the most interesting uses are by businesses, says David Shalaby, co-founder and president of TapTrack, an NFC systems vendor. Contactless conference badges are a common use. The smart card technology on which NFC is based means the data on the badge is secure, and the close proximity required to read the card usually satisfies any requirements for the user to opt in. At amusement parks or on cruise ships, NFC can be used to manage access to rides, venues or other attractions.
“If you implement it correctly with the proper technology and the proper software development, it is secure,” Shalaby says.
A few simple steps will help you get started safely with NFC.
1. Read the fine print for NFC-enabled applications
With a credit card transaction, most people understand that a handful of companies—the store, card processor, issuing bank and credit card company—will get some information on their buying habits. With NFC, however, the picture is less clear. The application developer and the service provider may also get information.
Consumers should read up on any application’s data usage policy to protect their privacy.
2. Monitor NFC updates and patch your device promptly
The NFC vulnerabilities used to compromise devices in the Pwn2Own competition have been fixed, but manufacturers are typically slow to release patches for vulnerabilities in smartphones.
They’re getting better, however, which leaves consumers as the primary hurdle to locking down phones.
“Consumers should be less concerned about whether or not another vulnerability will be discovered,” HP’s Gorenc says. “They should be concerned with how fast mobile device vendors can fix the issue and deploy the patch.”
3. If you’re not using NFC, turn it off
NFC is new, and many consumers have yet to adopt the technology. Unless you’ve started using Google Wallet or Apple Pay, turn NFC off.
“The average mobile user has asked, ‘What does this do for me?’” TapTrack’s Shalaby says. “On the consumer-facing side, most people turn their NFC off.”
Aside from saving some power, turning off unused networking features is a good rule of thumb to limit exposure to attackers.