General NFC security
-
Hi,
Not sure where the best place for this question is, but I'll try here.
So I did some testing with my Asus NFC tag, I put a URL on it (HTTPS://Test) and then put it against the back of my phone... and my phone directly opened the browser at that page... I'm sorry, am I the only one who sees this as an enormous security issue? Yeah, just go around with an NFC tag with a malicious URL programmed to it and put it against phones...
So I guess what I want to ask is if there is any way to actually set up security on the phone so you'll have to accept anything an NFC tag wants to do? I don't want my phone blindly assuming all NFC tags are sent from angels. (Of course I mean besides disabling NFC.) Or is it just the fact that I wrote the tag on my device and it hence trusted it automatically?
Sanya
(Oh also, completely off-topic, but I had issues registering for this forum: with the first account I clicked the activation link yet was unable to log in, and reset password said no e-mail or something like that, so I had to create this one instead... Just saying, might be something wrong)
-
@SanyaIV It's not an enormous security issue. Web browsers are some of the most security audited pieces of software in the world. NFC NDEF record would need to be a URL that exploited this software.
It's a plausible attack vector but most modern phone OS have way more simple attack vectors an attacker would target first.
-
@johnyma22 And at the same time one browser exploit is all it could take.
But disregarding URLs, several other things auto-launch as well when scanning an NFC tag (with relevant records on it). The likelihood of one of these having some sort of vulnerability that has yet to be found is relatively probable (formation of that sentence doesn't meet exactly what I say but I can't figure out how to say it better, tired).
Either way I don't like the auto-launch nature of how NFC seems to work on my phone and I see it as a security issue, but would still like to use NFC (having to verify to do whatever the tag says to do). So for example when reading a tag with a URL it would show a pop-up that says something like "Tag wants to open [URL]" with a button "Open" and "Close" etc. Is that possible or no?
Sure, there may be simpler attack vectors, but just because there are simpler attack vectors doesn't mean one should leave a possible attack vector ignored and open for abuse. I mean, it doesn't even have to be malware, could simply be malicious websites that someone wants to spread, opens a phishing site for a bank, general propaganda spreading for X or Y cause, spreading disturbing content, having a ring on your finger and "accidentally" bumping into someone's phone causing it to open a site showing discriminating content etc. You know... And that's just looking at what you can do with URLs, there's probably other things you can do as well. My point is that auto-launch is not a good thing to force, the user should be able to choose whether to open things automatically or having to verify first. I mean, I can see the benefits of automatic launching for... well... automation, but at the same time I can see disadvantages with it. Of course one could just disable NFC, but I'd still like to use it.
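
An added example, not part of the original posts and not any phone OS's own code: a Python sketch of the "ask before opening" behaviour requested above, decoding one unchunked NDEF URI record and returning a prompt instead of launching it. The function names, the allow-list policy and the sample tag bytes are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Partial table of URI record prefix codes (first payload byte); others are rejected here.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def parse_uri_record(record: bytes) -> str:
    """Decode a single NDEF well-known URI record (type 'U') into its URI."""
    try:
        flags, type_len, pos = record[0], record[1], 2
        if flags & 0x10:                      # SR: one-byte payload length
            payload_len, pos = record[pos], pos + 1
        else:                                 # otherwise four bytes, big-endian
            if len(record) < pos + 4:
                raise ValueError("truncated length field")
            payload_len, pos = int.from_bytes(record[pos:pos + 4], "big"), pos + 4
        id_len = 0
        if flags & 0x08:                      # IL: an ID length byte is present
            id_len, pos = record[pos], pos + 1
    except IndexError:
        raise ValueError("truncated NDEF header") from None
    rtype = record[pos:pos + type_len]
    pos += type_len + id_len
    payload = record[pos:pos + payload_len]
    if (flags & 0x07) != 0x01 or rtype != b"U":   # TNF 1 = well-known type
        raise ValueError("not a well-known URI record")
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("prefix code not in this partial table")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def tag_action(record: bytes, trusted_hosts=frozenset()):
    """Hypothetical policy: open silently only for allow-listed HTTPS hosts."""
    try:
        uri = parse_uri_record(record)
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
    except ValueError as exc:                 # also covers UnicodeDecodeError
        return "block", f"Unreadable tag: {exc}"
    if parts.scheme == "https" and host in trusted_hosts:
        return "open", uri
    return "ask", f"Tag wants to open {uri!r}"

# Constructed sample: the thread's test URL written as a short URI record.
SAMPLE_TAG = bytes([0xD1, 0x01, 0x05]) + b"U" + b"\x04test"
```
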
-
@SanyaIV said:
Either way I don't like the auto-launch nature of how NFC seems to work on my phone
@SanyaIV have you considered a Windows Phone? Last I had one, every time an NFC action happened, it caused an annoying user prompt which the user had to manually approve before anything happened.
To me this was annoying, however it sounds exactly what you're after.
cheers
-
@jasok2 I have considered it, didn't know about how NFC works on it though, but Windows phone doesn't have all the things I need, for example from what I gather the Pebble support for it is non-existent or poor. And besides that it lets me do less things etc, just not a phone OS I'd like to use in its current state.
-
@SanyaIV said:
@jasok2 I have considered it, didn't know about how NFC works on it though, but Windows phone doesn't have all the things I need, for example from what I gather the Pebble support for it is non-existent or poor. And besides that it lets me do less things etc, just not a phone OS I'd like to use in its current state.
Yeah, I get that. I ditched it too. I do wonder what Windows 10 phone will be like, but I really need the Sonos app :( sigh.
-
I'll borrow my own thread to ask another question: Is it okay to place the Asus NFC Express device on top of my Desktop case or will it cause any interference of any sorts?
-
It should be ok but YMMV. Give it a try and see how it goes.
-
@Lokki Tried it, works relatively fine but the angle gets a little weird for me, but still looks way nicer.
-
I've always figured that if I set one up for my desktop I'll use a router to make a recessed hole in the desk top to hold the reader.
Or make my own with PN532+Arduino and recess into the bottom side of the desk top and read through the remaining wood.
-
So now after trying with the NFC Express on top of the desktop for a while I can say that it was impractical for me, I'm not sure if it was interference or just the angle but it would take longer and more re-positions to get the Asus tag to read when I had the NFC Express on top of the Desktop case. I've since changed it to sit upside down on the underside of the table (Using folded duct tape..) over the desktop, this has given me a much more comfortable angle and it reads much better now (faster and rarely need to re-position)
Again, not sure if interference or angle but I'm starting to think it was a bit of both.
Edit: Actually, perhaps I'm using the word "Desktop" incorrectly, I use it to refer to my stationary computer that resides under my table.
-
Yeah, possibly - my desktop computer, routing a mounting point in the wooden desk top.
;-)
-
Hmm.. Folded duct tape didn't work very well, started to come loose after a while, decided to get double-sided tape instead which seems to work just fine.
-
Speaking from experience it's best to use a wax and grease remover on things you're sticking double-sided tape to. Do that and it'll never fall off.