NFC's security vulnerabilities

Over the last two days HP's Pwn2Own competition has exposed some previously unknown security issues in a number of the most popular smartphones available on the market. The majority of the hacks, or "pwns", exploited the NFC capabilities of the devices. NFC's security vulnerabilities

HP's Zero Day Initiative(ZDI) hosted the event for the third year in a row in Tokyo, offering whitehat hackers the chance to win some serious cash if they could demonstrate previously unknown vulnerabilities in a number of the most widely used smartphones, such as the iPhone 5s and Samsung Galaxy s5. Hackers were given 30 minutes to demonstrate their hacks and win some of the $425,000 (usd) prize pool provided again this year by sponsors Google and Blackberry.

The exact details of the successful hacks are of course withheld but on day one of the competition, the iPhones 5s Safari browser was compromised by South Korean researchers lokihardt@ASRT.

Then both the Samsung Galaxy s5 and LG nexus where hacked via NFC vulnerabilites by Jon Butler of MWR InfoSecurity and Adam Laurie of Aperture Labs respectivly. Laurie's hack shared a more than striking resemblance to a plot line featured on the US crime drama show 'Persons of Interest'. Well done to the writers of that show!

At the end of day two, all the successful hacks were documented and confirmed by ZDI and reported to the respective manufactures of each device. Shannon Sabens of HP said that, this year, exploiting NFC was "clearly the most popular" method of hacking devices. Manufacturers, operators and payment companies dependent on NFC - such as Apple Pay - will be unhappy to hear of its vulnerability, but they will all know that when it comes to security, it is a constant battle to stay ahead of the game. The more whitehat hacking events the better for tech companies and ultimately their customers.

Ensygnia puts security at the heart of everything we do. We offer solutions for Payments, identity and loyalty, but they are all founded upon a secure and safe cloud based platform for completing interactions. Find out more here.

By Matthew Taylor 13th November 2014

Related stories around the web

Pay-by-bonk chip lets hackers pop all your favourite phones - The Register

Mobile Pwn2Own 2014: The Day one recap - HP

Mobile Pwn2Own begins: Competitors and targets - HP

Mobile Pwn2Own Tokyo 2014 - HP