Announcement

**Feathers McGraw** · Jan 24, 2014, 05:14 PM

Originally posted by SteveRiley View Post

Ready for a shock? Visit https://developers.google.com/android/nexus/drivers. All you get are closed-source binaries. If you build your own Nexus AOSP ROM from source and stop there, most of the hardware won't function. You need to include these drivers in your ROM build.

For non-Nexus phones, it's even worse: the manufacturers (HTC, Nokia, et al) don't provide any downloads at all. The ROM cookers on XDA have to extract the hardware drivers out of existing factory ROMs.

I was actually thinking about the Kubuntu side of things, but I guess it doesn't matter - it only takes one part of the couple to be compromised for you to have a problem!

Originally posted by SteveRiley View Post

Wait. Nobody engages in full-on analysis and counter-argument on web forums! You're just supposed to shout your opinions as if they were facts and go nah-nah-nah-nah-nah-nah when someone disagrees! LOL.

Well... you (and the rest!) have raised the bar in this forum, I don't think either one of us could get away with that kind of thing for very long! Everyone's wasting their time in that kind of conversation, anyway, since nobody is listening.

Originally posted by SteveRiley View Post

...it is entirely within the realm of possibility to envision an NFC-equipped device that has been remotely infected via some other vulnerability. This device may carry a payload designed to transparently intercept NFC communications after decryption and then forward the clear text over some control channel. Such channels have included DNS to be especially stealthy. Do not underestimate the ability of bad guys to make your computer behave in ways you cannot predict.

Yeah, true. That's possible, but there are so many things that could go wrong with that piece of malware: the original infection method has to work, and the NFC interception method also has to work. Relating this back to your presentation where you mentioned attack surfaces, imagine you're a malware author: flip it over and call it a "detection surface" rather than an "attack surface" - you've just provided antivirus vendors and hackers with more points of reference to identify the infection and remove it.

Also, I know this isn't what you were arguing, but it's relevant: consider a piece of malware whose infection vector is NFC... an infection that spread through NFC probably wouldn't spread very far, (today, 2014!) since most people don't link a long chain of NFC devices together. I actually don't know anyone, even in my relatively technology literate (engineers, mainly) circle who has used NFC more than a handful of times out of curiosity. So at most, the typical user has two devices that they will touch together to use NFC.

Originally posted by SteveRiley View Post

One additional point, since we're in the mode of friendly analysis of arguments: arguing from "not many people would know where to start" isn't a strong position. Attackers often have a luxury defenders do not: time. Attackers are usually the earliest to know about vulnerabilities -- after all, it's sort of their job

You're right there, I was trying to make a point about the probability rather than the feasibility of an attack like this.

Originally posted by SteveRiley View Post

This is prime example of good risk assessment. And I'd agree: right now, January 2014, such an attack is unlikely. You should not stop using NFC for your purposes just because I'm worrying about how NFC can be abused. Remember, these kinds of worries are my real job.

Thanks

I hope your _other_ job has nothing to do with those emails

Feathers

**SteveRiley** · Jan 24, 2014, 05:45 PM

Originally posted by Feathers McGraw View Post

Relating this back to your presentation where you mentioned attack surfaces, imagine you're a malware author: flip it over and call it a "detection surface" rather than an "attack surface" - you've just provided antivirus vendors and hackers with more points of reference to identify the infection and remove it... Also, I know this isn't what you were arguing, but it's relevant: consider a piece of malware whose infection vector is NFC... an infection that spread through NFC probably wouldn't spread very far, (today, 2014!) since most people don't link a long chain of NFC devices together.

Remember also the bit about vulnerability chains. I'm not actually (too) worried about the NFC as an attack target (yet). But as a mechanism to deliver malicious payloads or confidential data from one place to another, I see risk.

Originally posted by Feathers McGraw View Post

you (and the rest!) have raised the bar in this forum... I hope your _other_ job has nothing to do with those emails

An aspect of my job is, in fact, competitive analysis. I argue for (part of) my living, haha.

Originally posted by Feathers McGraw View Post

it only takes one part of the couple to be compromised for you to have a problem!

Or a negatively affected social life, at least until you get to the doc

**Feathers McGraw** · Jan 26, 2014, 10:33 AM

Actually, the potential for transmitting malware via NFC is probably not as small as I thought.

People will try anything to save/win money... putting malware in one of these would definitely work:

**SteveRiley** · Jan 26, 2014, 03:21 PM

Originally posted by Feathers McGraw View Post

People will try anything to save/win money

One of the best ways to short-circuit the brain's reasoning capacity.

**Snowhog** · Jan 26, 2014, 03:36 PM

Free money to Man, is what cocaine is to Rats.

Announcement

questions about touchscreens and the upcoming Yoga from Lenovo...

Comment

Comment

Comment

Comment

Comment

Users Viewing This Topic