Stand Close to Me, & You’re pwned! : Owning SmartPhones using NFC

Description: NFC (Near Field Communication) allows cell phones to perform specified actions whenever they detect NFC tags or signals from other NFC-enabled devices. Most recent phones, including the Samsung Galaxy S3, Nokia Lumia 610, BlackBerry Bold, etc., have NFC enabled. NFC even helps enterprise/payment gateways ease users' actions, such as connecting to a Wi-Fi network, setting a bookmark, making payments, etc.

Gone are the days of sending Android malware links through URLs or attachments. In this talk, we will show how an attacker could steal private and sensitive information from one's phone, and even perform malicious actions on the user's phone, using NFC as an attack vector. NFC attack vectors come in two forms: Active (setting the attacker's phone as a proxy between the victim's smartphone and the payment terminal) and Passive (using NFC tags). For our demonstrations, we will create malicious NFC tags which, when detected by any NFC-enabled smartphone, would steal sensitive information from the phone (without the user's knowledge) as well as trick the user into installing malicious applications on their phone. Thereafter, we will also talk about how an attacker could get in close proximity to another NFC-enabled phone, get a remote shell on the victim's phone and compromise the phone's security. We will also discuss how viral an NFC attack could go in the future if proper security measures are not enforced.

Speaker 1: Aditya Gupta

Aditya Gupta is the co-founder of XY Securities, an information security firm based in India. He is responsible for leading penetration testing and application security assessments in his work at XYSEC. His main expertise includes exploiting web applications, evading firewalls, breaking mobile security and exploit research. He has also discovered many serious vulnerabilities in websites such as Google, Apple, Microsoft, Skype, Adobe, and a variety of other major software technologies. Aditya has worked on many Android security projects and has been a frequent speaker at many conferences including Clubhack, Nullcon, The Hackers Conference, Defcon India Chapter, ToorCon and many more.

Speaker 2: Subho Halder

Subho Halder is a programmer, security researcher and penetration tester. He is well equipped with programming in PHP, Java and Python, and has a deep understanding of the Android and BlackBerry frameworks.