Nightwatch Cybersecurity’s Y. Shafranovich posted about a near field communication (NFC) vulnerability affecting Android versions 8.0 and higher. Specifically, there is an Android feature known as Android Beam that’s built around this technology, and it’s intended for close-proximity data-sharing scenarios. NFC has an effective range of about 4 cm (1.5 inches), which doesn’t seem like much but is still enough to pose a threat. With security, giving an inch may lead to attackers taking a mile.
The scary scenario here is one where Android-based POS systems have been compromised and you go to make a payment while both features are on. To clarify, there are two distinct settings: in order to enable Android Beam, NFC must be enabled in the first place. There was actually a similar vulnerability back in 2012, when researcher Charlie Miller was able to exploit NFC and Android Beam vulnerabilities and have Android devices automatically open up web requests, potentially even to attacker-controlled web servers. Scarier still is the fact that there was no user interaction required in this case!
Bottom line: don’t just leave NFC enabled. In fact, don’t just leave any service on unless you’re actively using it. For me, this includes Wi-Fi, Bluetooth and NFC. Wireless technologies have both advantages and disadvantages. Unfortunately, unknown disadvantages are where zero-day vulnerabilities come into play, and they can attract some nefarious threat actors.