Security researcher Charlie Miller has demonstrated a number of flaws in the way NFC is handled on Android and MeeGo. Miller designed an NFC tag that would be able to execute malicious code on the device. The tag could be placed on a point-of-sale terminal or in other public places, exploiting users who are looking to use their device for NFC payment. The issue is not with NFC as a protocol, which remains secure, but rather with Android's and MeeGo's software implementations of the standard.
The Android Beam specification allows NFC to automatically launch the web browser, which opens the door to a wide range of web-based exploits. "Instead of the attack surface being the NFC stack, the attack surface really is the whole web browser and everything a web browser can do. I can reach that through NFC," Miller told Ars Technica. Many of the browser bugs prevalent in earlier Android builds have now been fixed, but even early Ice Cream Sandwich builds have significant security holes related to the WebKit-based stock browser.
For Android 2.3 devices, Miller was able to hijack the application daemon that controls NFC functions, rather than just launch a browser. Luckily, the number of devices that run Android 2.3 and have NFC is limited, and the potential for real-world use is low. Miller used a Nexus S running Android 2.3 Gingerbread to demonstrate the issue — an Ice Cream Sandwich update is available for the smartphone that fixes the hole. For the Beam issues, he used a Galaxy Nexus running Android 4.0.
Miller says NFC could make it easier for hackers to get their code on your device. He gives the example of PDF bugs (as found in past exploits across many platforms), noting that "instead of trying to email it to the person or get them to go to your website, you can just get near them with NFC." Similar methods were also demonstrated running on a Nokia N9. Google refused to comment on Miller's exploits, but it has been made aware of them. Of course, users are able to turn off the Android Beam function completely, but hopefully we'll see something akin to a pop-up dialogue box asking "NFC would like to launch the browser, is that okay?" added to Android soon.