Hackers at a notorious Def Con gathering that ends here Sunday have come up with ways to reach into digital wallets.
Smartphones
at the heart of modern lifestyles are becoming top targets for cyber
attacks, according to security specialists and hackers who flocked to
Las Vegas this week for back-to-back Def Con and Black Hat conferences.
"We
are entering a post-PC (personal computer) exploitation world," said
researcher Stephen Ridley of Xipiter, where his team uncovered that the
same types of attacks that plague desktop computers can be turned on
mobile gadgets.
"I think phones are going to be the only thing
people are interested in popping in the next five years or so," he
concluded, saying hacker attention is shifting to the always-on,
personal data rich devices in people's pockets.
Along with contact
information for friends and logs of activities such as Internet
surfing, smartphones typically have location-sensing capabilities that
track where they have been.
Using smartphones as "wallets" will be
common within a decade, largely replacing cash and credit cards,
according to a Pew Research survey released in April.
Sixty-five
percent of "technology stakeholders and critics" who responded to an
opt-in poll by Pew Research and Elon University Imagining the Internet
Center agreed that handheld gadgets would be a mainstream way to pay by
the year 2020.
"What is in your wallet now? Identification,
payment, and personal items," Google chief economist Hal Varian was
quoted as saying in a survey response. "All this will easily fit in your
mobile device and will inevitably do so."
Google last year
launched a "Wallet" service that lets sophisticated Android-powered
mobile phones be used to "tap and pay" for purchases at shops.
Blackwing
Intelligence security researcher Eddie Lee showed Def Con attendees how
to use an Android-powered smartphone to pick up the data from a
credit card and then use the swiped information for digital wallet
purchases.
"You can start spending on someone's credit card;
basically you can use it the way you use Google Wallet," Lee said while
demonstrating his technique for a packed room of hackers.
"We've
known for a long time you can skim RFID credit cards," he said. "This
lets you abuse that information and spend on those cards. Maybe this
will give the credit card companies an incentive to fix the things in my
wallet."
He theorized the tactic could work on other cards, such as those for metro system fares or building access.
Accuvant
computer security firm consultant and former National Security Agency
analyst Charlie Miller showed Def Con attendees a way to slip into
smartphones by getting a sensor close enough to read signals from NFC
chips.
In some cases, it is even possible to take over control of a
phone via NFC -- stealing photos and contact lists, sending text
messages or making phone calls, according to Miller's presentation.
"You're
supposed to be paying for stuff and scanning movie posters with your
smartphone, but be aware that this is another way that bad guys can
attack your phone," Miller told AFP.
He showed that if he could
briefly get an antenna device, easily concealed in a sticker, near enough
to a phone at an opportune moment, it could open a virtual door that a
hacker could slip in through.
He contended it would be simple to
discreetly affix an innocuous-looking sticker near a digital wallet
touchpad at a store checkout counter and then linger nearby and hack
phones of buyers.
"It will pair with my machine and I can control the phone," Miller said.
"A
bad guy can use that moment of talking to your phone to steal data," he
continued. "NFC is cool, convenient and fun; I'm just trying to say
let's pay attention to the security implications."
NFC or RFID technology used to share data with nearby sensors is used in smartphones, credit cards, and even passports.