STD
No, not a Sexually Transmitted Disease, but a Samsung-Transmitted-Disaster.
There ya go El Reg. A smutty innuendo in your end-oh!
A Galaxy SIII running Android 4.0.4 was infected with malware over an NFC connection at a hacking contest in Amsterdam using nothing more than a bump in the dark. Full details of the vulnerabilities exploited haven't been revealed by the team, who came from MWR InfoSecurity and were showing off at Mobile Pwn2Own this week, as …
Given how infrequently Android users update their OS (often never - look at the number of devices still on Froyo or Gingerbread) is this really going to happen?
I think there are going to be a helluva lot of vulnerable phones out there, meaning standing next to a stranger on a train with an NFC-enabled phone will be a risky proposition.
Load of scaremongering.
Not only do you have to stand next to someone with a phone with the vulnerability, you have to pretty much touch their phone with yours in the right spot (NFC will only work if the two devices are -very- close), which has to be done over 100 times (185 from the article). Then the attacker has to hope that the stock browser is on there, instead of Firefox or Chrome.
Yes, it's a hole, which isn't great, but come on, it'll take a lot of work to do. It's not like a vulnerability in a browser so it can be 'owned' by a dodgy adframe.
AC 09:35
I'm sure you're aware that NFC range can be boosted? Right now you just need to be close enough; try a crowded train, for example.
The 100 tries is all software, not actual bonks. As the article said, those 185 tries were done in less than a minute.
Why are you blaming Android users for not updating? My Samsung Galaxy Ace from 3 is only 6 months old and into a 24m contract. It came with Gingerbread and, unless I want to root it, that's my OS until 3 offer an upgrade. Which they're not going to apparently because the Ace, being a very modest phone, would take an unacceptable performance hit on ICS never mind JB.
"Paying" is passing a couple beer tokens, virtual or otherwise, to someone else, right?
So why does it need to involve shoddy software with holes enough to stack exploits through? Or hardware that you're expected to replace every year? My wallet is at least five years old and the previous two, each lasting at least as long, are the exact same model. Or why does it have to involve passing your name, payment history, by extension a list of where you've been, and a whole lot of other things that cash can do without? Why does it have to involve numerous third, fourth, fifth parties, some of whom may or may not have joined up in some industry body or other, possibly swapping out even more information? All of them caring for stacks of hardware, and a fault anywhere can put a wrench in the machinery. Why does my ability to lend a couple of quid to me mate have to depend on all that plus the charge level in the smartphone? What's with all the folderol, when simply passing over a couple tokens would otherwise be enough?
Make me a digital system that is as provably anonymous, as robust, as simple, and as simple and easy to use as cash, and then I'll consider it. Before that, sticking to cash isn't a fail. It makes good, objective sense. For verily, the technology isn't being pushed for the problems it's solving. It's being pushed for the business opportunities of all the middle men that're aching for a bit of payment pie.
..that is all except that it's not in anything like a finished state for the S3 yet, of course, so that's crap advice.
Just checking that all the spurious "features" you don't actually use are switched off is a flying start for any piece of complex computer-based tech, and is a lot less likely to screw up your ability to take/make calls than the current state of Cyanogen on the S3.
(That said, it's fine on my old HTC Desire, I am in favour of it in principle, when it's stable)
^This. And I for one will be wanting a pretty compelling reason to ever turn it on, let alone leave it on for any length of time. File transfer certainly ain't it (we can both turn Bluetooth on just as easily and with mutual identification); moving money around ain't it for as long as I can possibly avoid it (my money and all my personal info in one pocketable package? What could possibly go wrong?)
Especially since we have no NFC commercial offerings here in Oz that work anyway (yet?), and I tried to get file transfers to work between two S3s and failed every time.
After twenty minutes of getting what looked like two turtles to mate, we gave up, hoping everyone else didn't think we were weird or something.
We failed. :-(
>how is it possible to fail at that?
Very possible. Mr Tserkezis might have been trying with individual phones that were being awkward for some reason... perhaps a different version of the Samsung firmware was on his units, perhaps one suffered from a hardware fault.
If it were me, I'd try my best to explore the possibility of user error before deciding something else is at fault, and we have no reason to assume Mr Tserkezis hasn't done so.