Using implants for hacking phones
(Edit: Updated title for accuracy)
First post here, and I don't use forums much. (usually strictly a lurker/troll/etc.)
tl;dr: I was able to hack a phone with my NFC implant and another phone.
I was reading a bit into this thread, and it got me thinking: What about the opposite? How could I use my shiny new NFC implant for hacking?
So here goes.
A rough outline of the use-case of using NFC for hacking:
First was the implant which is common enough of a conversation.
(I'm using xNTi from dangerousthings)
Attacker uses a special Linux distro ported to an Android phone to generate a malicious APK file for Android in one click.
(This file listens to a specified IP address for connection/commands.)
Attacker sets the connection IP address to the listening server, where the attacker would have an interpreter listening for inbound connections.
Attacker uploads the file to some web server, possibly self owned webserver or a free webhosting service.
Attacker copies the malicious APK direct link over to the implanted tag and sets off to have fun.
Exploitation is now as easy as asking someone to use their phone to make a call and hitting the chip to initiate a download. Install, and give the phone back*. (Payload running silently in the background.)
(There are many factors dictating success here, like the funny look they'll give you when you're rubbing your phone on your hand, and the phone's security implementations like the newer Samsung Knox**, which will recognize and quarantine the malicious code. I haven't come across an NFC compatible phone that has any sort of security on the tech.)
Once installed, the server and the infected device establish a link and from there, the attacker can wreak some serious havoc.
(Dump texts, call logs, pics, whatever. (*Delete the downloaded APK file and clear the URL from history.))
*If the attacker has some deft hands, the attacker may be able to delete the APK and clear the URL before giving the phone back without raising suspicion.
**The newer Samsung Knox will detect the generic payloads if you do not craft them all crafty like :P
I've tested this on a few phones and it works great!
If you have questions, ideas, etc. let me know, I'm all about freedom of information and I will tell you whatever I know.
(Moving forward, I'm trying to create some shellcode that is small enough to be written to the chip for an ultra small single tap payload.
If anyone knows of people fuzzing NFC for vulnerabilities, please let me know, or let them know I'm looking for them.)
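The delivery step in the post relies on the tag carrying nothing more than an NDEF URI record that the phone opens on tap. The following is an added example for this thread, not the original poster's code or any tool mentioned above: it parses the NDEF record layout and the NFC Forum URI prefix codes, then applies a constructed policy that flags tag URLs a reading app should not open automatically (plain HTTP, or a direct link to an `.apk`). The function names, the risk rules and the sample tag bytes are my own constructions.

```python
"""Parse an NDEF message and flag URI records that point at APK downloads.

Added example (not from the original post). The record header fields and
URI prefix table follow the NFC Forum NDEF and URI Record Type specs; the
risk rules, function names and sample tag bytes are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# NFC Forum URI Record Type Definition: first payload byte is a prefix code.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

TNF_WELL_KNOWN = 0x01  # Type Name Format: NFC Forum well-known type


@dataclass
class NdefRecord:
    tnf: int
    rtype: bytes
    payload: bytes


def parse_ndef(message: bytes) -> List[NdefRecord]:
    """Split an NDEF message into records (short and long record forms)."""
    records = []
    pos = 0
    while pos < len(message):
        hdr = message[pos]
        short_record = bool(hdr & 0x10)   # SR flag: 1-byte payload length
        has_id = bool(hdr & 0x08)         # IL flag: ID_LENGTH byte present
        tnf = hdr & 0x07
        pos += 1
        type_len = message[pos]
        pos += 1
        if short_record:
            payload_len = message[pos]
            pos += 1
        else:
            payload_len = int.from_bytes(message[pos:pos + 4], "big")
            pos += 4
        id_len = 0
        if has_id:
            id_len = message[pos]
            pos += 1
        rtype = message[pos:pos + type_len]
        pos += type_len
        pos += id_len                      # record ID is not needed here
        payload = message[pos:pos + payload_len]
        pos += payload_len
        records.append(NdefRecord(tnf, rtype, payload))
        if hdr & 0x40:                     # ME flag: this was the last record
            break
    return records


def decode_uri(record: NdefRecord) -> Optional[str]:
    """Return the full URI for a well-known 'U' record, else None."""
    if record.tnf != TNF_WELL_KNOWN or record.rtype != b"U" or not record.payload:
        return None
    prefix = URI_PREFIXES.get(record.payload[0], "")
    return prefix + record.payload[1:].decode("utf-8", errors="replace")


def assess_uri(uri: str) -> List[str]:
    """Constructed policy: reasons a tag URI should not be opened automatically."""
    reasons = []
    parsed = urlparse(uri)
    if parsed.scheme == "http":
        reasons.append("plain HTTP, content can be swapped in transit")
    if parsed.path.lower().endswith(".apk"):
        reasons.append("direct link to an Android package (sideload)")
    if parsed.scheme not in ("http", "https", "tel", "mailto"):
        reasons.append("unexpected scheme %r" % parsed.scheme)
    return reasons


def scan_tag(message: bytes) -> List[Tuple[str, List[str]]]:
    """Return (uri, reasons) for every URI record found on the tag."""
    findings = []
    for rec in parse_ndef(message):
        uri = decode_uri(rec)
        if uri is not None:
            findings.append((uri, assess_uri(uri)))
    return findings


# Constructed two-record tag: a harmless https link, then a plain-http .apk link.
# 0x91 = MB|SR|TNF=1, 0x51 = ME|SR|TNF=1; type "U"; payload = prefix code + rest.
SAMPLE_TAG = (
    bytes([0x91, 0x01, 0x0D]) + b"U" + b"\x02" + b"example.org/"
    + bytes([0x51, 0x01, 0x17]) + b"U" + b"\x03" + b"example.com/update.apk"
)

if __name__ == "__main__":
    for uri, reasons in scan_tag(SAMPLE_TAG):
        print(uri, "->", "OK" if not reasons else "; ".join(reasons))
```

A tag-reading app or a kiosk scanner can run `scan_tag` on the raw NDEF bytes and prompt the user instead of opening a flagged link; since Android only installs a downloaded package when installation from unknown sources is allowed, leaving that setting off and reviewing tag URLs before opening them are the two practical controls against the delivery described above.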