Vulnerability Report --- BEGIN ADVISORY --- Manufacturer: Nokia (www.nokia.com) Device: Nokia 6131 NFC Firmware: V 05.12, 19-09-07, RM-216 Device Type: mobile phone OS: Symbian Series40 Subsystem: Near Field Communication ----------------------------- Executive Summary: URI/URL Spoofing when displaying the content of a NDEF Smart Poster and plain URI tag. Web browser does not display full hostname when loading a web page. Crash of the parser for various parts of NDEF records, reboots graphical user interface (GUI) of phone. ----------------------------- Reporter: Collin Mulliner ----------------------------- Affiliation: Fraunhofer SIT / MUlliNER.ORG / the trifinite group ----------------------------- Time line: Reported to vendor : 27. March 2008 Received ack. : 28. March 2008 Presented at EuSecWest2008 : 21. May 2008 Received further feedback : 04. July 2008 Published to mailing lists : 16. August 2008 ----------------------------- Fix: The first device without the reported vulnerabilities will be the Nokia 6212 Classic NFC mobile phone. ----------------------------- Brief Technical Details: The Nokia 6131 NFC mobile phone is a mobile phone featuring the Near Field Communication (NFC) technology (http://www.nfc-forum.org). The phone has multiple security vulnerabilities in the code that parses and displays the content of a NDEF Smart Poster and a plain URI tag. 1) NDEF Smart Poster URI Spoofing The NDEF Smart Poster displays a URI together with a descriptive text. The URI can be a URL (http,https,ftp,...) or can point to a phone number (tel:) or to a short message (sms:). The vulnerability: the phone concatenates the descriptive text and the URI. The URI might not be displayed if the the descriptive text already uses the available space to display both information. Further the descriptive text can contain text that reassembles a URI. Therefore a user can be tricked into opening/activating a different URI than he expects. This can lead to monetary damage. There is no visual indication of which part is text and which part is the URI. 1.1.1) URL Spoofing Descriptive text: Bank online with Happy Bank and Trust https://www.happybankandtrust.com URI: http://westealallyourmoney.com User will believe he is accessing https://www.happybankandtrust.com but he actually will load http://westealallyourmoney.com. 1.1.2) URL Spoofing surviving a quick check Descriptive text: http:\\www.nokia.com\r\r\rAddress:\rhttp:\\www.nokia.com\r\r\r\r\r. URI: http://www.mulliner.org The user will be see "http://www.nokia.com" in main screen, if he presses "Show" he will see: Title: http://www.nokia.com Address: http://www.nokia.com 1.2) Telephone URI Spoofing Descriptive text: Tourist Information\r080012345678\r\r\r\r\r\r\r\r\r\r. URI: tel:19006661666 The user will believe this is a free call but will actually call 1900... 1.3) SMS URI Spoofing Descriptive text: Get todays weather forecast\r08005551234 URI: sms:33333?body=tone1 The user will believe the SMS is for free but he will actually send a message to a premium rate number. 2) Plain URI Spoofing Spoofing using the classic @ method. URI: http://wap.somebank.com\wap\login&where=ccinfo@\r\r...\r\r@badguy.net Notice: some characters are not allowed before the @ these are: / and ? the user will probably not notice. 3) NDEF Record Parser Crash The NDEF Record parser crashes if the record payload length field contains either 0xFFFFFFFF or 0xFFFFFFFE The crash will reboot the GUI of the phone. After 4 reboots in a row the phone will switch off completely (e.g. user constantly trying to read the tag containing this value). 4) NDEF Tel/SMS Handler Crash The handler for the sms and tel URI crashes when encountering a phone number of exactly 124 characters. Examples: tel:<124 characters> and sms:<124 characters> Best guess is a off-by-one bug since shorter numbers work and longer numbers produce an error message. The crash will reboot the GUI of the phone. After 4 reboots in a row the phone will switch off completely (e.g. user constantly trying to read the tag containing this value). ----------------------------- More Detailed Information: More details, slides and tools are available here: http://www.mulliner.org/nfc/ --- END ADVISORY ---