Chester Wisniewski, writing over at Naked Security, reports on Charlie Miller's talk at the current Black Hat security conference:
...Charlie decided to look into the attack surface of NFC. He began by probing the drivers, hardware and program stack on both a Nokia Meego and Google Android phone. While he was able to find some flaws using classic fuzzing techniques, nothing major was discovered. Although Charlie did find a vulnerability in Android that affects all "Gingerbread" devices and "Ice Cream Sandwich" devices lower than version 4.0.1, the most interesting findings were at the application layer. There can be many programs loaded onto a phone that will accept instructions or input from NFC. This is where the real bugs are found.
The Nokia N9 with Meego suffers from the same type of trouble. The Nokia Content Sharing app will allow a user to compel another person's phone to load a web page without any user interaction. This despite an option on the phone called "Confirm sharing and connecting" being enabled. Even worse, the Nokia device is configured to automatically pair with Bluetooth devices when tapping NFC tags. Even if your Bluetooth is disabled it will turn it on and pair without your permission (unless Confirm sharing and connecting is enabled).
...The onus is on Google, Nokia and other operating system manufacturers to build in better security controls and to never allow an action to occur without the ability to prompt the recipient that they wish to proceed. While it might be convenient to tap a speaker with my phone and have my music start playing, I'm OK with a prompt on my handset that says "Bluetooth pair for Logitech BlueBlast speakers?".
All of this does apply, to an extent, to existing Symbian NFC-equipped handsets and upcoming Windows Phone devices, but there's little need to panic yet. For example, tapping an NFC tag on Symbian brings up (by default) an 'Open this link?' prompt. It's true that the actual URL is often obfuscated on tags, but you can still make an informed decision as to whether to proceed based on what you thought you were tapping on and how much you trust the tag's location (e.g. in a shop or museum).
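As an added illustration (not code from the article, nor from any handset vendor), here is a small parser for the NDEF URI record that URLs are normally stored in on a tag; it expands the one-byte prefix code so a handset can show the full URL in an 'Open this link?' prompt instead of loading it silently. The prefix table is cut down to its first entries and the tag bytes are constructed for the example.

```python
# Added example, not from the article: decode an NFC Forum NDEF URI record
# (how a URL is normally stored on an NFC tag) so the full URL can be shown
# in an "Open this link?" prompt before the browser loads anything.

# Prefix abbreviation codes from the NFC Forum URI Record Type Definition
# (first entries only; the full table runs to 0x23).
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01  # Type Name Format for NFC Forum well-known types

def parse_first_record(msg: bytes):
    """Return (tnf, type, payload) of the first NDEF record in msg."""
    if len(msg) < 3:
        raise ValueError("truncated NDEF header")
    hdr = msg[0]                     # bits: MB ME CF SR IL TNF(3)
    short_record, has_id, tnf = bool(hdr & 0x10), bool(hdr & 0x08), hdr & 0x07
    type_len, pos = msg[1], 2
    if short_record:                 # 1-byte payload length
        payload_len, pos = msg[pos], pos + 1
    else:                            # 4-byte big-endian payload length
        payload_len, pos = int.from_bytes(msg[pos:pos + 4], "big"), pos + 4
    id_len = 0
    if has_id:
        id_len, pos = msg[pos], pos + 1
    rtype = msg[pos:pos + type_len]
    pos += type_len + id_len         # skip TYPE and optional ID fields
    payload = msg[pos:pos + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload length exceeds message")
    return tnf, rtype, payload

def tag_url(msg: bytes) -> str:
    """Full URL a tag would open; ValueError if it is not a URI record."""
    tnf, rtype, payload = parse_first_record(msg)
    if tnf != TNF_WELL_KNOWN or rtype != b"U" or not payload:
        raise ValueError("not a URI record")
    code, rest = payload[0], payload[1:]
    if code not in URI_PREFIXES:
        raise ValueError(f"unknown URI prefix code {code:#x}")
    return URI_PREFIXES[code] + rest.decode("utf-8")

# Constructed tag contents: a short URI record whose prefix byte 0x01 stands
# for "http://www.", so the visible bytes alone do not show the real host.
SAMPLE_TAG = b"\xd1\x01\x0cU\x01example.com"

if __name__ == "__main__":
    print("Open this link?", tag_url(SAMPLE_TAG))
```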
Plus, while writing NFC tags isn't that difficult or expensive, it is non-trivial, so you'd have to be pretty unlucky to come across a tag that had been maliciously put in place purely to take advantage of a browser vulnerability in your phone's mobile OS. There's no such prompt when pairing with a Bluetooth accessory, but creating a maliciously constructed piece of hardware is several orders of magnitude harder again.
But the article is a timely warning for the future that NFC's convenience could potentially come at a security price. 'Could'. It's very early days for NFC in terms of protocols and 'how should this work?' functionality, and I suspect that more people are working on making things secure than are currently scheming to subvert the technology.
PS. You can follow Charlie Miller here on Twitter.
PPPS. Bonus link across to Sophos' excellent PDF-format Threatsaurus, also published today - it's IT generic and not mobile-related, but it's free to download and worth a place on anyone's hard disk or memory card.