CVE-2023-35671: Critical NFC Information Disclosure Vulnerability in HostEmulationManager.java
The vulnerability tracked as CVE-2023-35671 poses a significant risk to Android devices that rely on NFC communication. This post explains how the vulnerability works, examines the code snippet in question, and discusses its implications. It also lists resources for understanding and mitigating the issue on affected systems.
Exploit Details
An NFC-enabled Android device running the insecure code in onHostEmulationData of HostEmulationManager.java is at risk of exposing sensitive credit card information. Specifically, when the device is in locked screen mode, a logic error in the code allows a general-purpose NFC reader to obtain the full card number and expiry details. The most concerning aspect of this vulnerability is that it requires no user interaction and no additional execution privileges. Consequently, an unauthorized actor can obtain this information simply by bringing an NFC reader close to the phone.
Code Snippet
Here is the problematic code snippet found in the onHostEmulationData method within the HostEmulationManager.java file:
    private void onHostEmulationData(byte[] data) {
        boolean isDeviceLocked = mIsDeviceLocked.get();
        boolean screenOffSecure = false;
        if (isDeviceLocked) {
            screenOffSecure = true;
        }
        // The "don't allow card emulation" branch is reached only when the screen is
        // off AND alertBeforeUnlock is set AND the device is locked. A locked device
        // whose screen is on (lock screen visible), or with alertBeforeUnlock unset,
        // falls through to normal handling of the reader's APDU.
        if (mScreenState == SCREEN_STATE_OFF && alertBeforeUnlock && screenOffSecure) {
            if (DBG) Log.d(TAG, "Screen is off, don't allow card emulation");
            mHandler.obtainMessage(MSG_ROUTE_APDU, data).sendToTarget();
            return;
        }
        ...
    }
As seen, the logic error lies in the conditions used to decide whether screenOffSecure is set to true. This error bypasses the intended security measure, exposing critical private information even when the device is locked.
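To make the state space of that check concrete, the following Python model (added here as an illustration; it is not code from the post or from AOSP) mirrors the snippet's condition as a function of lock state, screen state and alertBeforeUnlock, and enumerates the locked-device states in which the reader's APDU still gets through. The hardened gate is an assumed policy used for comparison, not the actual Android patch, and the screen-state values are constructed stand-ins.

```python
from dataclasses import dataclass
from itertools import product

# Constructed stand-ins for the screen states the snippet compares against;
# the real constants live in the NFC service and are not reproduced here.
SCREEN_STATE_OFF = "OFF"
SCREEN_STATE_ON = "ON"   # screen on; on a locked device this is the lock screen


@dataclass(frozen=True)
class DeviceState:
    is_device_locked: bool      # mIsDeviceLocked.get() in the snippet
    screen_state: str           # mScreenState in the snippet
    alert_before_unlock: bool   # alertBeforeUnlock in the snippet


def weak_gate_routes_apdu(s: DeviceState) -> bool:
    """Mirror of the snippet's check: the 'don't allow card emulation' branch
    is taken only when screen-off AND alertBeforeUnlock AND locked all hold.
    Every other combination forwards the reader's APDU as normal."""
    screen_off_secure = s.is_device_locked
    blocked = (s.screen_state == SCREEN_STATE_OFF
               and s.alert_before_unlock
               and screen_off_secure)
    return not blocked


def hardened_gate_routes_apdu(s: DeviceState) -> bool:
    """Illustrative policy (an assumption, not the AOSP fix): a locked device
    never forwards APDUs to the emulated card, whatever the screen state or
    alert setting."""
    return not s.is_device_locked


def leaking_states() -> list:
    """Locked-device states in which the weak gate still forwards the APDU,
    i.e. states where a nearby reader can talk to the emulated card."""
    leaks = []
    for locked, screen, alert in product(
        (True, False), (SCREEN_STATE_OFF, SCREEN_STATE_ON), (True, False)
    ):
        s = DeviceState(locked, screen, alert)
        if s.is_device_locked and weak_gate_routes_apdu(s) and not hardened_gate_routes_apdu(s):
            leaks.append(s)
    return leaks


if __name__ == "__main__":
    for s in leaking_states():
        print("weak gate forwards APDU while locked:", s)
```

Of the four locked-device combinations, only screen-off with alertBeforeUnlock set is withheld by the weak gate; the other three forward the APDU.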
To learn more about this vulnerability, consult the following resources:
1. The Common Vulnerabilities and Exposures (CVE) page specifically for this issue: https://nvd.nist.gov/vuln/detail/CVE-2023-35671
2. Android Security Bulletin detailing the vulnerability at a high level and its severity: https://source.android.com/security/bulletin/2023-03-01
3. Further resources on the workings of HostEmulationManager.java: https://developer.android.com/reference/android/nfc/cardemulation/HostEmulationManager
Mitigation Steps
Because the vulnerability is exploited while the device is in locked screen mode, users should be aware of high-risk locations where NFC readers may be present. The team responsible for the affected code should correct the logic error and roll out a security patch. Until then, users can reduce their exposure by using mobile payment services only while the device is unlocked and the screen is on.
In summary, CVE-2023-35671 presents a significant threat to users of NFC-capable Android devices. By exposing sensitive credit card data on a locked screen, this vulnerability gives unauthorized users an easy path to that data using readily available general-purpose NFC readers. Users should therefore remain vigilant about their surroundings when carrying such devices and consider alternative payment methods where possible.
Timeline
Published on: 09/11/2023 21:15:42 UTC
Last modified on: 09/14/2023 01:31:36 UTC