[Full-disclosure] Nokia 6131 NFC URI/URL Spoofing and DoS Advisory

Vulnerability Report


Manufacturer: Nokia (www.nokia.com)
Device: Nokia 6131 NFC
Firmware: V 05.12, 19-09-07, RM-216
Device Type: mobile phone
OS: Symbian Series40

Subsystem: Near Field Communication


Executive Summary:
URI/URL Spoofing when displaying the content of a NDEF Smart Poster
and plain URI tag. Web browser does not display full hostname when
loading a web page.

Crash of the parser for various parts of NDEF records, reboots
graphical user interface (GUI) of phone.


Reporter: Collin Mulliner <collin.mulliner[AT]sit.fraunhofer.de>


Affiliation: Fraunhofer SIT / MUlliNER.ORG / the trifinite group


Time line:

Reported to vendor : 27. March 2008
Received ack. : 28. March 2008
Presented at EuSecWest2008 : 21. May 2008
Received further feedback : 04. July 2008
Published to mailing lists : 16. August 2008



The first device without the reported vulnerabilities will be the
Nokia 6212 Classic NFC mobile phone.


Brief Technical Details:

The Nokia 6131 NFC mobile phone is a mobile phone featuring the Near
Field Communication (NFC) technology (http://www.nfc-forum.org). The
phone has multiple security vulnerabilities in the code that parses and
displays the content of a NDEF Smart Poster and a plain URI tag.

1) NDEF Smart Poster URI Spoofing

The NDEF Smart Poster displays a URI together with a descriptive text.
The URI can be a URL (http,https,ftp,...) or can point to a phone
number (tel:) or to a short message (sms:).

The vulnerability: the phone concatenates the descriptive text and the
URI. The URI might not be displayed if the the descriptive text
already uses the available space to display both information. Further
the descriptive text can contain text that reassembles a URI.
Therefore a user can be tricked into opening/activating a different
URI than he expects. This can lead to monetary damage.

There is no visual indication of which part is text and which part is
the URI.

1.1.1) URL Spoofing

Descriptive text: Bank online with Happy Bank and Trust

URI: http://westealallyourmoney.com

User will believe he is accessing https://www.happybankandtrust.com
but he actually will load http://westealallyourmoney.com.

1.1.2) URL Spoofing surviving a quick check

Descriptive text:

URI: http://www.mulliner.org

The user will be see "http://www.nokia.com"; in main screen, if he
presses "Show" he will see:



1.2) Telephone URI Spoofing

Descriptive text:
Tourist Information\r080012345678\r\r\r\r\r\r\r\r\r\r.

URI: tel:19006661666

The user will believe this is a free call but will actually call

1.3) SMS URI Spoofing

Descriptive text: Get todays weather forecast\r08005551234

URI: sms:33333?body=tone1

The user will believe the SMS is for free but he will actually send a
message to a premium rate number.

2) Plain URI Spoofing

Spoofing using the classic @ method.


Notice: some characters are not allowed before the @ these are:
/ and ? the user will probably not notice.

3) NDEF Record Parser Crash

The NDEF Record parser crashes if the record payload length field
contains either 0xFFFFFFFF or 0xFFFFFFFE

The crash will reboot the GUI of the phone. After 4 reboots in a row
the phone will switch off completely (e.g. user constantly trying to
read the tag containing this value).

4) NDEF Tel/SMS Handler Crash

The handler for the sms and tel URI crashes when encountering a
phone number of exactly 124 characters.

tel:<124 characters> and sms:<124 characters>

Best guess is a off-by-one bug since shorter numbers work and longer
numbers produce an error message.

The crash will reboot the GUI of the phone. After 4 reboots in a row
the phone will switch off completely (e.g. user constantly trying to
read the tag containing this value).


More Detailed Information:

More details, slides and tools are available here:


Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin@xxxxxxxxxxxxxxx
Don't ask me! I don't use windoze!

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/