Graham's Blog

I now have a new blog, Graham Thinks.

Can You Open The Android Browser? The BBC Calls You a Hacker!

9 months ago    

Tweet    

This story from BBC News is frankly ridiculous. A ‘skilled hacker’ (you’d think that’d imply they hack things in some way, but keep reading…) has shown how to ‘hijack’ an Android phone by ‘exploiting’ a deadly new feature of Android. The hacker has managed to ‘attack’ several phones with this method (the method which requires ‘skill’, as the BBC put it).

“Oh my God,” you say. Well, this story includes zero real godly hacking powers.

He discovered that the default setting in Android Beam forces a handset to visit any weblink or open any file sent to it. Via this route he forced handsets to visit websites that ran code written to exploit known vulnerabilities in Android.

So, what’s really going on? A man (not a hacker) worked out how to send a website to a phone via Android Beam. The website he sent happened to run malware when opened.

Yes, that is all. Now, let me explain why this is a BS story. To send a website via Android Beam, several conditions must be met: the phone must be on and active; the two devices (the phone and the NFC chip) must be in close contact; NFC must be enabled; Android Beam must be enabled.

So, this isn’t a practical ‘hack’. For it to work, your phone can’t be in your pocket - and I think you’d notice the freak trying to touch an NFC tag to your leg anyway. Essentially, it must be left unlocked - without a pin or password enabled, may I add - out in the open. Then this master of hackery can walk up, unlock it and touch the tag, opening the website in the phone’s browser. Ooh, what a hack!

It doesn’t take much brainpower to realise that just opening the site by typing in the URL to the browser would have the same bloody effect! This is such a non-hack it’s unbelievable, and for the BBC to report it in this way is simply fear-mongering page click bait.

The article ends:

Google has yet to comment on this research.

Well, what are they going to say? “Yes, Android Beam is indeed a feature of Android.” That is literally all they can confirm. Or maybe you want them to remove the browser from Android. Yes, that would be logical - for the BBC.

Anonymous BBC author, you should be ashamed. Either you haven’t any idea about how NFC, Android Beam or Android works, or you’re employing cheap tactics to gain page views.

The BBC has yet to comment on this rant.