A new bug in Android allows hackers to steal your bank data

Carding

Do you fall into the risk zone and can you somehow protect yourself?

A vulnerability has been discovered in the Android operating system that allows access to complete bank card data via NFC-enabled multifunction devices, such as Flipper Zero. The issue was identified as CVE-2023-35671 and affects all devices running Android 5.0 and higher.

The vulnerability is related to the "Screen Pinning" function. If this feature is enabled for any application, and if the "Request PIN code before unpinning" and "Require device unlock for NFC" options are activated, the victim's bank card data may be stolen.

The "Pin screen" option is used to lock the smartphone screen to one specific application, without being able to minimize it. This is useful, for example, when temporarily handing the device to another person (friend, relative) so that you can be sure they will not launch any other application or violate your privacy.

So, if pinning is active, a person with a suitable NFC reader can get full credit or debit card details, if the card is linked to the victim's Google Wallet and configured for contactless payment. At the same time, it is enough to simply hold the hacker gadget against the vulnerable device, without having to enter a password, which is usually required in such cases.

It should be noted that the vulnerability does not allow making payments, but it provides access to the linked card data, including its number and expiration date, which can also be useful for a potential attacker.

Despite the very specific conditions for exploitation and the low likelihood of its use in real attacks, Google has already marked the vulnerability as "serious" and started fixing the problem.

The fix is included in the September 2023 security patch, but only relatively recent versions of the system, starting with Android 11, will receive it. The patch is already available to all manufacturers of Android smartphones, which, each at its own pace, have begun to deploy it on supported devices.

But devices running outdated versions of Android, or those whose support has been officially discontinued by the manufacturer, are not likely to receive a security patch. For them, the only solution to the problem is to stop using the "Pin screen" function entirely.
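To turn the fix-availability rule from the two paragraphs above into something you can check on a fleet, here is an added example (not from the original post): a POSIX shell function that classifies a device from its Android release and security patch level, using the thresholds stated above (affected from Android 5.0, fix only for Android 11+ and only in the September 2023 patch level). The property names in the comments are the standard Android build properties; the function takes the values as arguments so it runs without a device attached.

```shell
#!/bin/sh
# Values normally come from a connected device:
#   adb shell getprop ro.build.version.release          -> e.g. "13" or "5.1.1"
#   adb shell getprop ro.build.version.security_patch   -> e.g. "2023-09-05"
AFFECTED_MIN_MAJOR=5          # Android 5.0 and higher are affected
FIX_MIN_MAJOR=11              # only Android 11+ receives the fix
FIX_PATCH_LEVEL=20230901      # September 2023 security patch level, as YYYYMMDD

# Prints one of: unknown, not-affected, unfixable-disable-screen-pinning,
#                update-pending, patched
cve_2023_35671_status() {
    release="$1"
    patch="$2"
    major="${release%%.*}"                     # "5.1.1" -> "5"
    case "$major" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if [ "$major" -lt "$AFFECTED_MIN_MAJOR" ]; then
        echo "not-affected"
        return 0
    fi
    if [ "$major" -lt "$FIX_MIN_MAJOR" ]; then
        # Affected release with no fix shipped: only disabling pinning helps
        echo "unfixable-disable-screen-pinning"
        return 0
    fi
    # Android 11+: decide by patch level. YYYY-MM-DD -> YYYYMMDD keeps date order
    pnum=$(printf '%s' "$patch" | tr -d '-')
    case "$pnum" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if [ "$pnum" -ge "$FIX_PATCH_LEVEL" ]; then
        echo "patched"
    else
        echo "update-pending"
    fi
}

# Constructed sample values for a stand-alone run
cve_2023_35671_status 13 2023-09-05
cve_2023_35671_status 10 2023-10-05
```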