Xiaomi smartphones can steal bank card data via NFC

Chinese woman accidentally discovered that its Xiaomi smartphone has the capability to steal bank card data via near field communication.

A report issued by the Nanjing-based Yangtse Evening News states that smartphones produced by Chinese Xiaomi are able to steal bank card data from wireless connections. Rumors reports that a woman from Nanjing has revealed to the newspaper that her new Xiaomi smartphone managed to automatically pick up private account details from a bank card stored in close proximity.

The woman, surnamed Feng, was surprised by noticing that the data was displayed directly on the display of her device, the data sent to the smartphone included the card number stored in close proximity and the account’s last 10 transactions with related amounts and locations.

“Feng, who said she had not accessed her bank account on her phone or entered her password, initially thought it may have been the work of spyware, though she soon realized it was an automatic function because her bank card could still be read even after she closed all running applications.” states the WChina Times.

The journalists at Yangtse Evening News decided to verify Feng’s revelation and confirmed that near field communication (NFC) mode had been activated on her Xiaomi device.

“Near field communication (NFC) is a set of standards for Smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity. The standard describes a radio technology that allows two devices to communicate at a short distance, no more than a few centimeters, allowing the exchange of information quickly and safely.” I reported in a previous post in NFC standards.

The disconcerting discovery made by the experts in charge of the Yangtse Evening News newspaper  is that the Feng’s phone could retrieve details from a microchip bank card automatically in two seconds from within a range of about 10 centimeters.

Now image a classic scenario when in a crowded place, an attacker pass very close to your wallet, in this context, he can steal personal information from bank cards without the victim’s knowledge. We have discussed many times on the security issues related to the NFC and possible abuses of the technology.

Feng declared to be shocked by the behavior of the smartphone and she believed Xiaomi should have warned its customers of this potentially serious security flaw that could expose them to the theft of personal information from bank cards.

“She said when she called customer support she was told that she could simply switch off the NFC function if she had concerns.”

I have no possibility to test the above feature at time I’m writing but I consider the reply provided by customer support not adequate, a bad actor in fact could be able to serve a malware on victims mobile theoretically could turn on the NFC feature and listen to others bank card in close proximity to steal the data and send them to a C&C controlled by attacker.

Really worrying, let’s hope Xiaomi  and other manufacturers will consider seriously the NFC security issues.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Xiaomi, NFC)  

[adrotate banner=”5″]

[adrotate banner=”13″]