NFC on the N9 isn't turned on by default, but once it's enabled, it too will accept malicious content and requests with no prompting. Among the easiest and most damaging attacks are those that use NFC to establish a Bluetooth connection with another device. Once NFC is turned on, an N9 will automatically accept all connection requests with no prompting. Once Miller connects his MacBook to a handset in range, he can force it to make phone calls, send text messages, or upload and download proprietary files, including contact lists. Users can reject requests for unauthorized Bluetooth connections, but they must first select a configuration setting requiring each one to be approved.
But even when N9 users change default configurations so they're notified of such NFC requests, the phones accept file transfers initiated by other users without warning. The N9 then opens an application to render the downloaded file, again without prompting. Miller will demonstrate an attack that exploits a known vulnerability in the Microsoft Word-compatible reader, which is based on the open-source KOffice that ships with the phone. Similar attacks can be launched using booby-trapped PDF files. Using NFC to send a poisoned document to an unsuspecting end user, would make it "easy" to exploit such bugs, Miller said.
"If you know of a PDF bug, instead of trying to e-mail it to the person or get them to go to your website, you can just get near them with NFC and get them to render it," he explained.
Son of credit-card skimming

Most of the attacks Miller described could be waged using a concealed NFC tag attached to a payment terminal or other legitimate NFC-enabled device. For attacks to work, a phone's screen must be active, and when it's running Ice Cream Sandwich or MeeGo, it must also be unlocked. Miller said those requirements provide little protection since the most common attack scenario involves targeting people as they're already in the process of using NFC. Attackers who are targeting someone they know can also call or text their victim before exposing him to a malicious tag to ensure the phone is unlocked.
In a statement, Nokia officials wrote: "Nokia takes product security issues seriously. Nokia is aware of the NFC-research done by Charlie Miller and are actively investigating the claims concerning Nokia N9. Although it is unlikely that such attacks would occur on a broad scale given the unique circumstances, Nokia is currently investigating the claims using our normal processes and comprehensive testing. Nokia is not aware of any malicious incidents on the Nokia N9 due to the alleged vulnerabilities."