Scanning NExT reboots MI 10 into recovery mode

So, as I said in the title.
Yesterday I smashed my MI 9 :frowning: and bought MI 10.
Now the fun part. When I scan my Spark 2 or right-hand NExT everything is fine, but when I try to scan my left NExT screen just turns black with loading circle animation in the middle and after a few seconds it reboots into recovery mode.
Everything was fine on the MI 9.

Update: I’ve just rewritten the tag and everything seems fine, but I still have no idea what was going on.
Only change I’ve made was changing link from custom URL to http://www. in datasheet on the TagWriter app.

1 Like

Lol for me http://www. results in “Unknown Tag Type” while http://www works.
In theory it’s a perfectly valid domain:
http protocol, host www and the . in the end should do nothing.
Someone could host a website on this link if he owns the .www tld.

If you can reproduce it you have founda nice little DoS :slight_smile:

URLs are very strange, they seem so simple but are so hard to parse.

I think my other NExT has still the “custom URL”, so maybe the exploit is actually the… pornhub link I had in there xddd
I was showing the supreme capabilities to my friends :smiley:


That’s pretty interesting

Being able to cause a phone to reboot into recovery via a NFC tag is concerning.

Are you able to replicate this again ?

Android’s NFC stack is pretty fragile apparently. I found a really nifty way of freezing the UI with a simple vCard the other day. If you don’t know how to unlock it, you pretty much have to reboot the phone :slight_smile:

Technically it’s a DoS vulnerability.

Clearly there’s some sort of bug there handling NFC data.

Could be worth looking into more for sure


I haven’t looked into it because I’m struggling to care really. But I’m pretty sure it would be fairly quick to find a way to thoroughly hose an Android cellphone with a properly crafted tag content. The intent system for NFC in Android tries to do so many things in the background before even handing control over to the user or the registered app that there has to be multiple ways of messing with it.

I suspect it’s limited to a OS version or series or phones rather than all of android.

Could be worth a CVE if more details are found about the crash it causes

1 Like