26 December 2012

Risks of QR codes

Malicious QR codes combined with a permissive reader can put a computer's contents and a user's privacy at risk. This practice is known as "attagging", a portmanteau of "attack tagging". Such codes are easily created and can be affixed over legitimate QR codes.

On a smartphone, the reader app's many permissions typically allow use of the camera, full Internet access, reading and writing contact data, GPS, reading browser history, reading and writing local storage, and global system changes.

Risks include linking to dangerous websites that carry browser exploits; enabling the microphone, camera or GPS and streaming those feeds to a remote server; harvesting sensitive data (passwords, files, contacts, transactions); sending email, SMS or IM messages, or DDoS packets as part of a botnet; corrupting privacy settings; stealing identities; and even carrying malicious logic themselves, such as JavaScript or a virus.

These actions could occur in the background while the user sees only the reader opening a seemingly harmless web page. In Russia, a malicious QR code caused phones that scanned it to send premium-rate texts at a fee of US$6 each.
So how does one detect a malicious QR code, or protect oneself against them?


  1. Simple: You don't.

    These problems have been obvious to the security circles from the start and, if anything, it's surprising that it took so long.

    In their current incarnation, QR codes are inherently insecure and this is not likely to change any time soon.

    This is not a problem with QR codes specifically, but with any third-party input to your devices. What's specific to QR codes is that you can not read what they say before you actually allow your device to scan them.

    The more commonplace they become, the more attractive they become as an attack vector.

    The best thing you can do is not to scan them at all.

  2. Steve Gibson of "Security Now!" dedicated a recent episode to this subject (my favorite podcast, BTW).

    One thing that is never mentioned is that even if a QR reader app displayed the URL encoded in the QR code, it doesn't mean that it will make it any safer.

    If I was inclined to create a website that is loaded with Malware to attack a phone, and I planned to use QR codes as the attack vector, then I would obfuscate the URL with a URL shortening service such as Tiny.com, or Bit.ly (http://en.wikipedia.org/wiki/URL_shortening). Then the potential victim wouldn't have a clue as to where the QR would take them.

  3. This is exactly why I'll only use a QR-reader that shows me the contents and lets me choose whether to follow any links, and will never follow a shortened URL from a QR code.

    Last year I needle felted a QR-code cube where each side resolves to a page on random.org that rolls a different number of six-sided dice (1 - 6 dice, of course. Picture: http://www.flickr.com/photos/spiralshannon/5996628052/) I was initially going to use a URL shortener to make less complex QR codes, but then I started thinking further about these potential security problems with codes that give no info about where they will take you and decided it was worth the extra work to put the full link in. That's also when I made the personal rules above...
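The reader policy the commenters describe (show the decoded contents, never follow a link automatically, and refuse shortened URLs whose destination is hidden) can be written down as a small preview-and-classify step that runs between the scanner and the browser. The example below is added here and is not code from the post or from any QR reader app; the list of shortener hosts, the `SMSTO:`/`tel:`/`WIFI:` style action prefixes, and the sample payloads are constructed for illustration. It goes a little beyond the comments by also flagging premium-SMS style action payloads (the Russian incident in the post) and URLs that hide the real host behind a user-info part.

```python
"""Preview-and-classify policy for decoded QR payloads (added example, not the post's code)."""
from urllib.parse import urlsplit

# Constructed list of URL-shortener hosts; a real reader would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Common QR payload conventions that trigger a device action instead of opening
# a page (assumption: these prefixes match what mainstream readers recognise).
ACTION_PREFIXES = ("sms:", "smsto:", "tel:", "mailto:", "wifi:", "mecard:", "geo:")


def classify_payload(payload: str) -> dict:
    """Return what the payload is and which warnings the reader should show.

    The reader never opens anything on its own: 'auto_open' is always False and
    the user decides after seeing the preview line.
    """
    text = payload.strip()
    lower = text.lower()
    result = {"payload": text, "kind": "text", "auto_open": False, "warnings": []}

    if lower.startswith(("http://", "https://")):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        result["kind"] = "url"
        result["host"] = host
        if host in SHORTENER_HOSTS:
            result["warnings"].append("shortened URL: final destination is hidden")
        if parts.scheme == "http":
            result["warnings"].append("plain HTTP: page can be altered in transit")
        if parts.username or parts.password:
            # http://bank.example@evil.example/ shows 'bank.example' first but
            # goes to the host after the '@'.
            result["warnings"].append("user-info in URL: displayed name is not the host")
    elif lower.startswith(ACTION_PREFIXES):
        action = lower.split(":", 1)[0]
        result["kind"] = "action"
        result["warnings"].append(f"triggers device action '{action}', not a web page")

    return result


def preview_line(payload: str) -> str:
    """One-line preview a reader would show before asking the user what to do."""
    info = classify_payload(payload)
    flags = "; ".join(info["warnings"]) or "no warnings"
    return f"[{info['kind']}] {info['payload']}  ({flags})"


if __name__ == "__main__":
    # Constructed sample payloads, not real scanned codes.
    samples = [
        "https://www.random.org/dice/?num=3",   # full link, as in the felted cube
        "http://bit.ly/abc123",                  # shortened, destination hidden
        "SMSTO:1234:hello",                       # would send a text message
        "https://bank.example@evil.example/login",
        "just a plain text payload",
    ]
    for s in samples:
        print(preview_line(s))
```

The point of returning a structure rather than acting on it is that the decision stays with the user: a reader built this way can only show, never follow, and the warnings make the shortened-URL case the commenters worry about visible at a glance.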

