Comments on TYWKIWDBI ("Tai-Wiki-Widbee"): Risks of QR codes
Feed author: Minnesotastan
Updated: 2024-03-28T23:22:41.774-05:00

Shannon, 2013-01-10T19:08:39.099-06:00

This is exactly why I'll only use a QR-reader that shows me the contents and lets me choose whether to follow any links, and will never follow a shortened URL from a QR code.

Last year I needle felted a QR-code cube where each side resolves to a page on random.org that rolls a different number of six-sided dice (1 - 6 dice, of course. Picture: http://www.flickr.com/photos/spiralshannon/5996628052/). I was initially going to use a URL shortener to make less complex QR codes, but then I started thinking further about these potential security problems with codes that give no info about where they will take you and decided it was worth the extra work to put the full link in. That's also when I made the personal rules above...

Ron Larson, 2012-12-27T09:17:25.792-06:00

Steve Gibson of "Security Now!" dedicated a recent episode to this subject (my favorite podcast, BTW).
http://twit.tv/show/security-now/382

One thing that is never mentioned is that even if a QR reader app displayed the URL encoded in the QR code, it doesn't mean that it will make it any safer.

If I was inclined to create a website that is loaded with Malware to attack a phone, and I planned to use QR codes as the attack vector, then I would obfuscate the URL with a URL shortening service such as Tiny.com, or Bit.ly (http://en.wikipedia.org/wiki/URL_shortening). Then the potential victim wouldn't have a clue as to where the QR would take them.

Minnesotastan, 2012-12-26T19:36:01.490-06:00

Thank you, Richard.

RichiH 'RichiH' Hartmann (http://richardhartmann.de/blog), 2012-12-26T19:27:13.976-06:00

Simple: You don't.

These problems have been obvious to the security circles from the start and, if anything, it's surprising that it took so long.

In their current incarnation, QR codes are inherently insecure and this is not likely to change any time soon.

This is not a problem with QR codes specifically, but with any third-party input to your devices. What's specific to QR codes is that you cannot read what they say before you actually allow your device to scan them.

The more commonplace they become, the more attractive they become as an attack vector.

The best thing you can do is not to scan them at all.