Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Using QR Codes For Malicious Purposes

Check Point : 31 January, 2012  (Technical Article)
Check Point provides some background on emerging Quick Response codes and how they can be used to exploit browser curiosity and lead them to exploit sites
Using QR Codes For Malicious Purposes

QR codes are intended to help direct users quickly and easily to information about products and services, but are also starting to be used for social engineering exploits.  Check Point’s UK MD, Terry Greer-King, looks at the emergence of QR scan scams

You don’t have to look far these days to spot a QR code.  From their humble beginnings in labelling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.

They’re a jumping-off point from the offline to the online world – you just scan the code with your smartphone to launch the digital content triggered by the code.  This makes them a marketeer’s dream because they make it easy to direct users toward information and services.  What’s more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.

However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware.  The concept of ‘drive-by downloads’ is already well established as a stealth weapon for stealing users’ sensitive details, and QR code offers a new angle on this old trick.

The issue is that users have to trust the integrity of the code’s provider, and assume that the destination it leads to is legitimate.  This is almost impossible for individuals to gauge, because the QR code actually conceals the site and content it leads to.  And as we’ve seen in social engineering exploits from the email worms of the early 2000s, triggering human curiosity to see what might happen when an attachment is clicked, or a QR code is scanned, often leads to big security problems.

Furthermore, QR code-scanning applications running on smartphones can provide a direct link to other smartphone capabilities, such as email, SMS, and application installation – further extending the potential risks to mobile devices.  Let’s look at how a potential QR code-based exploit could be mounted, and then at how to defend against it.

The first step in mounting a QR exploit is to distribute the code itself, to get it in front of potential victims.  This could happen by embedding the QR code in an email – making it an elaborate phishing exploit – or by distributing plausible-looking physical documents with QR code on them, for example flyers at a trade show, or even stickers applied to genuine advertisement billboards.  

Once the QR code is distributed, then the attacker has a multitude of scam options to choose from.  At a basic level, the code could simply redirect users to fake websites for phishing purposes – such as a fake online store or payment site.  This exploits smartphones’ small screens, and the fact that the user may be in a rush, to obscure the difference between the fake and real site in the hope of capturing more user details.

More sophisticated exploits involve hackers using the QR code to direct users to websites that will ‘jailbreak’ their mobile device – that is, allow root access to the device’s operating system, and install malware.  This is essentially a drive-by download attack on the device, enabling additional software or apps such as keyloggers and GPS trackers to be installed without the user’s knowledge or permission.  

Perhaps the biggest potential risk to users is increasing uptake and use of mobile payments via smartphones.  With the ability of QR codes to jailbreak devices and tap into applications, this could give virtual pickpockets access to mobile wallets, especially as QR-based payment solutions already existing and in use.  While uptake of these is currently small, it will grow as public acceptance of QR increases.  

So what can organisations and individual users do to mitigate risks from QR codes?  The most important precaution is being able to establish exactly what link or resource the QR code is going to launch when it is scanned.  Some (not all) QR scanning apps give this visibility and – critically – ask the user to confirm they wish to take the action.  This gives the opportunity for users to assess the link’s validity before the code is activated.  

For corporate smartphones, consider deploying data encryption so that even if a malicious QR code manages to install a Trojan on the device, sensitive data is still protected and not immediately accessible or usable by hackers.

In conclusion, the risks presented by QR codes are really a new spin on well-established hacking tricks and exploits.  The security basics still apply – be cautious about what you scan, and use data encryption where possible.  Or put simply:  look before the QR leap.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo