
Beware of QR codes

QR codes are a disruptive technology. Find out why bad guys are happy about that.

As a journalist, I try to remain unbiased. But, as a consultant, I owe it to my clients to be honest. So, I'm telling everyone to be leery of QR codes -- they're evil.

What are QR codes?

Quick Response (QR) codes are bar codes; they just look different. That's because QR codes use segments -- like pixels on a monitor.

The more familiar bar codes, by contrast, use vertical lines of varying thickness.

QR codes were developed in 1994 by Denso Corporation, a Japanese company affiliated with the car-manufacturing industry. By using segments, QR codes provide several enhancements. To start, a QR code can handle significantly more data than the 20 characters afforded by UPC bar codes (courtesy of Denso).

And, QR codes:

  • Utilize two dimensions, making them smaller physically.
  • Have built-in error correction, allowing data retrieval from dirty or damaged surfaces.
  • Can be scanned faster and from any direction.

The following slide explains the different parts of a QR code (courtesy of Wikipedia).

They may not be all bad

Remember my describing QR codes as evil? Well, an old guy can change his mind, can't he?

While preparing this article, I had a minor epiphany. QR codes do have a place. They allow me to provide digital information in a non-electronic format -- my business card, for example. I have several websites and email addresses listed on the card. Pre-QR codes, people were required to input the information manually. With QR codes, it's a simple scan.

Apparently, others have figured this out a lot sooner than I. For example, Dr. Shilpy Pattar's blog "5 Uses of QR Codes in the Classroom" discusses how QR codes help teachers and students focus on what's important -- learning.

QR codes everywhere

I began spotting QR codes everywhere and driving my son nuts, "Look, this one is really cool. Oh wait, there's another one." That hyperactive curiosity nearly got me in trouble.

Not wanting any further part of my great adventure, I had to fend for myself at the local coffee house. While waiting for my decaf, a poster caught my attention. It had a QR code. Acting sufficiently cool, I scanned the code, and started to tap the link. I stopped.

Something's not right

Something about the URL was off. Then I spotted it, the number zero instead of a lower-case O. I knew what that meant right away. Digital bad guys were on the hunt. Setting up malicious websites using domain names that are misspellings (typosquatting) of popular websites is a common ploy. PaypaI.com is a good example. Did you notice the upper-case I instead of a lower-case L?

Upon examination

I took a closer look at the poster. Someone had placed a printed QR-code sticker right on top of the real QR code. Sneaky. After I got home, I called William Francis -- my Android investigative cohort -- and told him about my experience. Here's what William had to say:

"It's fortunate that your QR-code scanner happened to be Google Goggles. It and ZXing Barcode Scanner are the only two I know of that preview a scanned link before taking any action. ShopSavvy -- probably the most popular QR-code scanner -- does not preview the data."

William continued with the following example:

"It's an issue of user education. If my son scans a QR code, and a notification pops up saying 'Sprint System Update', he will tap it. Furthermore, if it asks him 'Do you want to install the update?' he will likely say yes -- not realizing that Sprint has nothing to do with the app in question."

William's comment about user education jolted my memory. We created an example once before -- R U @ RISK -- to help explain an Android permissions issue. I asked if we could do something similar now. He thought we could.

You have a system update

It's time to put your pretend propeller hat on.

You have a world-famous app from MKassner.Net -- I did say pretend -- on your smart phone. You receive an email from MKassner.Net. It suggests you scan the following QR code to download an update that fixes an exploitable vulnerability.

The next slide is what it looks like on my phone after scanning the above QR code. I encircled what's embedded in the QR code. To avoid any confusion, I wanted to mention you may see different results depending on what version of Android is installed.

The next slide confirms the app has been downloaded and is ready to install. William even made the app look official, just like the bad guys would.

Now, it's time for the brave souls who have been following along to click on the .apk and see what happens. If you see the next slide, the setting "Allow install of non-Market applications" is not checked.

Clicking on the Setting button will bring you to the following slide.

Some pundits consider this setting a security feature. Trouble is, it's not insurmountable. If the setting had been checked, or the application had been downloaded from Android Market, sys_update.apk would have installed automatically.

Final thoughts

First and foremost, keep in mind the security advice you've accumulated about live links in emails and on websites. All of it applies to QR codes. For example, URL shorteners come into play with QR codes, and I'm betting that the bad guys will use them to obfuscate the actual URL.
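As an added example (not code from the article, nor from any scanner it names), the following Python check performs the "preview before acting" step the article recommends: it folds look-alike characters such as the 0 for O and the upper-case I for l in PaypaI.com before comparing the host to domains the user expects, and it also flags the URL shorteners and direct .apk downloads discussed in these final thoughts. The trusted-domain list, the shortener list and the confusable map are assumptions made for the example.

```python
"""Pre-flight check for a URL decoded from a QR code.

Added example, not code from the original article or from the scanners it
names. It generalises the article's two hand-spotted cases (0 for O, I for l)
into a reusable check a preview-capable scanner could run before acting.
"""
from urllib.parse import urlparse

# Characters that are easy to mistake for letters on a phone screen. Each
# look-alike is folded onto the letter it imitates before comparing with the
# trusted list, so "PaypaI.com" folds to "paypal.com". (Assumed map.)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "I": "l", "|": "l",
                             "5": "s", "3": "e"})

# A few well-known shortener hosts (constructed list for the example).
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}


def raw_host(url) -> str:
    """Host exactly as written in the payload (case kept), minus userinfo and port."""
    return url.netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def fold_host(host: str) -> str:
    """Fold confusables first (so upper-case I becomes l), then lower-case."""
    return host.translate(CONFUSABLES).lower()


def inspect_qr_payload(payload: str, trusted_domains) -> list:
    """Return human-readable warnings; an empty list means nothing looked odd."""
    findings = []
    url = urlparse(payload.strip())
    if url.scheme not in ("http", "https"):
        # Not a web link at all: tel:, sms:, market: and friends deserve a look.
        findings.append(f"unexpected scheme '{url.scheme or '(none)'}'")
        return findings
    host = raw_host(url)
    lowered = host.lower()
    trusted = {d.lower() for d in trusted_domains}
    if lowered in trusted or any(lowered.endswith("." + d) for d in trusted):
        pass  # exact (or sub-domain) match against a domain the user expected
    elif fold_host(host) in trusted:
        # Same host once look-alikes are folded: the typosquatting trick.
        findings.append(f"look-alike host '{host}' imitates trusted '{fold_host(host)}'")
    else:
        findings.append(f"host '{host}' is not one you expected")
    if lowered in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    if url.path.lower().endswith(".apk"):
        findings.append("link downloads an Android package directly")
    return findings


def safe_to_open(payload: str, trusted_domains) -> bool:
    """True only when the preview raised no warnings at all."""
    return not inspect_qr_payload(payload, trusted_domains)
```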

William wanted to add:

  • Remember, QR code exploits depend on the user being uninformed. When scanning QR codes, have some idea of what you expect to happen.
  • Don't leave the "install from unknown sources" option enabled. If for some reason it needs to be enabled, be extra vigilant when scanning QR codes. There is one less layer of protection between you and the bad guys.
  • If during the process of scanning a QR code anything seems fishy -- it probably is.

One last thing, William and I are really curious. What did you think of his app -- sys_update.apk?

Update (10 Jan 2012): I wanted to ask a favor. There seems to be confusion as to whether the setting "Unknown sources. Allow installation of non-Market applications" is available on different phone systems. If you could let us know your circumstances, it would be appreciated.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

75 comments
Deadly Ernest

First, I NEVER scan anything directly in for auto processing; that's JUST ASKING for trouble, big trouble. Second, until I saw this I thought the QR stood for Queer Reader -- thinking about it, maybe that's a more appropriate name, anyway.

Sara_

The box of cookies I bought has a QR code on it, and it directs me to their shop when I scan it. It encodes a URL.

Iris_1990

I've used QR codes for a few years. It's my first time hearing that one should beware of QR codes. Interesting. I'll read this carefully.

mithun22

I cannot open my Quick Heal settings; it says to enter a password. Please help me.

pavlado2012

I work for a big company and the only time we use QR codes is when we connect printed ads with our online strategy. The bad thing is that QR codes look poor. But as always there are a lot of customization options, and now I found also an app with predefined QR graphic styles (http://iqr.hrubasko.com/).

Kristin2626

I use an iPhone and the two apps you listed for Android aren't available. Not that I scan QR codes all that often though.

Paul A Thomas

Interesting article, an issue I hadn't thought about to be honest. QR Codes that can be trusted 99.9% of the time will appear on or in:

  • Magazines and newspapers
  • Billboards
  • Building facades
  • Company brochures
  • Trusted websites such as cinema or official movie sites
  • Train and bus ads and posters
  • Product cartons and packaging

I doubt that anyone with malicious intent would pay to run a magazine advert using a deceptive QR Code. Could happen, but I doubt it. Deception is a key for attackers, "click here to speed up your PC for free" ... yep, people are easily fooled. But now there is the possibility of a more sinister plot where the code is promoted as a coupon, discount, whatever... it's shiny so people will scan away!

What I do with the QR Codes I create for my clients, if it is on their website, is to make the image a link to the same place as the QR Code or, I link it to the QR Code reader app download page. People using a smartphone without a reader can click the QR Code to get the app!

At the business level, set a policy for staff so that they understand the risks involved and what is acceptable. It boils down to common sense. Sadly though, ID-10T problems are ingrained at the user level. For legitimate use, I think QR Codes are great and are helping my clients gain more business!

[Edit] My HTC Desire is set not to accept installs outside Android Market by default. I never scan QRs without investigating or knowing the source. Sorry, I didn't try to scan your QR Code Michael, no offense, but I love my HTC and it's in pristine condition... no Angry Birds on this baby!

kumaran.pec

I am using a Nexus S phone. I went for the Google experience. I have manually updated it to the 4.0 (ICS) version. It does have the setting to enable installation of non-Market applications, which I have disabled. The only time I ever enabled it was to install "Swype". I do not have a complete idea of why it is not available via the Market. But other than that I will always disable that option. I really like your effort for user education. I have used QR codes, but in a limited volume. It's good to know that the Zing QR scanner has some checks regarding the links, as it is the one I am using now. Keep posting more articles.

Who Am I Really

I've seen lots of them, but since my phones can't "see" them (no camera), I've not had any problems with them, other than the only thing those codes do is bug my eyes a bit. Interesting, the one in the article looks like a frowny face; is it a functional QR?

lshanahan

Frankly, this is one of those technologies that has been around for some time that is suddenly coming to the fore because now it is becoming practical for consumer use and profitable for business to create them. Previously, you could not scan barcodes without purchasing a device costing several thousand dollars, but now all you need is a smartphone. The best way to handle these QR codes is to think of them as any other type of Internet-related advertising (which is the entire purpose), with all the caveats and cautions thereunto pertaining. They're somewhat less obnoxious because you actually have to pull out your smart device and perform a scan, unlike say, banner ads and spam, but still indiscriminate scanning has its risks.

boucaria

Or should I say, should I be warning staff I support about "potential" risks with QR scans ? I hate cleaning up after the case, especially when someone has either clicked on a link or received a file that loads a keylogger. In two cases I have had to help people clean up PCs and desktops, and then help them when their bank has allowed fraudulent transactions to occur because of the keylogger. If you have a good case about security problems, I find that most security officers will help convey the knowledge, or better put, they lock down the access through the gateways. The process I find better is inform the staff as best as possible, and then this minimizes issues. It works for me since the main area I work with has had the best running computers, and the least amount of basic problems, and no virus issues, even network based virii ( as soon as an issue occurs, they disconnect the PC/Laptop from the network). Anyway, the QR issue, if it is one, seems to be something that may be worthwhile checking, and even if it only has one event occurring in the world, then great... the less the better. Educate staff, educate people, and advise on what to do.

wyattharris

I don't have a QR scanner app on my phone. You're going to laugh, but the only QR scanning I've done is grabbing Pokemon AR codes for my son's Pokedex 3D on the 3DS. You can also scan and generate AR (QR) codes for Miis on the 3DS. I tried scanning random QR codes, but there is a specific format to the real ones, so they were unrecognized. Still, very informative article, I learned a lot. And now I've got one more thing to be wary of. ;)

JoshtheGeek

People, particularly consumers and teens, are becoming much more aware of QR codes. Last year Macy's ran a "Backstage Pass" promo featuring QR codes. The ads were on TV, in stores, and in print media. (You can view it on their website here: http://www1.macys.com/campaign/social?campaign_id=207&channel_id=1&cm_mmc=backstage-_-vanity-_-n-_-n) Taco Bell and Pepsi joined forces in a Mountain Dew promo and printed QR codes on Mountain Dew themed drinking cups last year. I flip open a copy of Golf Digest and there's a QR code. Car and Driver - QR code. Sports Illustrated - QR code. You get the idea. They are not as rare as they were 12 months ago. Advertisers are catching on to their potential uses and are directing consumers to install QR reader apps if they do not already have one on their phone.

themeadows2

I use QR Droid on my phone. It allows you to preview the text and decide what to do with it.

Ceciliaxw

Interesting article, as I'm just about to meet someone that is going to tell me about his new project: Synertag.com. Here is what it promises:

"Why use SynerTAGs? SynerTAGs are the future of mobile media communications access by creating a secure bridge to mobile websites and apps. SynerTAGs provide consumers with confidence that the QR Code they are scanning is both safe and secure. What makes SynerTAGs safe and secure? SynerTAGs are created with a proprietary code generator engine that creates a custom QR Code that has a dedicated URL connection to the SynerTAG cloud network. SynerTAGs can be re-directed to almost any kind of website or app as long as the targeted URL passes the SynerTAG engine safety tests. These tests check for malicious code, executable files (potential viruses), dead links & problem landing pages."

Any feedback on this company? What should I be looking for? Meeting is in two hours; any feedback is greatly appreciated.

lshanahan

I work with barcodes daily; they're integral to my field. ALL barcodes are essentially text in another format. Some barcodes are actually just fonts, while others require mathematical encoding for error-correction and such. They encode text strings into various symbologies: UPC, Code 39, Datamatrix, PDF417, etc. QR is just another symbology, and has the advantage that it can be read by smartphones instead of requiring a purpose-built reader. Thus, the smartphone is going to resolve ANY QR barcode to whatever text it encodes - malicious URL or not. Although there is no way I can think of to "hijack" a barcode scan (i.e. changing the decoded scan to something other than what is contained in the barcode), if a barcode encodes a malicious URL, it decodes to a malicious URL - period, end of sentence. As pointed out by other posters, this does limit initial distribution significantly, but it's still possible to use it as a vector for, say, an initial infection that could then be further spread via security holes in the victim's smartphone. Long and short, barcodes are just very compact, machine-readable text. The security problem lies in what text is encoded and what the scanning device does with that data once it is decoded. There is effectively no difference to a computer or smartphone between scanning a barcode and typing in the data strings encoded in that same barcode on a keyboard.

rigacci

I was about to install your app when I saw that he named it sys_update! I don't know about you, but I do not want my "System Updated", even if it appears to be legit. Not exactly the perfect choice of a name for it. Can you tell me what to expect, or rename it to something more "conservative", and I would be more at home with installing it. I too am big on security, and smartphones are becoming as susceptible to malware and redirections as a PC. I like the Android, but anyone that thinks it is safer or better (same as Mac) is naive. We are all under attack!

duane_paulson

When I took a screenshot of the QR code and ran it through libdecodeqr-simpletest in Debian Squeeze.

Michael Kassner

Could you explain this better: "I link it to the QR Code reader app download page. People using a smartphone without a reader can click the QR Code to get the app!" Are you saying the QR code also has a hyperlink? Thanks

Michael Kassner

Appreciate your comments. And we will keep working on articles to be sure.

Michael Kassner

You are the first one to mention that it's a sad face. And it is not functional.

Michael Kassner

I do see one difference, the amount of storage. Without that, I doubt we would see them used as much as they are.

Michael Kassner

I've been at this for over 35 years and I have never felt it wrong to pass along information that might keep people safe and the infrastructure secure. This sort of thing might affect employees outside of work and being aware might save them some personal grief. Just a thought.

AnsuGisalas

It has the small square for orientation, but seems to lack the three large ones for position.

Michael Kassner

Another member mentioned something that I had not considered. Ad companies now have another way to glean information. So permissions given to the QR code reader become critical.

Michael Kassner

Appreciate the information and you taking the time to provide it.

lshanahan

I found this rather interesting paragraph: "DATA COLLECTION & MANAGEMENT SynerTAGs collect useful data when scanned by your customer's smart phone which is then converted to a PDF statistics page." With so many concerns these days about consumer privacy, etc., I would definitely want to know what's being collected and how it is used. And as to Michael's question about whether or not it is actually being verified, there isn't any way short of previewing the decode and making sure it is going where it is supposed to, and how a user is to verify this is beyond me since it would be very difficult for them to know what the decode should be. The thing to keep in mind about barcodes regardless of symbology is they all boil down to machine-readable text. They were created pretty much as a more accurate alternative to OCR.

Michael Kassner

I have not heard of the business. Interesting. I checked their site. It seems proprietary -- thus no vetting. Does it mean a special client? How does the user know it is actually being vetted by SynerTAG? What is their EULA as traffic appears to travel through their system first? Please let us know what you find out. And, thanks for mentioning SynerTAG. I am really curious.

Michael Kassner

I appreciate the information you provided. It cleared up a question I had. I will humbly suggest one difference between scanning and typing. You know what you are typing in. As I mentioned in the article, most scanners do not offer a preview, that is not good from our perspective.

Michael Kassner

To be honest, your reaction is what we are hoping for. But, not what we are getting. Others see it completely opposite -- "I better update". The app just opens another browser and brings you to the article's web page. We do not want to mess anyone's phone up. Your comment has me thinking. The bad guys probably understand who their targets are and focus the app name on what will entice them to install it.

Michael Kassner

We talked about doing something cute or have the app be more representative of malware -- such as have it pop open a window the next day. But, we thought that might not be appreciated. The important thing is that you are now aware of what is possible. Thus, malicious QR codes will not be a problem for you.

Paul A Thomas

If someone visits a web page using a smartphone or tablet there is no way they can scan the QR Code... they are using the device to access the web page that has the QR image. If you add a hyperlink to the QR Code image it can take the visitor to a QR Code reader app on Android Market or on the App Store. Alternatively, it can be a link to the QR Code destination URL etc. Otherwise it's a bit like trying to touch your right elbow with your right hand...

What I normally do is place a QR Code with, say, a link to a client's location map [in the code]. The QR image then links to a popup video telling the user what a QR Code does. If they are on a computer or hand held device they can watch the video and learn about QR Codes. I also place two text hyperlinks on the page; one says "Click to get your free QR Code Reader App for Android" and the other says the same for iOS. Regardless of the device the user has, they can either find out what a QR Code is, and get the app, or view the map which is embedded on the web page anyway! Scanning the QR Code will let them save the location on their phone or tablet, helping them find their way to the store!

We really need to start thinking about how mobile use is increasing and cater to the hand held device users as much as desktop users. One of my clients receives 580+ visitors/month just from users on mobile devices! Last year it was 184 mobile visits for Nov to Dec 2010. A big jump in twelve months!

Once again Michael, this was a great article, thank you for sharing and going to the trouble of setting up the QR demo code and all, much appreciated. Cheers, Paul

Who Am I Really

But some things just really stand out, like green or blue hair would at a Baptist convention.

wyattharris

Using the 3DS' 3D camera you hold it up to something like this: http://www.pokemonaus.com/wp-content/uploads/2011/06/PokeDexGuide1.png in the Pokedex and it scans them and they come to life and start popping into your database and moving around on the screen. The Pokedex codes look proprietary but they only need to unlock info already in the database. Or you can scan something like this in the Mii Maker: http://livedoor.blogimg.jp/ted2011/imgs/b/0/b09bef00-s.jpg and it reads it and creates a little Mii out of the code. You can then generate your own Mii AR codes for other people to scan inside the program. It's very restricted. Like I said, I tried scanning a random QR code and it wouldn't accept it. Now that I look at the Mii codes I recognize the different information zones you described.

Michael Kassner

A red alert in my world. Being a profit center, we will see more of it.

lshanahan

> I will humbly suggest one difference between scanning and typing. You know what you are typing in

Sorry, I wasn't clear enough. It is different to the user, but as far as a computer or smart device is concerned, it is the same thing. You're basically getting a string of characters from the decode, making any kind of automated screening particularly difficult. And I agree, giving a user a preview and asking for confirmation is a very good idea. You also have to consider the possibility of incorrect decodes due to badly-printed or damaged barcodes (even with the error-checking built in to certain symbologies) as opposed to the case of someone deliberately encoding a malicious URL.

wizard57m-cnet

try naming your app something like "Brittney_Spears_nude.apk" or "Paris_Hilton_Uncensored.apk", THEN sit back and watch the downloads! edit to add: You would probably want to create a new page to bring up rather than link to this article...something along the lines "Didn't anyone ever tell you not to click on links you are unsure of?", then link to the article.

Michael Kassner

Thanks for sharing that information. I am game-challenged, so I know virtually nothing about that subject.

Michael Kassner

You provided much to think about. I would be curious to learn your approach to QR codes. I'm a bit apprehensive, but darn they are convenient.

Michael Kassner

I'm sure they would disable my TR WordPress account.