I learned a great deal writing this article. My hope is that you will as well.
As for William's app, we were torn about what it should do. We settled for a rather benign outcome. Please make no mistake, bad guys aren't into benign.
The QR code is a type of matrix bar code designed for the automotive industry. More recently, the system has become popular outside of the industry due to its fast readability and comparatively large storage capacity. We can set links for the pages for focusing customers. My generator is unable to produce games accurately. Could you please produce some attachments for the more detailed view? I work on the code generation side. I need the conversion of VB for the SQL databases in my projects. I am currently using an offline QR code generator. It is an older one, and now it is having some problems and not providing the results accurately.
QR code generator
QR codes
A couple of points...
Of the billions and billions of QR Code scans that have taken place in Asia and the West I have yet to find a real world example of one code resolving to a malicious URL. I did read of one recently reported by an Eastern security software company but they were unable to supply me with any details.
Your experience of "code-jacking" or "code-switching" is so rare in Japan that I cannot find anyone when I am there who has heard of it. However I have one example from Hamburg, one from Paris and now yours in the US. You don't say if yours resolved to a malicious site but the other examples were activist switches and harmless.
Roger
Editor: 2d-code magazine.
I appreciate your advice and as I mentioned I am all for QR codes.
But, first and foremost, I am for IT security. So informing everyone of the potential is of utmost importance. Email and website links are similar in many respects and as user awareness improved, damages decreased.
QR codes are a bit more benign, they do not require electronics. So, they're going to be everywhere in short order. If a "proof of concept" helps people become more aware of what's possible, that's a good thing.
people are just beginning to realize that their smartphones can read these things.
That makes the target sort of small. It also requires a lot more foot-work than normal malcode dissemination, making it more useful for grass-roots movements (to attack a QR-code-using ad campaign by a hated entity) than for people trying to make an illegal profit.
But that will change when QR codes hit the mainstream. The bad guys already have stuff on the drawing boards for that event. Soon as it is profitable, it will happen.
I'm not familiar with your magazine, but I question your research, Roger. Here is a real world example from last October of a malicious QR code that cost people thousands of dollars in text messaging fees.
http://blogs.mcafee.com/mcafee-labs/android-malware-spreads-through-qr-code
I wouldn't consider an activist switch harmless. It may not cause a malware infection or reveal personal information, but any use of a code to misdirect an unsuspecting person to a website other than the one they are expecting has potential to cause harm. Knowing how radical some activist movements can be, the websites they redirect to can cause psychological trauma. Your young daughter scans a link to view the details of a fur coat that she thinks is pretty, for example, and instead is flooded with images of thousands of bloody animal carcasses. Is that really harmless?
Even if the misdirection is benign, it can make other people aware of how easy it is to use QR codes to misdirect people. This will only result in increased QR code malware ranging from pranks to all out information and financial theft.
I am not against QR Codes any more than I am against any other bar code format. The point is there is a greater need for user education and awareness. Most people now, after years of hard work by IT Security professionals, know better than to just click on any link they receive in an email. QR codes need to be treated with the same level of caution.
As always I find your articles very interesting. As I don't have a Smart Phone, I can't try out the app and of course I am impervious to any malware from this vector. The more security things that you show me, the more I wonder if Smart Phones are smart at all.
The phones are fine. It's what we try to do with them that gets us into trouble. I also see parallels when desktops were new. It just takes time to sort it all out. Technology moving at a faster pace doesn't help either.
As I also don't have (or want) a smart phone. Remember, kids, if you put info on your business card in QR format, make sure you also print the plain text.
I admit it, I'm addicted to my smart phone. I don't have to drag my notebook with me all the time.
As well as the part about using them in a classroom since not everyone has a smart phone or even wants one (like me).
I've also seen the potential since just about every sign, poster, commercial, or anything big enough to slap one of these on has one, it would be very easy to direct someone to a malicious site.
I think it will just be another avenue. Many classes I attend, have individuals without computers. The professor makes sure to provide what is required in multiple formats.
Out of curiosity, I searched for QR-code readers for computers. It's almost funny, the hoops one must jump through to read one correctly.
I've been in the IT industry for 13 years now, having spent 7 of them at Microsoft, and recently I decided to go back to a "dumb" phone. Between GPS tracking, malicious software, the increasing cost, and now the potential for QR exploits I'm just tired of it all. For years now I've felt that neither my PC nor my smartphone were actually secure. And Microsoft's consistent monthly releases of exploit code vulnerabilities in their security bulletins does nothing to alleviate my concerns.
I'm buying a Mac and keeping my dumb phone. And yes I realize that the only reason there aren't more exploits for Macs is because there aren't as many of them out there, and that is changing also.
Maybe it's just time to scale back from technology, brew a cup of tea and sit down for a face to face conversation with a physical, rather than virtual, friend.
Apologies for the tangent. Great article Michael.
I like this:
"brew a cup of tea and sit down for a face to face conversation with a physical, rather than virtual, friend."
But, I would never, ever want to change the fact that I have hundreds of digital friends, who are dear to me as anyone. Through them, I learn and experience so many things. For instance, I met you, and I'm better for it.
We just have to figure out how to stay safe. One member brought SynerTAG to my attention. A company already working on this problem. Who knows?
Great work, Michael! This really made me think.
The physical manifestation may make some people "think" it to be more trustworthy than the non-physical data. It's really more "not think" than "think", but that would have been ambiguous
Trouble is, if you say "Don't scan a QR code that you don't know to be trustworthy", much of the uses of QR codes are defeated, since very very few will actually be known to be trustworthy. After that they're really just "Somebody Else's Problem" stuff, that people will simply not see. Which is ok.
But the people who want or need to use them will not be much helped. It's painfully easy to counterfeit a printed product, replacing the QR code but leaving the rest untouched. And proof-readers generally don't go wondering about the QR codes, so factory-level insertion is all too easy, too.
What would be needed, at an OS level, is a link-checker. It would need to use a "bluelist" (made that one up, sorry if there's a proper name), not a blacklist or whitelist, but instead a list of genuine links TO BE PROTECTED FROM LOOK-ALIKES. Makers of scanner text-recognition software must already have a good idea about telling a program to notice what constitutes a probable look-alike.
One additional way to handle parts of this, independently of lists, would be to require the user to type in the domain of every link they want to visit : that means www.paypaI.com will not be verified, since the user will reveal that they think it reads www.paypal.com instead. Most domain names aren't prohibitively long, and it's much less likely that www.paypal.com would host illicit pages at their site... in any case, while an attacker could achieve that, I believe it would put the financial liability on paypal, not on the user.
And... block link-shorteners. That's a service that has too many problems.
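The "bluelist" and type-the-domain ideas from the comment above, sketched as an added example (not code from the article or from any commenter). The protected-domain list, the confusable-character table and the last-two-labels shortcut for the registrable domain are assumptions made for illustration; a production checker would use the Public Suffix List and a fuller confusables table.

```python
import re
from urllib.parse import urlsplit

# Constructed "bluelist": genuine domains to be protected from look-alikes.
BLUELIST = {"paypal.com", "example-bank.test"}

# Small, constructed table of characters that are easily misread for others.
_CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})
_HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def skeleton(domain):
    """Fold visually confusable characters so look-alikes compare equal."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(_CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(decoded_text):
    """Host name inside the text a scanner decoded, or None if there is none."""
    text = decoded_text.strip()
    if "://" not in text:
        text = "//" + text          # let urlsplit treat a bare domain as a host
    try:
        host = urlsplit(text).hostname   # urlsplit lowercases the host
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")
    return host if _HOST_RE.fullmatch(host) else None


def registrable(host):
    # Assumption: the registrable domain is the last two labels.
    return ".".join(host.split(".")[-2:])


def check_link(decoded_text, bluelist=BLUELIST):
    """Return (verdict, protected_domain) for a decoded QR payload."""
    host = host_of(decoded_text)
    if host is None:
        return ("no_host", None)
    reg = registrable(host)
    if reg in bluelist:
        return ("genuine", reg)
    left_labels = host[: -len(reg)].rstrip(".")
    for good in sorted(bluelist):
        same_look = skeleton(reg) == skeleton(good)
        near_typo = len(good) >= 6 and edit_distance(skeleton(reg), skeleton(good)) <= 1
        # Protected name used as a subdomain of some other registrable domain.
        buried = good in left_labels
        if same_look or near_typo or buried:
            return ("lookalike", good)
    return ("unlisted", None)


def typed_domain_matches(decoded_text, typed_domain):
    """Type-the-domain check: what the user believes they read must equal the real host."""
    host = host_of(decoded_text)
    return host is not None and host == host_of(typed_domain)


if __name__ == "__main__":
    for sample in ("http://www.paypal.com/signin", "http://www.paypaI.com/",
                   "https://paypal.com.login.example/x", "https://techsite.example/a"):
        print(sample, "->", check_link(sample))
```

Because DNS names are case-insensitive, `www.paypaI.com` is really `www.paypai.com`; the checker flags it against the protected `paypal.com`, and the typed-domain comparison fails for the same reason.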
I'm still coming up with all sorts of ideas.
Lists may be the answer, but like prior solutions -- they are reactive. I'm hoping for something proactive for once.
It would be better if it read "QR codes are an efficient technology. Find out why bad guys are happy about that."
Leaves no foot-holds, being all objectively true.
Bad guys love efficiency. Efficiency and convenience both.
More, faster, easier...
I just think people working with QR in, say, a warehouse environment, wouldn't understand immediately how QR is disruptive 
To some people it's just a bar code.
You are doing much better than I would be at 2:37 in the morning.
when i took a screenshot of the QRcode and ran it through libdecodeqr-simpletest in Debian Squeeze.
We talked about doing something cute or have the app be more representative of malware -- such as have it pop open a window the next day. But, we thought that might not be appreciated.
The important thing is that you are now aware of what is possible. Thus, malicious QR codes will not be a problem for you.
I was about to install your app when I saw that he named it sys_update! I don't know about you but I do not want my "System Updated", even if it appears to be legit. Not exactly the perfect choice of a name for it.
Can you tell me what to expect or rename it to something more "conservative" and I would be more at home with installing it.
I too am big on security and SmartPhones are becoming as susceptible to malware and redirections as a PC. I like the Android but anyone that thinks it is safer or better (same as Mac) is naive. We are all under attack!
To be honest, your reaction is what we are hoping for. But, not what we are getting. Others see it completely opposite -- "I better update".
The app just opens another browser and brings you to the article's web page. We do not want to mess anyone's phone up.
Your comment has me thinking. The bad guys probably understand who their targets are and focus the app name on what will entice them to install it.
try naming your app something like "Brittney_Spears_nude.apk" or
"Paris_Hilton_Uncensored.apk", THEN sit back and watch the downloads!
edit to add:
You would probably want to create a new page to bring up rather than
link to this article...something along the lines "Didn't anyone ever tell
you not to click on links you are unsure of?", then link to the article.
I work with barcodes daily, they're integral to my field. ALL barcodes are essentially text in another format. Some barcodes are actually just fonts, while others require mathematical encoding for error-correction and such. They encode text strings into various symbologies: UPC, Code 39, Datamatrix, PDF417, etc. QR is just another symbology, and has the advantage that it can be read by smartphones instead of requiring a purpose-built reader.
Thus, the smartphone is going to resolve ANY QR barcode to whatever text it encodes - malicious URL or not. Although there is no way I can think of to "hijack" a barcode scan (i.e. changing the decoded scan to something other than what is contained in the barcode), if a barcode encodes a malicious URL, it decodes to a malicious URL - period end of sentence. As pointed out by other posters, this does limit initial distribution significantly, but it's still possible to use it as a vector for say, an initial infection that could then be further spread via security holes in the victim's smartphone.
Long and short, barcodes are just very compact, machine-readable text. The security problem lies in what text is encoded and what the scanning device does with that data once it is decoded. There is effectively no difference to a computer or smartphone between scanning a barcode and typing in the data strings encoded in that same barcode on a keyboard.
I appreciate the information you provided. It cleared up a question I had.
I will humbly suggest one difference between scanning and typing. You know what you are typing in. As I mentioned in the article, most scanners do not offer a preview, that is not good from our perspective.
>I will humbly suggest one difference between scanning and typing. You know what you are typing in
Sorry, I wasn't clear enough. It is different to the user, but as far as a computer or smartdevice is concerned, it is the same thing. You're basically getting a string of characters from the decode, making any kind of automated screening particularly difficult.
And I agree, giving a user preview and asking for confirmation is a very good idea. You also have to consider the possibility of incorrect decodes due to badly-printed or damaged barcodes (even with the error-checking built in to certain symbologies) as opposed to the case of someone deliberately encoding a malicious URL.
You provided much to think about. I would be curious to learn your approach to QR codes. I'm a bit apprehensive, but darn they are convenient.
Interesting article, as I'm just about to meet someone that is going to tell me about his new project: Synertag.com
here is what it promises:
Why use SynerTAGs?
SynerTAGs are the future of mobile media communications access by creating a secure bridge to mobile websites and apps. SynerTAGs provide consumers with confidence that the QR Code they are scanning is both safe and secure.
What makes SynerTAGs safe and secure?
SynerTAGs are created with a proprietary code generator engine that creates a custom QR Code that has a dedicated URL connection to the SynerTAG cloud network. SynerTAGs can be re-directed to almost any kind of website or app as long as the targeted URL passes the SynerTAG engine safety tests. These tests check for malicious code, executable files (potential viruses), dead links & problem landing pages.
Any feedback on this company? What should I be looking for? Meeting is in two hours, any feedback is greatly appreciated.
I have not heard of the business. Interesting. I checked their site. It seems proprietary -- thus no vetting.
Does it mean a special client?
How does the user know it is actually being vetted by SynerTAG?
What is their EULA as traffic appears to travel through their system first?
Please let us know what you find out. And, thanks for mentioning SynerTAG. I am really curious.
I found this rather interesting paragraph:
"DATA COLLECTION & MANAGEMENT
SynerTAGs collect useful data when scanned by your customer's smart phone which is then converted to a PDF statistics page."
With so many concerns these days about consumer privacy, etc., I would definitely want to know what's being collected and how it is used.
And as to Michael's question about whether or not it is actually being verified, there isn't any way short of previewing the decode and making sure it is going where it is supposed to, and how a user is to verify this is beyond me since it would be very difficult for them to know what the decode should be.
The thing to keep in mind about barcodes regardless of symbology is they all boil down to machine-readable text. They were created pretty much as a more accurate alternative to OCR.
A red alert in my world. Being a profit center, we will see more of it.
I use QR Droid on my phone. It allows you to preview the text and decide what to do with it.
Appreciate the information and you taking the time to provide it.
People, particularly consumers and teens, are becoming much more aware of QR codes.
Last year Macy's ran a "Backstage Pass" promo featuring QR codes. The ads were on TV, in stores, and in print media. (You can view it on their website here: http://www1.macys.com/campaign/social?campaign_id=207&channel_id=1&cm_mmc=backstage-_-vanity-_-n-_-n)
Taco Bell and Pepsi joined forces in a Mountain Dew promo and printed QR codes on Mountain Dew themed drinking cups last year.
I flip open a copy of Golf Digest and there's a QR code. Car and Driver - QR code. Sports Illustrated - QR Code. You get the idea.
They are not as rare as they were 12 months ago. Advertisers are catching on to their potential uses and advertisers are directing consumers to install QR reader apps if they do not already have one on their phone.
Another member mentioned something that I had not considered. Ad companies now have another way to glean information. So permissions given to the QR code reader become critical.
It has the small square for orientation, but seems to lack the three large ones for position.
I don't have a QR scanner app on my phone. You're going to laugh but the only QR scanning I've done is grabbing Pokemon AR codes for my sons Pokedex 3D on the 3DS. You can also scan and generate AR (QR) codes for Mii's on the 3DS. I tried scanning random QR codes but there is a specific format to the real ones so they were unrecognized.
Still, very informative article, I learned a lot. And now I've got one more thing to be wary of.
Using the 3DS' 3D camera you hold it up to something like this:
http://www.pokemonaus.com/wp-content/uploads/2011/06/PokeDexGuide1.png
in the Pokedex and it scans them and they come to life and start popping into your database and moving around on the screen. The Pokedex codes look proprietary but they only need to unlock info already in the database.
Or you can scan something like this in the Mii Maker:
http://livedoor.blogimg.jp/ted2011/imgs/b/0/b09bef00-s.jpg
and it reads it and creates a little Mii out of the code. You can then generate your own Mii AR codes for other people to scan inside the program.
It's very restricted. Like I said, I tried scanning a random QR code and it wouldn't accept it. Now that I look at the Mii codes I recognize the different information zones you described.
Thanks for sharing that information. I am game-challenged, so I know virtually nothing about that subject.
Or should I say, should I be warning staff I support about "potential" risks with QR scans ? I hate cleaning up after the case, especially when someone has either clicked on a link or received a file that loads a keylogger. In two cases I have had to help people clean up PCs and desktops, and then help them when their bank has allowed fraudulent transactions to occur because of the keylogger. If you have a good case about security problems, I find that most security officers will help convey the knowledge, or better put, they lock down the access through the gateways. The process I find better is inform the staff as best as possible, and then this minimizes issues. It works for me since the main area I work with has had the best running computers, and the least amount of basic problems, and no virus issues, even network based virii ( as soon as an issue occurs, they disconnect the PC/Laptop from the network). Anyway, the QR issue, if it is one, seems to be something that may be worthwhile checking, and even if it only has one event occurring in the world, then great... the less the better. Educate staff, educate people, and advise on what to do.
I've been at this for over 35 years and I have never felt it wrong to pass along information that might keep people safe and the infrastructure secure.
This sort of thing might affect employees outside of work and being aware might save them some personal grief. Just a thought.
Frankly, this is one of those technologies that has been around for some time that is suddenly coming to the fore because now it is becoming practical for consumer use and profitable for business to create them.
Previously, you could not scan barcodes without purchasing a device costing several thousand dollars, but now all you need is a smartphone.
The best way to handle these QR codes is to think of them as any other type of Internet-related advertising (which is the entire purpose), with all the caveats and cautions thereunto pertaining. They're somewhat less obnoxious because you actually have to pull out your smart device and perform a scan, unlike say, banner ads and spam, but still indiscriminate scanning has its risks.
I do see one difference, the amount of storage. Without that, I doubt we would see them used as much as they are.
I've seen lots of them but since my phones can't "see" them (no camera)
thus I've not had any problems with them
other than the only thing those codes do is bug my eyes a bit
interesting, the one in the article looks like a frowny face, is it a functional QR?
.
You are the first one to mention that it's a sad face. And it is not functional.
but some things just really stand out like green or blue hair would at a Baptist convention
.
I am using a Nexus S phone. I went for the Google experience.
I have manually updated it to the 4.0 (ICS) version.
It does have the setting to enable Installation of Non-Market applications which I have disabled.
The only time I ever enabled it is to install "Swype". I do not have the complete idea on why is it not available via the Market. But other than that I will always disable that option.
I really like your effort for user education. I have used QR codes, but in a limited volume. It's good to know that Zing QR scanner has some checks regarding the links as it is the one I am using now.
Keep posting more articles.
Appreciate your comments. And we will keep working on articles to be sure.
Looks like Websense has captured a new series of spam emails with QR codes:
http://community.websense.com/blogs/securitylabs/archive/2012/01/09/spam-emails-link-to-qr-codes.aspx
Interesting article, an issue I hadn't thought about to be honest.
QR Codes that can be trusted 99.9% of the time will appear on or in:
Magazines and Newspapers
Billboards
Building facades
Company Brochures
Trusted websites such as cinema or official movie sites
Train and bus ads and posters
Product cartons and packaging
I doubt that anyone with malicious intent would pay to run a magazine advert using a deceptive QR Code. Could happen, but I doubt it.
Deception is a key for attackers, "click here to speed up your PC for free" ... yep, people are easily fooled. But now there is the possibility of a more sinister plot where the code is promoted as a coupon, discount, whatever... it's shiny so people will scan away!
What I do with the QR Codes I create for my clients, if it is on their website, is to make the image a link to the same place as the QR Code or, I link it to the QR Code reader app download page. People using a smartphone without a reader can click the QR Code to get the app!
At the business level, set a policy for staff so that they understand the risks involved and what is acceptable. It boils down to common sense. Sadly though, ID-10T problems are ingrained at the user level. For legitimate use, I think QR Codes are great and are helping my clients gain more business!
[Edit] My HTC Desire is set not to accept installs outside Android Market by default. I never scan QRs without investigating or knowing the source. Sorry, I didn't try to scan your QR Code Michael, no offense, but I love my HTC and it's in pristine condition... no angry birds on this baby!
Could you explain this better:
"I link it to the QR Code reader app download page. People using a smartphone without a reader can click the QR Code to get the app!"
Are you saying the QR code also has a hyperlink? Thanks
If someone visits a web page using a smartphone or tablet there is no way they can scan the QR Code... they are using the device to access the web page that has the QR image.
If you add a hyperlink to the QR Code image it can take the visitor to a QR Code reader app on Android Market or on the App Store. Alternatively, it can be a link to the QR Code destination URL etc. Otherwise it's a bit like trying to touch your right elbow with your right hand...
What I normally do is place a QR Code with, say a link to a client's location map [in the code]. The QR image then links to a popup video telling the user what a QR Code does. If they are on a computer or hand held device they can watch the video and learn about QR Codes. I also place two text hyperlinks on the page one says "Click to get your free QR Code Reader App for Android" and the other says the same for iOS.
Regardless of the device the user has they can either find out what a QR Code is, and get the app or view the map which is embedded on the web page anyway! Scanning the QR Code will let them save the location on their phone or tablet helping them find their way to the store!
We really need to start thinking about how mobile use is increasing and cater to the hand held device users as much as desktop users. One of my clients receives 580+ visitors/month just from users on mobile devices! Last year it was 184 mobile visits for Nov to Dec 2010. A big jump in twelve months!
Once again Michael, this was a great article, thank you for sharing and going to the trouble setting up the QR demo code and all, much appreciated.
Cheers,
Paul
I use an iPhone and the two apps you listed for Android aren't available. Not that I scan QR codes all that often though.
We mention ZXing and they have an iPhone app. It looks like it does preview:
http://www.simonblog.com/2008/11/14/qr-code-reader-for-iphone-barcodes-zxing/
I work for a big company and the only time we use QR codes is when we
connect printed ads with our online strategy. The bad thing is that QR
codes look poor. But as always there are a lot of customization
options and now I also found an app with predefined QR graphic styles
(http://iqr.hrubasko.com/).
I cannot open my Quick Heal settings. It says to enter a password. Please help me.
I've used QR Codes for a few years. It's my first time hearing to be aware of QR Codes. Interesting. I'll read this carefully.
The box of cookies I bought has a QR Code on it, and it directs me to their shop when I scan it. It encodes a URL.
The 2D barcode, QR Code, is really powerful! And so we have developed and released the QR Code generator control for creating this amazing barcode.
http://www.keepdynamic.com/dotnet-barcode-winforms/qr-code.shtml
QR Code is able to encode many types of characters including URLs. This is a matrix barcode reader which is capable of decoding QR Code:
http://www.keepdynamic.com/1D-2D/matrix-barcode-reader-vbnet.shtml
First, I NEVER scan anything direct in for auto processing, that's JUST ASKING for trouble, big trouble.
Second, until I saw this I thought the QR stood for Queer Reader - thinking about, maybe that's a more appropriate name, anyway.
It is possible to create qr code generator by using such a qr code c-sharp library, http://www.avapose.com/csharp_barcode/qrcode_generator.shtml