This blog details some of the risks and security issues of QR codes. If you’re a user looking for advice on how to protect yourself from bad stuff or a company looking to use a QR code in a consumer campaign, check out my tips here

Some background

QR codes, 2D barcodes, they’ve been around for a while. Essentially a barcode of old was just a string of numbers and letters, equating to ‘something’ (in the case of EAN and ISBN codes amongst others). I used to write software for some mobile phone stuff that used both EAN-13 and Code 128 but that’s an entirely different story. Anyway, there are lots of barcode standards around (if you’re interested have a look at the Wikipedia article). 2D barcodes have been around for a while but the QR (Quick Response) version has become the most popular, mainly because there aren’t major patent issues around using it – Denso Wave do not ‘exercise’ their right to it. As a result, it’s very popular and in the first few months of 2011 has become extremely popular in the marketing world. It’s mainly being used for quickly communicating web links (or URIs as they’re properly called) to people so they can get on and buy / see / do stuff, usually from their mobile phones.

Usage

A big supporter in the mobile world is my friend Terence Eden. He runs QRpedia which facilitates the reading of articles in multiple languages, for example in museums and tourist sites. His blog contains some great stories about QR codes and I fully recommend reading it.

QR codes have only become really popular in 2011 because of the rise in the number of smartphone users and the increasing popularity and usability of the mobile web. A raft of applications are available to read QR codes and in some handsets I understand this functionality is pre-installed.

One example of companies using it are the train company, First Great Western, who’ve recently started publishing train timetables as QR codes.

Another example, this time for voucher / marketing purposes is Bulmers for their Cider (see picture), although they’ve not quite got the user experience right – it takes you to a full (non-mobile) website and then once they’ve got all your details give you a printable voucher on your phone. If anyone can point me in the direction of a phone with a printer, I’ll let Bulmers off the hook.

The next picture shows estate agent Hamptons – which in theory looks like a good example – situated in the window of the estate agents (behind the glass so it is protected from tampering) and hopefully displaying the URI it takes the user to (at the bottom left).

Of course a well-designed site could then also take you to its mobile app if it has one (try the tripadvisor site on your mobile for a good example of this).

Security

It’s the old marketing v security problem. Of course marketing departments want to make use of this great (sort of new) technology, but they’re not paid to think about the security stuff and often they’re not required to do any consultation with a security department, even if it exists. Besides, what security can you actually add to a QR code?

So what’s the risk?

This is not such good example (as shown on Terence’s blog) . The Verrus paybyphone service takes you straight to a mobile site which asks you to enter your credit card details. This is so astonishingly easy to spoof that it is scary. There is no description whatsoever near the QR code about what it is supposed to do. I could therefore also quite easily perform a whole host of attacks (as described below).

There are a number of threats to the consumer from the misuse of QR codes. These aren’t usually because of a big security mistake by the company advertising its product or whatever with the QR code, however it could turn out to be quite a nasty PR experience for the company involved if they’re not careful with the way in which they do it.

• QRjacking (not a good term – it is actually a form of Pharming) – This is the practice of putting stickers over existing QR codes which link to wherever the attacker wants them to go. Dan Wilkerson published this blog back in May 2011 which has some nice pictures.
• Scanjacking (as opposed to clickjacking) – Here’s a paper I like by App Sec labs which assesses some QR readers and how a payload can be inserted into a QR code if JavaScript is allowed to be randomly executed on the device. This post the other day talks about using QR codes to point to an evil server running metasploit to “attag” a target (I don’t like that term either).
• Man-in-the-middle attack – This is where again, a sticker is placed over the legitmate QR code or is falsely advertised in a newspaper or magazine. The user has their credentials captured or bank details taken, then they are redirected back to the
  correct website with an error such as ‘you didn’t type your details correctly’. It is unlikely that the average user would pick up on what was going on. Colin Mulliner mentioned this kind of attack when he did some great work around NFC (Near Field Communications) a few years back. In fact many of the attacks he describes mirror in some ways the attacks possible on QR.
• Phishing – Randomly posting QR codes that entice people to scan them but actually go to something malicious is highly tempting for attackers. You could probably even get people to attach to your fake WiFi network. You could imagine lots of places that could be targeted e.g. bars, bus stops etc. This could of course happen via email, asking you to scan and download an application to your phone. The QR code below was sent to me the other week by a friend, It isn’t malicious and I’m not sure it even works on mobiles, but I liked the potential!

• Spear Phishing – Extending the Phishing method described above, but targeting a particular individual or a small group (imagine dropping a fake competition flyer around an extremely upscale bar).
• Premium rate SMS fraud – One of the things that is supported with QR codes is the ability to make calls and send SMSs. I’m not going to explain exactly how here, but the information is pretty widely available. It would seem pretty trivial to do a premium rate fraud using fliers for a competition at a concert or sporting event. Less so for call fraud because of the time and hassle involved for the user, but depending on the social engineering aspects of the attack, it could be done.
• Pre-registration fraud – Terence Eden found an incident where Nokia had failed to register a bit.ly link on a QR code which could have quickly been hijacked by an opportunist, this would probably be technically classed as a pre-registration fraud although very rare.
• False Advertising – This is a sophisticated attack on a company, perhaps by an activist group by putting fake QR codes in advertisements. It is obviously incumbent on magazines and newspaper to check adverts and their sources anyway, but I’m not sure how well this is done. Even if some form of checking did take place, it could be side-stepped by only putting the malicious content live once the target publication is in the shops.

Generally with all the attacks on QR codes, they have to be very well crafted and prepared to be successful. For the savvy attacker, it is a social engineering exercise. It all comes down to what logical next steps a user could expect to take. In general though, it is quite difficult to launch a traditional distributed attack without high cost. The chances of detection and therefore prosecution are higher than other types of attack. For example, the benefits of crafting an attack where you want to encourage the user to use their phone, scan the QR code from their computer with their device, download an application and therefore maliciously get access to their information is so complicated and difficult it almost isn’t worth doing. There’s too much other low hanging fruit out there in terms of attack success.

Is there anything that can be improved in terms of security? Well a lot comes down to the reader software applications themselves and how they present the data to the user once it has been scanned. This helps the user make a reasonably informed, intelligent decision. From a technical point of view though, it is difficult to defend QR URIs even by using blacklisting services such as stopbadware.org. Premium rate attacks seem also difficult to defend against as the numbers could be (and are) changed easily. The time window between a successful attack and the blacklisting is still attractive to an attacker. Some forms of URL redirection could potentially be ‘triaged’ by the barcode reader application with some helpful warnings to the user, but given the propensity for companies to use URI shortening services, it may have limited success as an effective security measure. Given all the other security scenarios that could happen (e.g. what if the QR code is situated in a hostile environment with a compromised WiFi router?), it does seem futile at the moment to introduce other measures which may actually just confuse the user further.

I do have some further ideas on this topic, but I’d welcome your comments and ideas, just add a comment to this blog.

Obviously what applies to QR codes applies to anything else, barcode or otherwise that you can’t decipher, such as ‘NFC’ tags which you ‘touch’ with your phone. I’ll be writing about this closely related and upcoming technology soon.