Samsung Galaxy SIII data wiping on Android – just by visiting a website

Yesterday, Ravi Borgaonkar (@raviborgaonkar) released to the world an issue that could be one of the most serious to hit the mobile industry in a very long time.

Ravi, who is based at the Technical University of Berlin’s SecT lab (and who has previously been in the news for his research on hacking femtocells), discovered that there are proprietary codes for wiping devices entirely (this is not a USSD code as per the spec, as has incorrectly been reported). Ironically for the mobile industry, SecT is sponsored by Deutsche Telekom.

These commands can be entered via the user interface, but can also be sent remotely, via visiting a rigged webpage which calls the dialler function. Normally, the user would have to physically confirm the number to dial by pressing the green receiver button, but not in this case.

Currently, reports are coming in saying that a number of Android devices may be affected, including not only Samsung devices (the Galaxy SIII being amongst them) but also the HTC One X. It seems that devices in the UK may not be affected as they’re not using Samsung’s TouchWiz user interface, but details are still emerging.

Dangerous disclosure?

Ravi apparently made a responsible disclosure to a number of affected manufacturers and operators but after apparently getting frustrated with months of delays from certain operators decided to go public. My take on this is that there appears to have been a failing on both sides here. Without knowing all the details it is difficult to make a judgement, however I feel that making this public when the vulnerability is so easy to reproduce and has such massive destructive implications for users is bordering on criminal. Equally, if an operator has been sat on this fix for months for no good reason (and I don’t know if that is the case), then that is just as bad.

Just imagine how you would feel if you lost all of your pictures on your phone just because you visited a website.

How to test if you’re vulnerable and how to fix it temporarily

German mobile security researcher Collin Mulliner has released a temporary fix to Google Play called ‘telstop’, which people can download if they’re concerned.

A test page set up by Ravi is available which will send the user interface command to display the IMEI number (*#06#). Just navigate with your phone to this link: http://www.isk.kth.se/~rbbo/testussd.html – if you see your IMEI number displayed instead, then you are vulnerable.

17:00 26/09/12 Update: Ravi’s test page was using Google Analytics to track who is testing. I have set up a separate test page that does not use analytics. Just point your mobile browser at: http://mobilephonesecurity.org/tel

More detail can be found in this article and a video of Ravi’s presentation is below:


Playstation Network mysteriously down – security again?

Not mobile security, but possibly big emerging security news (more on why I think so below). The Sony Playstation Network is currently down (as of 20:39 UK on the 9th of June).

Germany-Portugal 0-0 you say?

Just before 8pm, I noticed I was signed out of the PSN, so went to the “Sign In” menu. This immediately took me to a change password menu. It said that my password was “no longer valid”. The dialog asked me to enter and then re-enter a password. Quite painful on a PS3 controller with complicated passwords, but it did slightly concern me that it hadn’t asked me for my old password (I need to spend some more time thinking about this though, but my first thoughts were about whether I could get access to my credit card info etc., once I had done this). Anyway, I didn’t even get that far as the system locked up on me. After a restart, I submitted the new password and it timed out, with “This service is currently undergoing maintenance”.

The PSN website says that the service is “Partially available” but there is no statement at all about what is going on. Obviously it could just be a major hardware failure somewhere, but equally we could be seeing the effects of an emergency shutdown due to a security issue (like last time). And, it was about this time last year it all happened. Added to that the fact that there have been a lot of password related breaches this week (LinkedIn et al), could this be linked?

As I write this (now 20:51), I’ve just been able to sign in again. No password change screen or anything, so it is all a bit strange.

To be updated…

Update 14/06/12 – No word on what happened the other day from Sony by the looks of things, but this afternoon (c.14:30 ish) the PSN network is down again, with some tweets giving very similar symptoms to the ones I had above. Again, nothing from Sony as to what is going on…

Manufacturers, Developers and Device Privacy

I’m involved in the IAPP’s privacy event this afternoon, talking in the session: “Is There an App for That? Privacy in Social, Local and Mobile Services” with a view from mobile manufacturers and developers. Here is my talk and some ideas about how some of the current problems can be solved. I’d be interested in your views:

“Privacy isn’t something that mobile manufacturers have had to get involved with. Beyond a basic device PIN lock, the furthest some manufacturers got ten years ago was to put PIN protection on mailboxes.”
 
These days, it is often a question of what does the manufacturer own? The hardware? The access control of the device? There are a vast number of stakeholders in the mobile industry and it is difficult to see who has responsibility. When something goes wrong, the blame often goes all over the place. The manufacturer often doesn’t have control over the operating system these days, but they do have control over security in the hardware, including features such as trusted secure storage and trusted execution which can be opened up via APIs (interfaces) to the operating system and applications above that. This means that privacy-sensitive information such as credentials could be stored in what is in effect a safe on the device. Other features such as full-device encryption give peace of mind if a device is stolen, but there are more fundamental things that are not fixed in some devices, such as also locking down USB ports when the key-lock is in use. Often this comes down to individual engineers, and it is important to note that privacy does not feature in software engineering syllabuses and there is still a problem in educating future engineers, including a lack of mandatory security components.
 
As manufacturers, information sharing and disclosure of security vulnerabilities, particularly where there are privacy implications, should be encouraged and improved. This is an area that is still lacking in industry.
 
The device is our life-diary. We must all acknowledge that there are situations where the Police need to intervene and legally get access to data on devices whether the owner is the perpetrator of crime or a victim. The evidence aspect of mobile phones is incredibly important and the discipline of mobile device forensics is still emerging and developing. These needs are clearly counter to the needs of everyday security and privacy and this highlights the complexity of context, for as a user who then becomes a victim, the privacy need then turns into a need to disclose.
 
Developers
“Just because you can, doesn’t mean you should” is probably the most important point when it comes to developing new services that involve the user. We have the capabilities in technology now to do almost anything. Proportionate and responsible usage by companies is a moral responsibility that is sometimes negated by the desire to make money. This is something that self-regulation is never going to be able to solve. Public exposure and the risk of public exposure by hacktivists or the media is what seems to be driving the protection of privacy rather than a genuine desire to be responsible in the majority of cases.
 
Users don’t necessarily realise that their data is being misused, because they can’t see it. This could be through profiling tools and so on. When these things become publicly exposed, such as with the Carrier IQ issue in 2011, users immediately reject the service in the most extreme ways without really realising what is going on or if indeed, the service did in fact breach their privacy. Some developers don’t know that the services they’re including in their apps breach their users’ privacy (e.g. advertising etc).
 
Some short points now on problems and solutions for manufacturers, developers and users of mobile devices around privacy:

Problems with privacy

·     Technically, we don’t have the screen real estate on mobile devices to display privacy policies and besides, no-one ever reads them anyway. This is a huge issue that has not been adequately addressed (the proposed Mozilla privacy icons are interesting).
·     User experience is mostly: accept these privacy settings (or permissions) or don’t use the application. This is not really acceptable.
·     Human behaviour: your user wants their privacy protected but is quite happy to breach others’.
·     Privacy is contextual and often the privacy need is after the event. Here are some very brief (but extreme) examples:

1.      A user who is very open and has no privacy concerns has their social media settings set such that all their photos are available. They are murdered in unrelated events. Media across the country descend on the open site and use the images in reports, to the extreme distress of the family of the victim.
2.      A newspaper finds out that a woman has slept with a well-known celebrity. They leverage the woman through her connections on a social networking site and essentially force her to “tell her side of the story”.
3.      Employees working for a company are involved in a labour dispute. There is a division between union members and “loyalist” staff. Friends become enemies overnight without realising it. The context of privacy has changed significantly. Postings that were previously posted in a private environment are printed off and taken to management. The company takes advantage of the situation and goes further, even to the extent that they search for profile updates and public data on social media sites to identify “troublemakers” and discipline them.
4.      A child is befriended by another child through a social application because they both like the same band. Location data and lots of private information including pictures are happily shared, but only privately. The 2nd child is in fact an adult who has initially used the public information about the child’s interests in order to groom them.
 
Some solutions for operating system vendors and developers

·     The architecture of device operating systems needs to change: current mechanisms are more advanced than before (e.g. view privileges) but need to go to the next level.
·     One possibility is to create the ability to “negotiate” in APIs, e.g. “I won’t give you fine-grained location but you can have the town I’m in” (existing example: protocol negotiation in computer systems).
·     More fine-grained mechanisms for revoking permissions: “I don’t trust this anymore” or “I no longer want to share location”.
·     Support in APIs for saying “the user does not allow you to do this”, which allows developers to fall back gracefully to something without the app breaking. Remember that human behaviour means that people will do whatever they can to get over hurdles, i.e. the “Dancing Pigs” problem.
·     The user must always be in control (this is not the case now).
·     Advanced permissions architectures that allow delegation to a third party that the user trusts (e.g. children’s charities, Which? etc.).”
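To make the negotiation idea concrete, here is a small Python model of such an API. It is an added example, not the talk’s code and not any real mobile operating system’s API; PermissionBroker, the level names and the weather app are hypothetical. The broker gives an app the lesser of the level it asks for and the level the user granted, the user can revoke at any time, and a denied app receives an explicit NotAllowed it can fall back from instead of breaking.

```python
"""A negotiable, revocable permission API, in miniature.

Added example for this post: not the talk's code and not any real mobile
operating system's API.  PermissionBroker, the level names and the weather
app are hypothetical.  The broker hands an app the lesser of what it asked
for and what the user allowed, the user can revoke at any time, and a denied
app gets an explicit NotAllowed it can fall back from instead of breaking.
"""

# Granularity levels for a capability, least revealing first.
LEVELS = ["none", "town", "fine"]


class NotAllowed(Exception):
    """'The user does not allow you to do this.'"""


class PermissionBroker:
    def __init__(self):
        self._policy = {}  # (app, capability) -> level set by the user

    def grant(self, app, capability, level):
        if level not in LEVELS:
            raise ValueError(level)
        self._policy[(app, capability)] = level

    def revoke(self, app, capability):
        """'I no longer want to share this': takes effect on the next call."""
        self._policy[(app, capability)] = "none"

    def negotiate(self, app, capability, requested):
        """Level actually granted: never more than the user's policy."""
        granted = self._policy.get((app, capability), "none")
        return LEVELS[min(LEVELS.index(requested), LEVELS.index(granted))]

    def location(self, app, requested, actual):
        """Give `app` a view of the device's real fix `actual` at the
        negotiated level; the coordinates never leave the broker at
        town level."""
        level = self.negotiate(app, "location", requested)
        if level == "none":
            raise NotAllowed("location")
        if level == "town":
            return {"level": "town", "town": actual["town"]}
        return {"level": "fine", **actual}


def weather_app(broker, actual):
    """An app that would like a fine fix but degrades gracefully."""
    try:
        where = broker.location("weather", "fine", actual)
    except NotAllowed:
        return "forecast for your saved default city"
    if where["level"] == "town":
        return "forecast for " + where["town"]
    return "forecast for %.2f,%.2f" % (where["lat"], where["lon"])


if __name__ == "__main__":
    # Constructed device fix; a real broker would read it from the GPS stack.
    fix = {"lat": 51.5074, "lon": -0.1278, "town": "London"}
    broker = PermissionBroker()
    print(weather_app(broker, fix))                  # nothing granted yet
    broker.grant("weather", "location", "town")
    print(weather_app(broker, fix))                  # town only
    broker.revoke("weather", "location")
    print(weather_app(broker, fix))                  # back to the fallback
```

The point of the design is that the app never sees the raw fix unless the user chose “fine”, and that denial is an ordinary, documented outcome the app is expected to handle, which removes the incentive to demand everything up front.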

Mobile World Congress – RIM Porsche fun

I promised you all that I’d publish an amusing story about the RIM Porsche 911 at Mobile World Congress last week. For those who don’t know about the background, RIM purchased QNX in 2010 who just happen to also do the embedded software for Porsche and others. There is a video explaining all that stuff below:

I was very impressed by this demo by the way. The coolest part is the live map of the Nurburgring giving you the right braking points because of the GPS link-up (if anyone is reading this from Porsche or RIM I would love to take it round the Ring by the way!).

Anyway, so I was standing there, the Porsche was sitting there unattended as was the Blackberry handset that was part of the demo. I can tell you that the password for the Blackberry was not “porsche” ;-). I opened up the glove box and had a quick look inside only to be presented with a Cradlepoint WiFi router filling the entirety of the space inside:

RIM Porsche glove box

Staring at me from the top of the router was a white label on the top. I’ve enhanced this in the picture below so you can see it properly. Yes, that’s right, they had a label with a default password (a reasonably weak one too) stuck to the top of the router! 🙂 Obviously I’ve blanked out the actual password in the pics:

Default password anyone?

Now I just want to say here that if anyone from RIM is reading this, please do not crank this up as a security incident or go mental at the QNX guys, this is just an amusing story. After all, it’s a demo and chances are the default password was not being used, someone had probably changed it.

Security is only as good as its weakest link

However, here is the serious bit – with all the convergence of mobile tech and the emergence of connected homes, cars and cities, it just goes to show that security is often only as good as its weakest link. That may not be the mobile technology itself, just something it’s connected to. Oh yes, another security message here – don’t leave phones unattended on trade show stands and always lock your glove box!

Mobile World Congress – Biggest story out of the bag already?

#MWC10 – I could have sworn we’ve been here before 😉

Mobile World Congress T minus 1 and I already feel like I’ve had too many Long Island Iced Teas. I woke up to lots of leaks about Mozilla’s Boot-to-Gecko (B2G) project. It looks like they’re teaming up with LG and a lot of others to launch a web runtime based phone. I have already seen a lot of cynical comment, to the extent that a lot of people are saying it is dead on arrival. I’m not so sure. It is clear there is a market for low-end devices with front-ends for SMS-based services in emerging countries (Smart in the Philippines have already launched a phone with this in mind). HTML5 implementations have matured to the state that is ready for mobile devices too and a lot of work has gone on in industry over the years to head in this direction.

Mobile web coverage is rubbish

The biggest issue that I see is the continuing assumption that mobile web / cloud access is ubiquitous. This kind of wrong-headed thinking is sadly typical of projects which live on Silicon Roundabout in London or in the valley with great 3G or WiFi connections. This simply isn’t the case for the vast majority of users in the world. Even in the UK, rural network coverage is horrific. Attention to caching and offline browsing has been lacking.

Don’t ignore the security concerns

I worked on this exact subject for quite a while. My biggest concern however is the way in which a lot of the people involved in these projects pay complete lip service to security and privacy. If you look at the B2G wiki, there is not one single mention of security in the FAQs.

What Mozilla are doing is connecting the web to the physical features of the device. Want access to the entire user’s phonebook or location from a web application? Yep, that’s right you can have it. Authorisation is difficult (as Android permissions have shown) and history shows that both users and system developers end up going for the least common denominator when it comes to security and privacy options – they take the one that is the most easy and requires the least intervention (which in the user’s case is pretty much setting everything to no protection).

The W3C Device APIs working group have spent years wrangling with these issues and haven’t come up with a meaningful answer. Lots of people will remember me regularly telling the group that they needed to take security seriously. The EU webinos project is continuing to work on it and are thankfully taking a better approach (based on its origins, OMTP BONDI).

My hope is that more focus on B2G’s security will ensure that mobile users are not exposed to the high number of web application security issues out there.

Mobile Security dinner in Barcelona

As we head towards the annual descent to Barcelona for Mobile World Congress, I thought I’d tell you about my mobile security dinner. This event is open for people interested in any aspect of mobile or network security, to share ideas and hopefully solve all the world’s problems. It’ll be held on the Sunday night (the 26th) from 9pm onwards at a secret location in Barcelona…

This is not the dinner you’re looking for…

Use the contact form above to get in touch if you’re interested in coming along. An important point to note – we split the bill at the end, so this is not a free meal 🙂

Dark Clouds and Rainy Days, the Bad Side of Cloud Computing

I’ve been meaning to upload these slides for a little bit. The tipping point was today, when I saw the Daily Telegraph had tweeted a story about a Councillor in Ireland who thought cloud computing depended on rainy weather. It turns out this story was a hoax (taking in the Telegraph, apparently).

To get to the point, I gave a presentation at the Informa Cloud Mobility event in Amsterdam in September entitled “Dark Clouds and Rainy Days, the Bad Side of Cloud Computing”, which I’ve uploaded to slideshare for people to have a look at and comment on. I should say that, as with a lot of things in the technology world, things move quickly and events have superseded a couple of things in the slides. It’s a pretty negative slideset, interspersed with some lolcatz, but the idea of the presentation was to give an alternative view to the conference and to get people thinking. The attendees and presenters struggled even to define “cloud”; a marketing term, which is part of the problem of this topic.

For those of you who really need proper cloud security, you can buy a cloud security umbrella from my shop. 🙂

Mobile Security Week

This week is Carphone Warehouse’s Mobile Security Week. I worked with the guys there to create some advice on security for users which you can find on their site. An extended version is on this page. As part of their research, Carphone Warehouse conducted a survey of over 2000 people which highlighted a lack of awareness amongst users about the importance of protecting personal data. It is interesting that only about 54% of those surveyed think that data on their phone is secure. That is lower than I expected and shows that people are at least concerned about mobile phone security, but maybe aren’t sure what to do. The National Mobile Phone Crime Unit (NMPCU) has done some great work in the past few years behind the scenes to help prevent mobile phone theft, and one of those things is a database of property which you, the user, can use by registering at the link in the first tip. If your phone turns up, the Police can then easily identify it as yours. A lot of my readers are tech people, but most mobile users aren’t and they don’t necessarily want to be. Probably one of the most important messages I’d like to get across is for people to use their handset PIN lock: if you don’t want people getting access to your personal data, this is a simple way of preventing that.

It’s great to be able to get the message out this week to people to think about mobile security, so have a look at the tips and see if you and your family are safe and secure.

David’s Mobile Security Tips

As phones become more and more sophisticated, mobile security becomes increasingly important for users. Here are some tips on how to keep you safe and secure when using a mobile phone.

Record your phone’s identity number in case it is stolen

The International Mobile Equipment Identity (IMEI) is what identifies your phone to the network and is located on the back of your phone underneath the battery. Another way to get your IMEI number is to type *#06# into your phone keypad to display it. When you get your new phone, it should also be on the side of the box. Keep the box label in a drawer just in case you need it. If your phone is lost, report the IMEI number to your service provider and they can block your phone so it can’t be used to make calls. If it is stolen, you should also give the IMEI number to the Police.

You can also register your phone’s details and IMEI number on the UK National Property Register at: http://www.immobilise.com/. This helps the Police to return lost or stolen property to its correct owner.

Secure access to your device and voicemail

PINs and passwords can be a pain as they put a barrier in the way of things you do repeatedly. These days it can be difficult to remember all your different PINs and passwords, or very tempting to use the same password for everything. Firstly, voicemail. The recent phone hacking scandal in the UK showed how important it is to have a PIN on your voicemail to prevent people listening in to your private messages. Ring your operator and make sure you have one set up, or alternatively have the service switched off entirely. Don’t choose obvious PINs e.g. 1111, 1234, dates of birth etc.

Make use of the handset locks to protect your data and messages. With touch-screen phones, these are often gesture based, meaning that a convenient swipe is all that is needed to unlock your phone, whilst still keeping your phone safe.

Learn how to manage your passwords without having to remember lots of complex details. You can do this by using password safes which can store lots and lots of different passwords and generate random ones for you. Make sure these are also backed up in a safe place.

Learn how to remotely lock and wipe your phone if you lose it

Losing your phone or having it stolen does happen and when it does, what do you do to prevent someone getting access to your work or personal data? This is where lock and wipe services come in. Many handsets are now capable of running applications with which you can stop someone getting access to your data and, if you’re sure you can’t recover the phone, delete your data. It is a service that can give you invaluable peace of mind if the worst happens. Some services can even help you locate your lost phone by using the GPS function of the device to work out where it is.

Be very wary of WiFi hotspots

However tempting it may be to connect to free WiFi when you’re out and about, take a moment to consider who is providing that service and why. If they’re charging, who are you giving your credit card details to?

By connecting to an untrusted network, you could potentially allow an attacker to get into your accounts for social networking sites, your email and banking details. In general if you are connected to a public WiFi network, don’t do anything sensitive such as internet banking or making purchases.

Know what you are giving applications permission to do

Always think about what an application is supposed to be doing, where it came from and who made it. Simple internet searches can often verify the validity of an application if you suspect all is not well. Inspect the permissions that an application requests. Does this application really need access to your phonebook? Does it really need to send SMSs? If not, just don’t install it. It should be said that some phone permissions aren’t very well done and can be difficult to understand, so even a legitimate application can give a misleading impression of what it actually does. There are some tools available to help you manage your permissions, for example only giving one application the permission to get to your location.

A common practice amongst hackers is to create a fake copy of a genuine application. This might be free, to entice people to download it. Sadly, the free version is a “Trojan horse” and will do nasty things. Mobile malware is still at a very low level in comparison with the PC world, but is definitely on the rise in 2011 and you should be extremely careful with applications you download. Many hackers see mobiles as an increasingly juicy target because your whole life is stored on there. You are putting yourself at increased risk if you ‘jailbreak’ your device or if you install untrusted applications. Anti-virus applications are now available for those people who want an added level of protection.

Be careful when clicking on web links and scanning 2D barcodes

Don’t be lured into clicking on an unknown link to a web page. A phone’s screen is much smaller and it is often more difficult to see a full link to a website and verify that it is what it says it is. Not only this, but links are often shortened so you can’t actually read the proper website it goes to. If you get messages or posts on facebook and twitter with links, stop and think. Do you know the sender? If you do, is this something that they would send you? If you do click, it is often too late once you realise that there is a problem. Don’t react to or reply to spam messages you may get over SMS or Bluetooth.

New technology allows barcode scanner applications to read 2D or Quick Response (QR) codes (kind of like square barcodes). These are often put in newspapers and on advertising boards. Be very careful: do you know and trust the source? Could the poster have been tampered with or be fake? The problem here is that you often can’t verify whether the link is genuine or not, because you can’t decipher the barcodes with your own eyes. It could be linking to some very nasty stuff.

Always backup your data

This is something that is always on the to-do list but never quite gets done. Take a little time to think about what would happen if you lost your phone and phone numbers and how it would affect you. Then think about what you can do to mitigate that. There are lots of services and tools out there to help you do this on a regular basis without thinking about it. Choose one you trust, or if you decide to backup your data yourself, make sure you do it regularly and store it in more than one place just in case your backup fails.

Be careful when charging your phone on someone else’s computer or at a charge point

Be extra careful if you desperately need to charge your phone while out and about. A lot of phones combine a data connection with the charger, so you could end up having your data stolen without realising it. Who is providing the service? Do you have to hand over your phone to have it charged? Do you really need to connect to your friend’s laptop? At a recent hacking conference, a fake battery charging booth was set up offering free phone charging but then stole the data of the phones connected.

Protect your children whilst surfing

Kids often know more than their parents when it comes to new technology. Whilst a phone can give you peace of mind that your child is safe when out and about, it also has access to lots of functionality and content that you might not want to allow your child access to at home. There are some applications available that can be installed on mobiles to help you manage what your child can access or download. You can get a shop to set these up for you and set a password so that your settings can only be changed by you. There is some great information on protecting your children online in The Carphone Warehouse’s Guide to Mobile Web Safety at: http://www.carphonewarehouse.com/mobilewebsafety and also on CEOP’s website: http://www.thinkuknow.co.uk/

Be aware of your surroundings when using your phone

Phones are an attractive target to thieves and whilst they’re with us all the time, they can be snatched or stolen easily. Think about your surroundings when you’re about to use your phone. Do you really want to turn your phone on, just as you walk out of the tube, or can you do it further down the street? If you’re sat in a café or bar, don’t leave your phone on the table. It is a prime target for snatching or a distraction theft. Of course, make sure that any handbags or rucksacks are secured too; trapping a chair leg around a handle is a good way to prevent a bag being stolen.

When you’re walking along and browsing, have you noticed whether someone is near you? You are particularly vulnerable when you’re tied up doing something else. Rather than walking home at night on the phone to a loved one, put the phone away so that you’re aware of everything going on around you.

QR code security tips for both consumers and advertisers

There’s a lot of interest around creating malicious QR codes for one simple reason – the user cannot easily see what the encoded link is. Here’s some basic advice for both consumers using QR codes and also for those companies creating them as part of marketing campaigns etc. For more detail on QR code security, see my earlier blog.

Tips for users of QR codes:

  • Get a good QR reader – one that allows you to review a link after you’ve scanned it and doesn’t randomly execute malicious stuff (I use Zebra Crossing’s ZXing Barcode Scanner for Android)
  • Be extremely careful, alert and wary when scanning a QR code, don’t just scan anything assuming it’ll be ok.
  • Don’t allow a QR code to dial a number or send an SMS unless you are absolutely sure you know that the number is legitimate. Otherwise you may end up with a very large phonebill!
  • If it looks too good to be true, it often is. If you’re handed a flyer or competition with a QR code, offering some fantastic offer think about whether it is legitimate or not – is it trying to just get your personal data or worse, trying to lure you into a security trap? A simple Google search is often enough to reveal scams.
  • Don’t give away information needlessly – if a site asks you to connect to Facebook or your bank, does it really need this? (extremely unlikely!) Remember you can always close the site and walk away. You do not have to enter your details and I wouldn’t recommend that you do.
  • Check to see if the QR code is physically the original if scanning a poster. Someone may have placed a sticker over the top of the original QR code to try and get you to download some malware or give away your details.
  • Always check the URI (the link) to be sure it is going where you expected it to. Check the address bar at the top of the page. Is the website unusual? Have you been redirected to another site? If your scanner software on your phone has shown you the URI for the website, is it the same?

Tips for companies planning on using QR codes:

  • Avoid link shortening services, these further confuse users as to who is providing the website – you probably don’t need the URI shortening anyway, you are using a QR code!
  • Always display the URI you are linking to in plain text near to the QR code in order that the user can see what website it is supposed to be going to, or at least choose to manually enter it if they don’t want to use the QR code.
  • Don’t use QR codes for anything that requires a user to divulge sensitive information such as credit card details. It’s irresponsible and customers won’t thank you for it.
  • For shops, if possible, display your QR code behind a window or counter rather than ‘outside’ so that it is difficult / obvious if people are trying to tamper with it.
  • Be conscious of defacement by people who may be opposed to your product or service. Remember, it only takes one code to be hijacked and reported in the press and your marketing campaign is wrecked. Think carefully about poster campaigns and where you place QR codes.
  • For newspapers and magazines, consider triaging adverts using QR codes to check they’re ok in advance.
For more marketing tips, have a look at this blog from Stephen D Poe.

QR codes and security – my take

This blog details some of the risks and security issues of QR codes. If you’re a user looking for advice on how to protect yourself from bad stuff, or a company looking to use a QR code in a consumer campaign, check out my tips here.

Some background

QR codes, 2D barcodes, they’ve been around for a while. Essentially a barcode of old was just a string of numbers and letters, equating to ‘something’ (in the case of EAN and ISBN codes amongst others). I used to write software for some mobile phone stuff that used both EAN-13 and Code 128 but that’s an entirely different story. Anyway, there are lots of barcode standards around (if you’re interested have a look at the Wikipedia article). 2D barcodes have been around for a while but the QR (Quick Response) version has become the most popular, mainly because there aren’t major patent issues around using it – Denso Wave do not ‘exercise’ their right to it. As a result it is widely used, and in the first few months of 2011 it has become extremely popular in the marketing world. It’s mainly being used for quickly communicating web links (or URIs as they’re properly called) to people so they can get on and buy / see / do stuff, usually from their mobile phones.

Usage

A big supporter in the mobile world is my friend Terence Eden. He runs QRpedia which facilitates the reading of articles in multiple languages, for example in museums and tourist sites. His blog contains some great stories about QR codes and I fully recommend reading it.

QR codes have only become really popular in 2011 because of the rise in the number of smartphone users and the increasing popularity and usability of the mobile web. A raft of applications are available to read QR codes and in some handsets I understand this functionality is pre-installed.

One example of a company using it is the train company First Great Western, who’ve recently started publishing train timetables as QR codes.

Another example, this time for voucher / marketing purposes, is Bulmers for their cider (see picture), although they’ve not quite got the user experience right – it takes you to a full (non-mobile) website and then, once they’ve got all your details, gives you a printable voucher on your phone. If anyone can point me in the direction of a phone with a printer, I’ll let Bulmers off the hook.

The next picture shows estate agent Hamptons – which in theory looks like a good example – situated in the window of the estate agents (behind the glass so it is protected from tampering) and hopefully displaying the URI it takes the user to (at the bottom left).

Of course a well-designed site could then also take you to its mobile app if it has one (try the tripadvisor site on your mobile for a good example of this).

Security

Where do I stand on QR codes? Well, generally I think they’re quite a good timesaver – they allow me to quickly input a website into a mobile browser, save a link for later perusal or even (as in the case of QRpedia) give me access to much more information on something than I would be able (or bothered) to get normally. I can even see the argument on the SMS and dial features. All good stuff, yet I’m concerned that we technologists are running ahead of the public with the technology (as usual).

It’s the old marketing v security problem. Of course marketing departments want to make use of this great (sort of new) technology, but they’re not paid to think about the security stuff and often they’re not required to do any consultation with a security department, even if it exists. Besides, what security can you actually add to a QR code?

So what’s the risk?

This is not such a good example (as shown on Terence’s blog). The Verrus paybyphone service takes you straight to a mobile site which asks you to enter your credit card details. This is so astonishingly easy to spoof that it is scary. There is no description whatsoever near the QR code about what it is supposed to do. I could therefore also quite easily perform a whole host of attacks (as described below).

There are a number of threats to the consumer from the misuse of QR codes. These aren’t usually because of a big security mistake by the company advertising its product or whatever with the QR code, however it could turn out to be quite a nasty PR experience for the company involved if they’re not careful with the way in which they do it.

  • QRjacking (not a good term – it is actually a form of Pharming) – This is the practice of putting stickers over existing QR codes which link to wherever the attacker wants them to go. Dan Wilkerson published this blog back in May 2011 which has some nice pictures.
  • Scanjacking (as opposed to clickjacking) Here’s a paper I like by App Sec labs which assesses some QR readers and how a payload can be inserted into a QR code if JavaScript is allowed to be randomly executed on the device. This post the other day talks about using QR codes to point to an evil server running metasploit to “attag” a target (I don’t like that term either).
  • Man-in-the-middle attack – This is where, again, a sticker is placed over the legitimate QR code, or a fake one is advertised in a newspaper or magazine. The user has their credentials captured or bank details taken, then they are redirected back to the correct website with an error such as ‘you didn’t type your details correctly’. It is unlikely that the average user would pick up on what was going on. Colin Mulliner mentioned this kind of attack when he did some great work around NFC (Near Field Communications) a few years back. In fact many of the attacks he describes mirror in some ways the attacks possible on QR.
  • Phishing – Randomly posting QR codes that entice people to scan them but actually go to something malicious is highly tempting for attackers. You could probably even get people to attach to your fake WiFi network. You could imagine lots of places that could be targeted, e.g. bars, bus stops etc. This could of course happen via email, asking you to scan and download an application to your phone. The QR code below was sent to me the other week by a friend. It isn’t malicious and I’m not sure it even works on mobiles, but I liked the potential!

  • Spear Phishing – Extending the Phishing method described above, but targeting a particular individual or a small group (imagine dropping a fake competition flyer around an extremely upscale bar).
  • Premium rate SMS fraud – One of the things that is supported with QR codes is the ability to make calls and send SMSs. I’m not going to explain exactly how here, but the information is pretty widely available. It would seem pretty trivial to do a premium rate fraud using fliers for a competition at a concert or sporting event. Less so for call fraud because of the time and hassle involved for the user, but depending on the social engineering aspects of the attack, it could be done.
  • Pre-registration fraud – Terence Eden found an incident where Nokia had failed to register a bit.ly link on a QR code, which could have quickly been hijacked by an opportunist. This would probably be technically classed as pre-registration fraud, although it is very rare.
  • False Advertising – This is a sophisticated attack on a company, perhaps by an activist group, putting fake QR codes in advertisements. It is obviously incumbent on magazines and newspapers to check adverts and their sources anyway, but I’m not sure how well this is done. Even if some form of checking did take place, it could be side-stepped by only putting the malicious content live once the target publication is in the shops.

Generally with all the attacks on QR codes, they have to be very well crafted and prepared to be successful. For the savvy attacker, it is a social engineering exercise. It all comes down to what logical next steps a user could expect to take. In general though, it is quite difficult to launch a traditional distributed attack without high cost. The chances of detection and therefore prosecution are higher than other types of attack. For example, the benefits of crafting an attack where you want to encourage the user to use their phone, scan the QR code from their computer with their device, download an application and therefore maliciously get access to their information is so complicated and difficult it almost isn’t worth doing. There’s too much other low hanging fruit out there in terms of attack success.

Is there anything that can be improved in terms of security? Well a lot comes down to the reader software applications themselves and how they present the data to the user once it has been scanned. This helps the user make a reasonably informed, intelligent decision. From a technical point of view though, it is difficult to defend QR URIs even by using blacklisting services such as stopbadware.org. Premium rate attacks seem also difficult to defend against as the numbers could be (and are) changed easily. The time window between a successful attack and the blacklisting is still attractive to an attacker. Some forms of URL redirection could potentially be ‘triaged’ by the barcode reader application with some helpful warnings to the user, but given the propensity for companies to use URI shortening services, it may have limited success as an effective security measure. Given all the other security scenarios that could happen (e.g. what if the QR code is situated in a hostile environment with a compromised WiFi router?), it does seem futile at the moment to introduce other measures which may actually just confuse the user further.
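To make the ‘triage by the reader application’ idea above concrete (and the SMS / dial / WiFi payloads mentioned in the threat list), here is an added example of what a reader could do with a decoded payload before acting on it. It is my own illustration, not code from any real QR reader; the shortener list and the sample payloads are constructed, and the SMSTO:number:body layout assumed here is the ZXing-style convention rather than a formal standard.

```python
from urllib.parse import urlsplit

# Shortening services: bit.ly appears in the post; the rest are well-known
# examples. Constructed, illustrative list, not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and collect the warnings a reader app
    should show before doing anything. Returns {"kind", "action", "warnings"}."""
    p = payload.strip()
    low = p.lower()
    warnings = []
    if low.startswith(("http://", "https://")):
        parts = urlsplit(p)
        host = (parts.hostname or "").lower()
        kind, action = "url", f"open {host}"
        if parts.scheme == "http":
            warnings.append("plain HTTP: do not enter credentials or card details")
        if host in SHORTENERS:
            warnings.append("URL shortener hides the real destination")
        if parts.username is not None:
            # http://bank.example@evil.example/ displays a misleading host
            warnings.append("user-info before '@' in URL: real host is " + host)
    elif low.startswith("tel:"):
        kind, action = "dial", f"call {p[4:]}"
        warnings.append("dialler action: confirm the number before calling")
    elif low.startswith(("smsto:", "sms:")):
        # ZXing convention is SMSTO:number:body; RFC 5724 sms: uses ?body=
        rest = p.split(":", 1)[1]
        number, sep, body = rest.partition(":")
        if not sep:
            number, _, body = rest.partition("?body=")
        kind, action = "sms", f"send SMS to {number}"
        warnings.append("SMS action: premium-rate numbers cost money")
        if body:
            warnings.append(f"pre-filled message body: {body!r}")
    elif low.startswith("wifi:"):
        # WIFI:T:WPA;S:ssid;P:pass;;  (escaped ';' in SSIDs not handled here)
        fields = dict(f.split(":", 1) for f in p[5:].split(";") if ":" in f)
        kind, action = "wifi", f"join network {fields.get('S', '?')}"
        warnings.append("joins a Wi-Fi network: its router can see your traffic")
    else:
        kind, action = "text", "display only"
    return {"kind": kind, "action": action, "warnings": warnings}


if __name__ == "__main__":  # constructed sample payloads
    for sample in ("https://bit.ly/abc123", "SMSTO:+4412345:WIN",
                   "WIFI:T:WPA;S:FreeBarWifi;P:secret;;", "hello"):
        print(sample, "->", triage_qr_payload(sample))
```

The point is that every non-display payload produces an explicit action plus warnings, so the user sees what the code will do (as the tips above recommend) rather than having the reader act silently.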

I do have some further ideas on this topic, but I’d welcome your comments and ideas, just add a comment to this blog.

Obviously what applies to QR codes applies to anything else, barcode or otherwise that you can’t decipher, such as ‘NFC’ tags which you ‘touch’ with your phone. I’ll be writing about this closely related and upcoming technology soon.