Malicious QR Codes: A Mobile Security Blind Spot
It's hard to read in-store signage, magazine or newspaper advertisements or product brochures these days without seeing a Quick Response code (QR code): the blocky, square two-dimensional barcode that lets a smartphone user jump to a Web address simply by pointing the phone's camera at it and letting a reader app decode it.
The codes have proved to be popular with marketers, even if they are not well understood by many mobile users: a recent survey by analyst firm Russell Herder suggested that more than half of all respondents -- including more than 80 per cent of respondents in the 18-24 bracket -- had seen QR codes, while around 16 per cent of all respondents had actually scanned one.
Tellingly, however, one in five respondents had no idea what a QR code is. That is close to the 22 per cent of Fortune 50 companies that are experimenting with QR codes in their marketing, and not entirely without success: a separate study by Comscore suggested that 14 million U.S. residents scanned QR codes in June 2011 alone.
While marketers wrestle with building demand for the codes, consumers may unwittingly be wrestling with something far more threatening: what if that barcode led your smartphone to a malware-infected Web site? And what if that malware was optimized to target Apple's iOS, Google's Android, or other mobile operating systems with a Trojan that would run in the background and send passwords to its masters?
QR Readers at Risk
It's an entirely possible scenario, says Scott McKinnel, Australia-New Zealand managing director with Check Point Software Technologies. "There's a body of evidence to say that people writing QR code-reading applications aren't thinking about security," he explains, noting the general lack of encryption in the codes and the threat posed by 'attack tagging': printing a QR code that encodes a malicious URL on a sticker and pasting it over a legitimate code.
Since most QR codes are posted in public places where a replacement sticker is easy to surreptitiously attach -- and since most consumers aren't mentally attuned to question the security of QR codes they scan -- this kind of attack is likely to become more common over time.
"It's a threat and it is real," says McKinnel, noting that an unscrupulous hacker could read the contents of a QR code, then modify the URL with extra elements that incorporate a security exploit. For example, a code could deliver malware that earns its operators money by making the phone repeatedly text a premium-rate SMS number, at a cost of several dollars per message.
"Compared with the kinds of complex attack vectors you see in conventional programming, this kind of attack is not that difficult," he explains. "Inserting or deleting elements -- for example, by adding a command line that would install malware, connect to a remote computer or cause a buffer attack -- would not be that difficult."
Although all smartphone operating systems could be subject to exploits of known vulnerabilities, Android devices have proven more susceptible to malware because of Google's relatively open policies on posting new apps. Google recently addressed this by introducing Bouncer, a feature that automatically scans new apps for malware -- but resourceful hackers have shown remarkable success in bypassing protections to infect Android smartphones and tablets. The addition of QR codes as a new attack vector, McKinnel warns, could only help them further.
Harder to Guard Against
Although conventional mobile security software and URL filtering may go a long way towards stopping mobile users from visiting infected sites, most smartphones run neither, so the great majority of devices remain exposed to new forms of attack. QR code-reading apps could provide a first line of defence, since they see the decoded payload before the phone acts on it, but few have implemented security-specific capabilities.
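The check a reader app could make is illustrated below. This is an added example, not code from the article or from Check Point: it screens the decoded payload before the phone acts on it, separating page links (shown with their real host, and opened automatically only when they are clean HTTPS) from action payloads such as the SMS and premium-number case described above, which always require an explicit tap. A replaced sticker cannot be detected from the payload itself; what the reader can do is refuse to act silently on anything it cannot vouch for. The premium-number prefix table and the sample payloads are assumptions constructed for illustration.

```python
"""Screen a decoded QR payload before a reader app acts on it.

Added example (not code from the article or Check Point). The premium-number
prefix and the sample payloads below are assumptions made for illustration.
"""
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Schemes that open a page; the reader shows the host before navigating.
WEB_SCHEMES = {"http", "https"}
# Schemes that perform an action (text, call, app install) rather than a view.
ACTION_SCHEMES = {"sms", "smsto", "mms", "mmsto", "tel", "mailto", "market", "intent"}
# Assumption: Australian premium-rate SMS services use numbers beginning with 19;
# a real reader would carry a per-country table here.
PREMIUM_PREFIXES = ("19",)


def _is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address, not a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _split_sms(scheme: str, rest: str):
    """Return (number, body) for SMSTO:number:text and sms:number?body=text."""
    if scheme.endswith("to"):            # SMSTO: / MMSTO: convention used by QR generators
        number, _, body = rest.partition(":")
    else:                                # sms:number?body=... form
        number, _, query = rest.partition("?")
        body = parse_qs(query).get("body", [""])[0]
    return number.strip(), body


def screen_payload(payload: str) -> dict:
    """Classify the payload and list every reason the reader should not act silently.

    Returns {"kind": "web"|"action"|"text", "target": str|None,
             "warnings": [str, ...], "auto_open": bool}. auto_open is True only
    for an https URL with no warnings; everything else needs an explicit tap.
    """
    text = payload.strip()
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower() if sep else ""
    warnings = []

    if scheme in WEB_SCHEMES:
        parts = urlsplit(text)
        host = parts.hostname or ""
        if scheme == "http":
            warnings.append("plain HTTP link: content can be altered in transit")
        if parts.username is not None:
            # https://bank.example@evil.example/ really goes to evil.example
            warnings.append(f"credentials before '@': the real host is {host!r}, not {parts.username!r}")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode host: may imitate a familiar domain")
        if _is_ip_literal(host):
            warnings.append("raw IP address instead of a domain name")
        return {"kind": "web", "target": host, "warnings": warnings,
                "auto_open": scheme == "https" and not warnings}

    if scheme in ACTION_SCHEMES:
        target = rest
        if scheme in ("sms", "smsto", "mms", "mmsto"):
            target, body = _split_sms(scheme, rest)
            warnings.append(f"sends a text message to {target}")
            if target.lstrip("+").startswith(PREMIUM_PREFIXES):
                warnings.append("destination looks like a premium-rate number")
            if body:
                warnings.append(f"with pre-filled text {body!r}")
        elif scheme == "tel":
            warnings.append(f"places a call to {rest}")
        elif scheme in ("market", "intent"):
            warnings.append("opens an app store listing or launches an app")
        else:
            warnings.append(f"opens a {scheme}: handler")
        return {"kind": "action", "target": target, "warnings": warnings, "auto_open": False}

    # WIFI:, MECARD:, vCard and plain text: display only, never execute.
    return {"kind": "text", "target": None, "warnings": warnings, "auto_open": False}


# Constructed sample payloads (not real codes).
SAMPLES = [
    "https://www.example.com/promo",
    "https://www.example.com@198.51.100.7/login",
    "SMSTO:1900123456:WIN",
    "WIFI:T:WPA;S:cafe;P:secret;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = screen_payload(sample)
        print(f"{sample!r:48} -> {result['kind']:6} auto_open={result['auto_open']} {result['warnings']}")
```

The design choice is that the reader never has to decide whether a payload is malicious, which it cannot know; it only decides whether the payload is boring enough to act on without asking. Anything that sends, dials, installs or hides its real host is shown to the user in plain words first.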
While smartphone and tablet security solutions are continuing to evolve, in the short term user education has a major role to play in preventing infections through new attack vectors like QR codes. The problem, McKinnel says, is that most smartphone users would be unaware if their devices have been compromised -- and few take the time to do basic checks on QR codes, such as looking for the telltale edge of a sticker applied over the real code.
Even though many users have learned to think twice before clicking on an emailed URL that may not lead where it says it will, the relative newness of QR codes means most users are unlikely to exercise the same caution, which makes the codes an attractive attack channel, one that bypasses the habits and controls built up around email.
"People tend to take the path of least resistance, and if there's a bargain to be had by visiting a QR code link, they're going to do it," McKinnel explains. "If it's in a legitimate publication and brand, you should be right."
"But if you're having a look at the sticker and don't recognize the brand, or it's on a one-off billboard or something that doesn't feel right, why would you visit that link? This is just another security issue that's adding to the multitude of issues already associated with smartphones. There's another element of a risk that you need to consider when looking at mobile device security -- and ultimately, you just have to use your common sense."