Malicious QR codes: a mobile security blind spot

It's hard to read in-store signage, magazine or newspaper advertisements or product brochures these days without seeing a Quick Response code (QR code) – the blocky, square two-dimensional barcodes that let smartphone users quickly jump to a Web address by simply taking a photo of the code block.

The codes have proved to be popular with marketers, even if they are not well understood by many mobile users: a recent survey by analyst firm Russell Herder suggested that more than half of all respondents – including more than 80 per cent of respondents in the 18-24 bracket – had seen QR codes, while around 16 per cent of all respondents had actually scanned one.

Tellingly, however, one out of five respondents had no idea what a QR code is. That's around the same percentage – 22 per cent – of Fortune 50 companies that are experimenting with QR codes in their marketing, and not entirely without success: a separate study by Comscore suggested that 14 million US residents scanned QR codes in June 2011 alone.

While marketers wrestle with building demand for the codes, consumers may unwittingly be wrestling with something far more threatening: what if that barcode led your smartphone to a malware-infected Web site? And what if that malware was optimised to target Apple's iOS, Google's Android, or other mobile operating systems with a Trojan that would run in the background and send passwords to its masters?

It's an entirely possible scenario, says Scott McKinnel, Australia-New Zealand managing director with Check Point Software Technologies. "There's a body of evidence to say that people writing QR code-reading applications aren't thinking about security," he explains, noting the general lack of encryption in the codes and the threat posed by 'attack tagging' – printing a QR code with a malicious URL on a sticker and sticking it on top of a legitimate QR code.

Since most QR codes are posted in public places where a replacement sticker is easy to surreptitiously attach – and since most consumers aren't mentally attuned to question the security of QR codes they scan – this kind of attack is likely to become more common over time.

"It's a threat and it is real," says McKinnel, noting that an unscrupulous hacker could read the contents of a QR code, then modify the URL with extra elements that incorporate a security exploit. For example, a QR code could facilitate an attack by malware that makes fraudsters money by getting the phone to repeatedly text a premium SMS number at a cost of dollars per message.

"Compared with the kinds of complex attack vectors you see in conventional programming, this kind of attack is not that difficult," he explains. "Inserting or deleting elements – for example, by adding a command line that would install malware, connect to a remote computer or cause a buffer attack – would not be that difficult."

Although all smartphone operating systems could be subject to exploits of known vulnerabilities, Android devices have proven more susceptible to malware because of Google's relatively open policies on posting new apps. Google recently addressed this by introducing Bouncer, a feature that automatically scans new apps for malware – but resourceful hackers have shown remarkable success in bypassing protections to infect Android smartphones and tablets. The addition of QR codes as a new attack vector, McKinnel warns, could only help them further.

Although conventional mobile security software and URL filtering techniques may go a long way towards stopping mobile users from visiting infected sites, sheer weight of numbers means that most smartphones remain completely vulnerable to new forms of attack. QR code-reading apps could provide a first line of security defence, but few have implemented security-specific capabilities.
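As an added example (not code from the article or from Check Point), here is the kind of pre-flight check a QR-reading app could run on a decoded payload before opening it: it shows the user the real destination host, refuses payloads that trigger a device action (such as sending a premium SMS) rather than a page visit, and flags the tricks that hide where a link really goes. The scheme lists, the shortener list and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

WEB_SCHEMES = {"http", "https"}
# Schemes that make the phone act (text, dial, install) instead of browsing.
# Assumption: illustrative list, not an exhaustive one.
ACTION_SCHEMES = {"sms", "smsto", "mms", "tel", "market", "intent"}
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}  # constructed


def assess_qr_payload(payload: str, expected_domain: str = "") -> dict:
    """Classify a decoded QR payload as 'ok', 'warn' or 'block' with reasons.

    expected_domain is the brand domain printed next to the code, if any;
    a host outside that domain is flagged so the user can compare the two.
    """
    text = payload.strip()
    parts = urlsplit(text)
    if parts.scheme in ACTION_SCHEMES:
        return {"verdict": "block", "display": text,
                "reasons": [f"'{parts.scheme}:' triggers a device action, not a page"]}
    if parts.scheme not in WEB_SCHEMES:
        # Plain text, Wi-Fi config, vCard, unknown scheme: show it, never open it.
        return {"verdict": "warn", "display": text,
                "reasons": ["not a web link; shown as raw text only"]}

    reasons = []
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        reasons.append("plain http: page and downloads can be tampered in transit")
    if "@" in parts.netloc:
        reasons.append("credentials in URL: the real host is after the '@'")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a domain name")
    except ValueError:
        pass  # a normal host name
    if not host.isascii():
        reasons.append("non-ASCII host: possible look-alike domain")
    if host in SHORTENERS:
        reasons.append("link shortener hides the final destination")
    if expected_domain and host != expected_domain \
            and not host.endswith("." + expected_domain):
        reasons.append(f"host '{host}' is not the advertised brand '{expected_domain}'")
    # Display scheme + real host + path so the user sees where they are going.
    display = f"{parts.scheme}://{host}{parts.path}"
    return {"verdict": "warn" if reasons else "ok", "display": display,
            "reasons": reasons}
```

An app would show `display` and `reasons` and require an explicit tap to proceed on `warn`, and never open a `block` payload.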

While smartphone and tablet security solutions are continuing to evolve, in the short term user education has a major role to play in preventing infections through new attack vectors like QR codes. The problem, McKinnel says, is that most smartphone users would be unaware if their devices have been compromised – and few take the time to do basic checks on QR codes, such as looking for the telltale edge of a sticker applied over the real code.

Even though many users have learned to think twice before clicking on an emailed URL that may not lead where it says it will, the relative newness of QR codes means most users are unlikely to exercise the same level of caution – and that makes the codes an extremely open method for attack that may prove able to circumvent normal security controls.

"People tend to take the path of least resistance, and if there's a bargain to be had by visiting a QR code link, they're going to do it," McKinnel explains. "If it's in a legitimate publication and brand, you should be right."

"But if you're having a look at the sticker and don't recognise the brand, or it's on a one-off billboard or something that doesn't feel right, why would you visit that link? This is just another security issue that's adding to the multitude of issues already associated with smartphones. There's another element of a risk that you need to consider when looking at mobile device security – and ultimately, you just have to use your common sense."


Stories by David Braue
