The dangers of QR codes for security

David Geer investigates the dangers of QR codes and finds this emerging technology is another way for criminals to exploit the same threats

A large number of end-user computers are mobile devices and the lion's share of those are smartphones. APTs are increasingly targeting the mobile market.

"Mobile malware increased more than 1,000-percent in 2012 alone," said Catalin Cosoi, Chief Security Researcher, BitDefender. BitDefender bases this data on analyses of mobile threats it collects via honeypots.


Criminal hackers use malicious QR codes for the same reasons they use any attack on mobile devices: the mobile market is outpacing PCs, creating a bigger target, and these newer, mostly end-user devices (especially smartphones) are the least likely to carry any security software.

Dissecting malicious QR codes

A malicious QR (Quick Response) code contains a link to a website embedded with malware.

"It doesn't matter how the user scans or collects the QR code, eventually the device translates it to a link," said David Maman, Founder and CTO, GreenSQL, who also speaks at conferences on the dangers of malicious QR codes.

The web link then infects the user device with a Trojan.

"It's typically a JavaScript Trojan. When the website comes up, the JavaScript automatically runs, embedding the Trojan into your system," said Dave Chronister, Lead Hacker, Parameter Security, which enterprises contract to perform penetration (pen) tests to audit network security.

Once a Trojan infiltrates a mobile device, it typically reports to the hacker's servers, which automatically transmit any number of other threats through that opening to leech data and wreak havoc.

Freely available tools automate QR code creation so criminal hackers do not have to roll their own.

"The Social Engineering Toolkit has a QR code generator. You can use it to create malicious QR codes," said Chronister. The intent of The Social Engineering Toolkit is that ethical hackers use it to test systems for security vulnerabilities with the enterprise's blessing. However, whether it is good or bad really depends on whose hands it is in.

Attack vectors / infection points

Criminal hackers could distribute malicious QR codes and/or malware through marketing firms that create legitimate codes, through malicious QR code tools, and when people access bogus QR codes unawares. Hackers can compromise systems belonging to marketing firms that create QR codes for their enterprise clients. They can then replace the legitimate codes with malicious ones before the firm distributes them. This creates obvious liabilities for the enterprise that ordered the QR code.

There are also many free apps for creating QR codes already available.

"What would stop someone from putting an app out that adds a JavaScript to the QR codes, which sends people to a secondary site to inject malware on the device?" noted Chronister.

In addition, if malicious QR codes infect smartphones and the enterprise permits these devices to connect to the company network, they can become bridges to the enterprise for malware via the phone's data connection.

Hot new attack vectors, chilling results

Attackers use malicious QR codes in phishing attacks. An attacker could create thousands of business cards purporting to be from Subway that say, 'Free footlong if you join our QR Club', printed next to the malicious code. When recipients scan the code and follow the link, the site could simply respond, 'Thank you for joining the club' while silently installing a Trojan.


"So many companies are using QR codes, how can a consumer tell whether the QR code is from a company they trust or is a forgery?" asked Chronister.

In another attack, APTs can use a cross-site scripting vulnerability on a legitimate website to open a hole to insert a malicious QR code in place of a legitimate code.

"When a web browser pulls up the legitimate site, the QR code referencing the hacker's site is now part of the otherwise benign site and the browser will pull them up together," said Chronister.

Malicious QR codes can also enable a hacker to control cell phones to access messages and GPS, turn on the camera(s), and listen in on phone conversations.

"Even botnet software is showing up on phones, allowing APTs to enlist them into botnets for attacking other systems," said Chronister. The attacker can use the phone as part of an SMS botnet or an Internet botnet to attack countless targets.

What CSOs should do now

The best way to avoid malicious QR codes and protect the enterprise is simply to not use them.

"The codes are really not valuable enough to any company to afford the risk. If the enterprise must use them, ensure they are set up in a way that enables the enterprise to continually validate them as legitimate," said Chronister.
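One way an enterprise could do the continual validation Chronister describes, as an added example that is not from the article or from any vendor it names: keep a registry of the URL each published campaign code is supposed to encode, and compare every code scanned back from distributed material against it, so a substituted code (for instance one altered at the marketing firm) is caught before it reaches customers. The campaign names, registry URLs and decoded payloads below are constructed.

```python
from urllib.parse import urlparse

# Constructed registry: campaign id -> the URL the printed code must encode.
# Assumed example values, not taken from the article.
REGISTERED_CODES = {
    "spring-menu": "https://example.com/menu/spring",
    "loyalty-signup": "https://example.com/join",
}


def check_qr_payload(campaign, payload):
    """Return a list of findings for one decoded QR payload.

    An empty list means the payload matches the registered URL for the
    campaign exactly. Anything else is a reason to pull the printed
    material and investigate who altered the code.
    """
    expected = REGISTERED_CODES.get(campaign)
    if expected is None:
        return ["unknown campaign id: %s" % campaign]
    if payload == expected:
        return []

    findings = []
    parsed = urlparse(payload)
    # A QR payload that is not a web URL at all is not something a
    # campaign code should ever carry.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return ["payload is not a web URL: %r" % payload]

    exp = urlparse(expected)
    if parsed.scheme != "https":
        findings.append("link is not HTTPS")
    if parsed.hostname != exp.hostname:
        findings.append("host %s differs from registered host %s"
                        % (parsed.hostname, exp.hostname))
    if "@" in parsed.netloc:
        # user-info before the host is a classic way to disguise the
        # real destination in a printed link
        findings.append("URL contains user-info before the host")
    if not findings:
        findings.append("same host but different path or query than registered")
    return findings
```

Run `check_qr_payload` over every payload decoded from the proofs and samples pulled from the field; any non-empty result is an audit event.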

Instruct employees not to use QR codes on phones that also attach to the company network.

"If the company uses BYOD, instruct employees of the risks of QR codes," Chronister advised.

Enterprises should already be segregating the wireless guest network from the rest of the infrastructure as well as segregating internal networks with core data from other internal networks. Unfortunately, this is often not the case.

"When we do pen testing, we find that though the enterprise has a guest network, smartphones are connected to the corporate network," said Chronister.

Make sure smartphones and other mobile devices have anti-virus and other anti-malware software installed and updated.

"In the course of our pen testing, we'll see that the network policy says every system that connects to the corporate network is supposed to have anti-virus software installed. Then I will ask to see someone's iPhone. It doesn't have anti-virus software installed, but it's a system and it's on the corporate network," said Chronister.

Long-term Solutions

Ultimately, enterprises will have to continue to refine fine-grained policies and rules that examine log files in depth for network events.

"These help to determine whether, for example, an authorized smartphone connecting to an internal system belongs to someone who happens to be off sick that day," says Maman. Then the network can automatically drop the connection and IT can investigate further.
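The kind of log rule Maman describes, as an added example that is not from the article or from any product it names: correlate smartphone connection events with an HR absence list and with the inventory of devices that actually carry managed anti-malware software (the gap Chronister points out with the unprotected iPhone). The log format, the absence list and the inventory are constructed.

```python
import re

# Constructed connection-log lines in an assumed format; not the output of
# any real product. One line per smartphone session to an internal system.
SAMPLE_LOG = """\
2013-03-04T08:55:10 user=alice device=iphone-a1 dst=hr-db-01 event=connect
2013-03-04T09:12:03 user=bob device=android-b7 dst=fileserver-02 event=connect
2013-03-04T09:40:41 user=carol device=iphone-c9 dst=hr-db-01 event=connect
2013-03-05T10:02:17 user=alice device=iphone-a1 dst=mail-01 event=connect
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) device=(?P<device>\S+) "
    r"dst=(?P<dst>\S+) event=(?P<event>\S+)$"
)

# Assumed feeds from HR and from the device inventory (constructed values).
ABSENT = {"alice": {"2013-03-04"}}             # user -> days recorded off sick
MANAGED_DEVICES = {"iphone-a1", "android-b7"}  # devices with managed anti-malware


def find_suspect_connections(log_text, absent=ABSENT, managed=MANAGED_DEVICES):
    """Return (line_no, reason) for each connection that contradicts policy.

    Rule 1: the account owner is recorded absent on the day of the connection.
    Rule 2: the device is not in the managed anti-malware inventory.
    A hit is a candidate for an automatic drop and follow-up, not proof.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m or m["event"] != "connect":
            continue  # unparsable or non-connection lines are skipped
        if m["day"] in absent.get(m["user"], ()):
            hits.append((n, "user %s is recorded absent on %s" % (m["user"], m["day"])))
        if m["device"] not in managed:
            hits.append((n, "device %s is not in the managed inventory" % m["device"]))
    return hits
```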

But, even such policies cannot detect everything.

"There may not be enough evidence or detail to detect," said Maman.
