
Security attacks via malicious QR codes

Pavitra Shankdhar, March 30, 2015

With the increasing use of smartphones, QR codes are becoming popular. Recently, WhatsApp launched its web version, which requires scanning a QR code before the web client can be used. So many people now know what a QR code is, but many more are still unaware. A QR code is very similar to the bar codes we see on products, but it does not need a dedicated reader: a smartphone camera can read it easily with the help of a QR code scanner app. Because it can be read so quickly, it is now widely accepted, and its use keeps increasing. With one scan of a QR code we can perform tasks that would otherwise take much more effort, for example scanning a code to save business card details to your smartphone. This is why people like to use QR code scanning for everyday tasks. But most users are not aware that QR codes can also be malicious, which is why scammers now use malicious QR codes to trick users.

In this article, I will discuss QR codes in detail and try to cover all the potential security issues related to them.

QR codes

A QR code (Quick Response code) is a matrix bar code that can be read by an imaging device (a camera) and then processed to extract its data. It was initially developed for the automotive industry in Japan, but now it is used by many companies. You may be surprised to learn that the QR code was invented back in 1994 by Denso Wave. Nowadays QR codes are used to display text to users, to save vCard contact information to the user's smartphone, to open a website URL, to encode payment details, for website login (e.g. WhatsApp web login), or to compose an e-mail or text message, all just by scanning the code.

QR codes are really useful and help us complete tasks faster on smartphones. You can open a website just by scanning a QR code, with no need to type the URL manually on your phone. This is why many websites' poster ads now carry a QR code. Another popular use is on business cards: people include a QR code so that others can simply scan it to save the contact details to their smartphone.

See the sample QR code below, which opens a website.

QR code for: https://resources.infosecinstitute.com

Scanning the above QR code will open https://resources.infosecinstitute.com.

How to Generate QR Codes

There are various tools available for this. If you want to generate a QR code with specific information, these tools let you create QR codes for a URL, text, a vCard, an SMS, a call, a geo-location, an event, an e-mail or a login. Different tools have different abilities. A few good QR code generator tools are:

You can use any of the above tools to generate your own QR code.

Lifespan of QR codes

This is a question people generally ask about QR codes. A QR code does not depend on any platform for redirection; the data is held within the code itself. Once a QR code is generated, it can be used anytime, anywhere. The lifespan of a QR code is unlimited, so you do not need to worry about it: generate it and then use it.

Can QR codes be hacked?

A QR code is a square matrix of small black square dots. "Hacking" a QR code would mean changing the action it triggers without modifying the code itself, and this is not possible. QR codes can be malicious and can trigger malicious actions, but such a code will never be identical to the legitimate one: two QR codes with different actions always differ, and you will certainly see different patterns in the two. So QR codes cannot be hacked, but they can be malicious, and hackers can use a QR code for various malicious purposes. There are various reports in which we have seen such malicious acts.

Security Risks Involved with Use of QR Codes

As I already discussed, QR codes can be malicious, so there are various security risks involved with their use. In this section, I will discuss these risks.

Phishing

Phishing is a popular way of hacking web accounts. Attackers send a fake web login page that pretends to be the genuine login page of the website it imitates. When an innocent user logs in through this fake page, his or her login information is sent to the attacker, and the password is now in the attacker's hands.

Phishing is the main security issue involved with QR codes; some security researchers call it QRishing. QR codes are generally scanned with a smartphone camera to visit a website, and many website ads now print a QR code next to the URL so users can quickly scan it. This is where scammers try to trick users. As I already said, QR codes cannot be hacked, so hackers or scammers instead swap the QR code printed on the poster. They can also print similar-looking fake posters and put them up in public places. Innocent customers scan these fake QR codes expecting to visit the advertised website but are redirected to phishing sites. Most people judge a website by its look and feel, and phishing pages look exactly like the legitimate site. On mobile devices it is hard to check the full address: due to limited space, browsers do not show the whole URL in the address field, and most people never try to check it. This makes users more vulnerable. When they log in through the phishing page, their passwords are compromised.

Although this phishing trick has limited scope, it is very effective. Various case studies confirm that people generally trust QR codes and fall victim to QRishing in public places.

Malicious software distribution

Scammers generally use malicious websites to distribute malware via drive-by download attacks. Nowadays most drive-by download attacks target Android users. In a drive-by download attack, a website forcibly downloads software onto your device when you visit it; no action is needed from the user, as visiting the site is enough to trigger the download. Scammers try to install malicious apps and then exploit the device. Infected devices can join an existing botnet or send SMS messages to premium-rate numbers, and can also leak your data.

By using QR codes that point to this kind of malicious website, users can easily be tricked. Users cannot see the URL, so nothing raises their suspicion. With QR codes there is no need to enter the URL manually; users only scan the code, and all they know about it is whatever text is printed next to it.

In Russia, a malicious QR code, once scanned, sent SMS messages to premium-rate numbers costing $5 (USD) per message. Most attacks of this kind have been seen against Android devices.

Pointing to potentially harmful websites

This is similar to the previous point, but it is not about serving malware. Some websites carry browser exploits that can do a lot more harm: they can enable microphone or camera access, access browser data, send e-mails, or enlist the device in a botnet to perform a DDoS attack on a legitimate website. All of this happens in the background, so users never notice; they see only a website while they are being exploited.

How to Protect Yourself from Malicious QR Codes

Malicious QR codes have limited scope, but they can be harmful, so you need to be careful and look after your security while using them. If you are going to scan codes from banners in public places, be selective. There are a few things you can do to protect yourself from malicious QR codes and the attacks they carry.

Observe before use: If you find a QR code on a banner advertisement in a public place, look at it closely. Most of the time, scammers stick their fake QR code over the legitimate QR code on a legitimate poster, so try to see whether it is genuine. You can check by touching the poster: if the code does not look like it is actually printed on the poster, do not use it. Follow this guideline for QR codes in public places; your observation can save you from attacks. If you are not sure, never scan that QR code.

Be suspicious and never give personal or login info: Always be suspicious of the page you land on via a QR code. Never share your personal information on such pages unless the QR code comes from a very trusted source and you trust the website. And yes, avoid entering your login information; it may be a phishing page. For login, always type the URL manually into the browser's address bar. Entering login information on a page you reached via a QR code means putting yourself in big trouble, so why take the risk just to save a little effort? Open a browser, type the address and log in directly on the website.

Look at the URL before proceeding: Some QR code scanners show the actual URL before proceeding and ask you to confirm whether you want to visit it. Use these scanners to see where a QR code will send you; this helps you judge whether the code is malicious, since looking at the QR code itself tells you nothing about that. I therefore recommend using a safe QR code scanner.

Norton Snap is a nice QR code scanner app with built-in security features, available for both Android and iOS. You can use it to prevent malicious activity on your smartphone: it not only shows the URL but also checks it against its database of malicious links and warns you if the QR code contains a malicious URL.

Conclusion

Although QR codes are not new, their use is still quite limited. With the increasing use of smartphones we have seen a sudden rise in the use of QR codes, and various websites and apps now let users log in or complete other tasks with one. But there are still very few users who use QR codes, which is why there is little reporting on malicious ones; nobody wants to spend time on things with low impact. This will change very soon. With the launch of WhatsApp for web, many users now know how to use QR codes, so we can expect another sudden rise in their use. And when a greater number of users rely on them, attackers will surely find new ways to exploit their weaknesses.

As of now QR code risks have limited scope, but with more users they will surely become a bigger risk. In the near future we will also see QR codes used for payments and money transfers, and at that point it will be very important to follow security rules. For now, we only need to use a good, secure QR code scanner app and then relax. Having a good anti-virus and Internet security app is also recommended; it will warn you if a website is a phishing site or is trying to install a dangerous app on your smartphone.

I hope you have found this article interesting. If you use QR codes, do not forget to stay safe.


Pavitra Shankdhar is an engineering graduate and a security researcher. His area of interest is web penetration testing. He likes to find vulnerabilities in websites and to play computer games in his free time. He is currently a researcher with InfoSec Institute.