Forgot your password?
typodupeerror
Security Wireless Networking

Malicious QR Code Use On the Rise 234

Posted by Soulskill
from the time-to-incorporate-rorschach-verification-tech dept.
New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"
This discussion has been archived. No new comments can be posted.

Malicious QR Code Use On the Rise

Comments Filter:
  • by dotancohen (1015143) on Friday December 30, 2011 @01:09PM (#38540392) Homepage

    Use a service that will decode it for you. With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes. At least with QR the code can be decoded locally, with software that you trust.

    • by SQLGuru (980662) on Friday December 30, 2011 @01:26PM (#38540630) Journal

      I've never used a QR code reader that auto-navigated to a link. The ones I use will display the content/data....and if it's a URL, will show the URL as a hyperlink. It's up to me to click it. This includes the QR code reader built on my phone.

      I don't think I would want a reader that worked any other way. Especially considering that the QR code can contain more than just a link.

    • by bmo (77928) on Friday December 30, 2011 @01:30PM (#38540686)

      >With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.

      That is why God made preview.tinyurl.com

      --
      BMO

      • by jhoegl (638955) on Friday December 30, 2011 @01:36PM (#38540782)
        I made no such thing mere mortal!
      • by GIL_Dude (850471) on Friday December 30, 2011 @01:58PM (#38541022) Homepage
        For Chrome users, the LinkPeelr extension works well to pre-decode links for you in a little tooltip window. I've been using it for quite some time and it seems to work pretty well. Saves your from many a rickrolling or goase link. Although I guess when people bounce them through several layers of link shortener it doesn't work for that.
      • That is why God made preview.tinyurl.com

        --
        BMO

        1) That wasn't God, that was a computer programmer.

        2) You still have to trust TinyURL. If TinyURL is compromised or malicious, then I am at risk or blocked. TinyURL is a US company, so it someone uses a TinyURL to point to a Syrian website, I might not be able to get through. Likewise, if TinyURL itself is hacked, I am vulnerable.

        • by bcmm (768152)
          Supposed the website you were trying to access was hacked?
          • Supposed the website you were trying to access was hacked?

            Exactly. Under the understanding that all web services are vulnerable, using TinyURL just doubled the chances that the user will be exposed to an attack vector.

            • by bmo (77928)

              >using TinyURL just doubled the chances that the user will be exposed to an attack vector.

              I'm calling bullshit. I'm not saying that preview.tinyurl.com is bulletproof, but over the years they have demonstrated competence in keeping the bad people out of their servers.

              Yes they are a target.

              But claiming that they cannot be trusted because of some theoretical threat means that you have an agenda bordering on libel. You owe them an apology, sir.

              --
              BMO

        • My personal God is a computer programmer, you insensitive clod!

          (If you don't trust TinyURL, then don't even load the preview. The point is that a QRCode by itself shouldn't be able to do anything, since you can always see the URL it points to, at least with any decent reader)

          • My personal God is a computer programmer, you insensitive clod!

            Jesus built my car. It's a love affair. Mainly Jesus, and my hot rod.

            If you don't trust TinyURL, then don't even load the preview. The point is that a QRCode by itself shouldn't be able to do anything, since you can always see the URL it points to, at least with any decent reader

            That is exactly my point. Always look at the URL before going any further.

            • Jesus built my car. It's a love affair. Mainly Jesus, and my hot rod.

              I bet. So you must be intimately aware that he was an architect previous to his career as a profit...and that Jerry Lee Lewis is the devil...btw

      • >With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.

        That is why God made preview.tinyurl.com

        So your God will ensure people with malicious intent will always use a URL shortener with a preview function? Sounds like a nice guy.

    • by Fez (468752) * on Friday December 30, 2011 @02:00PM (#38541064)

      Which is where LongURL [longurl.org] comes in handy, it can show you every redirect taken and what the final destination of a short link is, including when they try to be sneaky and redirect after the "bad" page to something like google.

  • by Nadaka (224565) on Friday December 30, 2011 @01:09PM (#38540394)

    Does anyone have a QR code to a Rick Roll?

  • by DaphneDiane (72889) * <tg6xin001@sneakemail.com> on Friday December 30, 2011 @01:10PM (#38540402)

    The QR scanner app [apple.com] that I use has an option to show the URL before going to it which seems like a good approach, though it's not on by default. Seems like having the a such an option be the default would be a good first step, perhaps with a straight through exception for sites already visited.

  • by LikwidCirkel (1542097) on Friday December 30, 2011 @01:11PM (#38540432)
    This just in:
    Clicking a hyperlink may result in being directed to a malicious site.

    Considering 99% of uses don't check the URL of hyperlinks, I'm not sure how QR codes are any different... they're just physical hyperlinks for camera phones.
    • by gstrickler (920733) on Friday December 30, 2011 @01:29PM (#38540674)

      We should all sue BT, after all, they claim they invented the hyperlink [slashdot.org], therefore, they should be liable for the damages of malicious hyperlinks. My theory is based upon the premise that the most effective way to fight abuse of the legal system is to use it against the abusers thereby costing them billions of dollars. Call it an "economic sanction".

    • by crymeph0 (682581)
      Absolutely, this is no different than before - if you see a URL spray-painted on the side of a building, would you type it in without up-to-date antivirus?
    • In other news: some people have such crappy security that they are actually *afraid* of going to random links.
  • by cmv1087 (2426970) on Friday December 30, 2011 @01:12PM (#38540438)
    http://bit.ly/rCBPp7 [bit.ly] You don't know where that link goes until you click it. So, what do you do?
  • by icebike (68054) * on Friday December 30, 2011 @01:13PM (#38540462)

    You can do a lot with QR codes that have no destination at all, they are not restricted to web links. [qrstuff.com]
    They can be simple text messages, address book entries, phone numbers, wifi network set up instructions, calendar events, etc.

    But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect
    the content visually before acting on it. They ask if you want to proceed.

    Of course one could argue the click-thru generation does not know enough to evaluate the content, but then
    these are the same people that no amount of malware/antivirus software can protect. They do the same with
    links in email links.

    • by cras (91254)

      But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.

      Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect.

      Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them. That's why potentially security sensitive questions shouldn't have such simple buttons, but rather two (radio?) buttons that require you to read (and hopefully understand) what you're doing, such as: "Replace network settings from QR" and "Keep the existing network settings".

      • by icebike (68054) *

        Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them. That's why potentially security sensitive questions shouldn't have such simple buttons, but rather two (radio?) buttons that require you to read (and hopefully understand) what you're doing, such as: "Replace network settings from QR" and "Keep the existing network settings".

        It varies by implementation of course, but most offer a choice of actions depending on the type of QR code.
        For instance, with the android version I am running right now, a simple Vcard via QR code, offers me a choice of add to address book, call number, sms number, etc.
        Additionally there is the normal "Back" button which does nothing.

    • by stesch (12896)
      I've searched for some time until I found a QR code scanner for iOS that does show me the URL first. There aren't many of them, I'll tell you. :-( The 6th was the right one, after I asked on Twitter, Reddit, a mobile phone newsgroup, and a Mac newsgroup. Qrafter is the name.
      • by icebike (68054) *

        The first to market for IOS was RedLaser. It always asks.

        • by stesch (12896)
          I bought my iPhone this December and the high rated Apps (even searched the web for lists of QR scanners) never ask. Maybe they were first, but finding anything via the iPhone is tedious. It's better on the iPad, but I can't try 10 or 20 Apps for just one feature.

          As for RedLaser: I think I've avoided it because of the company name "eBay Inc."

      • one called 'scan' can be set to ask first as well.
        • by stesch (12896)
          That's the second time today I read about it, but there's no preferences option in this App. Do I have to tripple tap it with four fingers?

          Scan is the first QR code scanner I installed on my iPad and later on my iPhone. There is nothing to change any options.

          I look again: There's just the History

          ARGHL! THERE IT IS! The settings are hidden on the history page!? WTF?

    • Hmm. Is QR Turing complete?

    • by bhtooefr (649901)

      There actually is a way - the same way that iOS avoids malware installation.

      The problem is, it's whitelisting.

      • by icebike (68054) *

        There actually is a way - the same way that iOS avoids malware installation.

        The problem is, it's whitelisting.

        Not really practical.

        Look, QR codes are meant to convey information, just like a note pad, or tablet. Who whitelists what you write on the back of your business card?

        What if I want to give you my Vcard on my phone via a QR code so you can scan it to add me to your contacts, who becomes the whitelisting authority? Do I have to first appeal to Apple to be able to display a contact as a QR code?

        All QR codes do not go to websites. Its just a method of writing, not a central clearing house.

  • This won't deter people, look at the popularity of URL shortening services for a reference. It's a tool and it has a potential for misuse. People are assholes, story at 11.
  • I mean, it was just another way to exploit the trust of unsuspecting and most of the time, non-internet-savvy public, armed with the gizmo of the day, called smartphones. What could possibly go wrong ? It is just like giving a loaded gun to the hands of a adolescent child with raging hormones and telling him or her just shoot people who are really-really bad and nobody else. You are just trusting the judgment of totally untrustable person. If you expect a better outcome than this, good luck to you.
    The probl
  • Shock Value (Score:5, Funny)

    by DigitalGodBoy (142596) on Friday December 30, 2011 @01:21PM (#38540570) Homepage
    A while back, a friend of mine at a university printed up several dozen flyers with a QR code pointing to LemonParty and posted them around campus. Hilarity ensued as he took pictures of people's reactions as they scanned them.
  • How hard is it to sandbox a visit to a URL? Malicious or not, nothing is going to get out if the sandbox is properly designed... and it's not like it's hard to do, it just requires a bit of forethought and planning.
  • by Anonymous Coward

    Submitter EliSowash, editor Soulskill; please, when you folks put together summaries in the future...

    ...link things like QR code [wikipedia.org]; don't expect us to know all abbreviations out there.

  • "In the simplest of terms, a QR code is a 2D barcode that can store data which can then be read by smart phone users. The data is an easy way to direct a user to a particular website with a simple scan of the QR code, but it could also just as easily be a link to a malicious website."

    If visiting a "malicious site" can harm your phone, switch to a secure browser. Unless you are locked into Safari, then you are screwed.

  • How... about.... using... an other QR reader that shows the destination first???
    Still you don't know if you can trust the link, but at least you know where you're going.

  • Hey, another Slashdot summary ended with a forecast of impending doom disguised as a handwringing question, written by someone who doesn't know what he's talking about.

    QR codes are a method for encoding text. If your decoder does stupid stuff (like visit links automatically) with that decoded text then get a different decoder.

    Forget QR codes, most links on the web are quadruple encoded! They're sent to you in binary (of all things). When you turn that back into decimal you end up with ASCII code (!) and

  • Users don't want protection, they want simplicity. As soon as you try to secure something it makes things "hard" and they go back to doing insecure things for the sake of simplicity, or, they just don't use it at all.

    The simple login/pass texfield on a webpage is a great example. It used to be easy and simple but now every one of them has some form of a super-secure captcha that is so secure the human eye cannot even discern it. A simple thing has been bastardized to the point it's to frustrating to use.

    May

  • Where's the OCR? (Score:5, Insightful)

    by Doc Ruby (173196) on Friday December 30, 2011 @02:10PM (#38541160) Homepage Journal

    I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead? Maybe a standard font that's easy for OCR to read, like that MICR [wikipedia.org] font they invented for check numbering in the 1960s. Maybe at first the phone just sends the image up to a server, for 3D->2D reformation and reading. But it would eliminate this problem.

    And also the IDN homograph attack [wikipedia.org] that will surely become more widespread with the increase in Unicode in the Web and gradually in URLs. Your phone would be set to decode the URLs as your home character set, that you recognize, for opening as a URL - not the arbitrary URL composed of the similar looking but different valued Unicode characters.

    WYSIWYG URLs. An idea whose time has come.

    • Re: (Score:3, Informative)

      by benjamindees (441808)

      The obvious answer is that QR codes are useful to scan something with crappy resolution, like a phone display, using something with crappy resolution, like a phone camera, and to process it in real-time using something with crappy computing power, like a phone cpu. The fact that it works at all is really kind of amazing.

      • by Doc Ruby (173196)

        Phone displays and cameras are routinely in the megapixel range. As I pointed out, the image can be processed at the server. I don't see why practically every smartphone, and most featurephones, can't do the OCR.

    • by mdmkolbe (944892)

      Yes! Please! So many QR codes are in-place-of rather than in-addition-to a human-readable URL. If I don't have my phone with me or don't want to bother digging it out of my pocket (or don't even have a QR-enabled phone), then the QR code is just obfuscation.

      Smart people will always include a human-readable URL next to the QR code, but given that most QR designers evidently aren't smart enough for that, I'll settle for a human-readable QR.

    • by sco08y (615665)

      I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead?

      Okay, a QR code can transmit up to a kilobyte of data, with error correction, even with blurring. But you can't read it.

      A typical MICR code is a roughly 10 digit account or routing number, and it's typical use case is it's printed on a check that has information indicating which way is up, and is scanned by a machine with a fixed lens.

      Even with an OCR font, any blurring makes features run together, so you have to get the focal length just right. The MICR fonts only handle numerals; many English glyphs are h

    • by Carnildo (712617)

      QR codes have the benefits of a higher information density and significant error checking/correction ability. MICR has an error rate of 1 per 100,000 characters, which works out to about one error per thousand URLs scanned. QR codes have an error rate of essentially zero: the ECC information means that when a scan error occurs, it either gets corrected or reported.

  • The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it."

    Are you sure? Wanna try some Snow Crash?

  • As far as I've been able to make out, while QR codes have different possible applications, the only application for which I've ever seen them used is for encoding URLs in posted advertisements. And in every case, the URL was printed adjacent to the QR code block, and usually was short and obvious, e.g., on a poster for www.example.com, there's the URL, http://www.example.com/ [example.com] and a QR code, that when scanned and translated, presents the URL, http://www.example.com/ [example.com]. Since I'd have to take a photo of the QR

  • If you can't read the link to know where it leads, how can you possibly avoid phishing attacks with a QR code? This technology is a wet dream for spammers and malware authors! They can send you anywhere, and you can't even see where they're sending you.

    URL shortening services are bad enough. I disagree with posting shortened URLs except in a twitter feed.

  • how do we protect unsuspecting users from QR codes, where you can't see the destination at all?

    By having clicking links never be dangerous or risky.

    I don't know about you, but when I load a web page, I expect my browser to display a web page, not download and execute foreign code, nor run that code as with my permissions.

    The old advice of "don't click a link if you don't know where it goes" was stupid. Not stupid in the sense that it shouldn't be heeded, but that it was an acknowledgement that peoples' bro

  • by kobotronic (240246) on Friday December 30, 2011 @10:19PM (#38545350)

    Depending on how your phone scanner app is configured, QR code URL content may be shown on the screen as a link you can choose whether or not to open. But the links are often shortened so as to make for a smaller or less dense QR code box. And that puts this "risk" in the same category and amount as following any other bit.ly "mystery meat" link that resolves on the redirect service in a redirect to the real destination.

    If your browser is built like shit and visiting a "maliciously constructed" webpage can cause code execution on your system, well that's still not a problem with the QR code technology.

    QR is vulnerable to "spoofing" in the sense that for example a printed advert with a link on it to download an endorsed phone app - could with a cheaply produced sticker placed over the legitimate code become corrupted so the new code points to some other app. With Android's allowance for un-regulated third-party app installations, there is some concern there that this could lead to unwitting users downloading and installing a malicious app that masquerades as the endorsed, legitimate one.

    The solution here could be to extend the established Android app signing system to have an "advisory" service that ranks the credibility of the individual app signing developers and publishers and as part of the app installation process can give you a heads-up hey wait a minute this app publisher has a strongly negative trust ranking maybe you shouldn't install it.

    I want nothing like Apple's walled garden, but a voluntary model where you can get a "green seal" as a trustworthy app publisher and specifically trusted apps, might go a long way.

The major difference between bonds and bond traders is that the bonds will eventually mature.

Working...