Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: How QR codes can hack your phone

Bhavesh Naik | April 19, 2013
Be careful before scanning QR codes, because you never know what may be lurking behind them.

With the huge popularity in mobile devices like the smartphone and tablets, two-dimensional barcodes, also called QR codes, are beloved by marketers. QR codes, or Quick Response codes, were designed for the automotive industry in Japan. Now, QR codes have become popular outside the industry due to greater reliability and storage space.

Originally designed for industrial application, the QR code has gained popularity in the advertising industry.

image alt text

Now, let's see how they operate on mobile platforms.

QR codes can be used in iOS devices like iPhone/iPad/iPod and Google's Android operating system, as well as third-party applications like 'Google Glass.'

The browsers in these devices support URI redirection, allowing the metadata from the QR code to the existing applications on the device.

It is believed that by the use of this advertising technique, marketers can use the behavior of scanning to get consumers to buy, causing it to have a better impact on the business.

But this huge popularity in the marketing world invites some nasty and gruesome evil - malicious hackers. These attackers depend on human curiosity and the innate obfuscation of the QR codes to craft an attack. If people see a random code that is not connected to anything, maybe just a sticker on the wall, they are going to scan it just because they want to know.

The biggest risk is that people cannot control their curiosity, and end up facing severe consequences.

This is what a pro-American hacker, Jester, was banking on when he decided to change his Twitter avatar to a QR code to craft an attack.

In his blog, he said anyone who scanned the QR code on his Twitter page was redirected to a jolly little greeting via their default web browser on their mobile device on some free web hosting. The greeting on the page featured the word 'Boo!' directly below it.

He claimed that he has exploited the open source Webkit built into the device's default browser. This is the same vulnerability which was exploited in "Mobile Rat, turning Android mobile into ultimate spy tool," as was demonstrated at the RSA conference.

This curiosity pwned the cat thing went on for five days without being noticed. During these five days, the QR code was scanned nearly over 1,200 times and over 500 devices reverse shelled back to the server on listening mode. Tom Teller, a security evangelist at Checkpoint, said "It is a drive-by download attack, where a user scans a bar code and is redirected to an unknown website. Once the website is visited, the modified exploits will affect the system software and additional malware will get deployed, such as keyloggers."

 

1  2  3  Next Page 

Sign up for Computerworld eNewsletters.