The dangers of QR codes for security

David Geer | Aug. 20, 2013
David Geer investigates the dangers of malicious QR codes and finds this emerging technology is yet another way for criminals to exploit the same old threats

A large number of end-user computers are mobile devices and the lion's share of those are smartphones. APTs are increasingly targeting the mobile market.

"Mobile malware increased more than 1,000 percent in 2012 alone," said Catalin Cosoi, Chief Security Researcher, BitDefender. BitDefender bases this data on analyses of mobile threats it collects via honeypots.

Criminal hackers use malicious QR codes for the same reasons they use any attack on mobile devices: the mobile market is outpacing PCs, creating a bigger target, and these newer, mostly end-user devices (especially smartphones) are the least likely to carry any security software.

Dissecting malicious QR codes
A malicious QR (Quick Response) code contains a link to a website embedded with malware.

"It doesn't matter how the user scans or collects the QR code, eventually the device translates it to a link," said David Maman, Founder and CTO, GreenSQL, who also speaks at conferences on the dangers of malicious QR codes.

The web link then infects the user device with a Trojan.

"It's typically a JavaScript Trojan. When the website comes up, the JavaScript automatically runs, embedding the Trojan into your system," said Dave Chronister, Lead Hacker, Parameter Security, which enterprises contract to perform penetration (pen) tests to audit network security.

Once a Trojan infiltrates a mobile device, it typically reports to the hacker's servers, which automatically transmit any number of other threats through that opening to leach data and wreak havoc.

Freely available tools automate QR code creation so criminal hackers do not have to roll their own.

"The Social Engineering Toolkit has a QR code generator. You can use it to create malicious QR codes," said Chronister. The intent of The Social Engineering Toolkit is that ethical hackers use it to test systems for security vulnerabilities with the enterprise's blessing. However, whether it is good or bad really depends on whose hands it is in.

Attack vectors / infection points
Criminal hackers could distribute malicious QR codes and/or malware through marketing firms that create legitimate codes, through malicious QR code tools, and when people access bogus QR codes unawares. Hackers can compromise systems belonging to marketing firms that create QR codes for their enterprise clients. They can then substitute the legitimate codes with malicious ones before the firm distributes them. This creates obvious liabilities for the enterprise that ordered the QR code.
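One check an enterprise can run on codes received from a vendor before they are printed or published, shown as an added example that is not part of the original article: decode each code with any QR reader and vet the resulting string against the landing hosts that were actually approved. The host names, function names and sample strings are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the landing hosts the enterprise approved for this campaign.
APPROVED_HOSTS = {"www.example.com", "promo.example.com"}

def vet_qr_payload(payload, approved_hosts=APPROVED_HOSTS):
    """Return (ok, reason) for one string decoded from a QR code."""
    text = payload.strip()
    # Check first: urlsplit() silently drops embedded tabs and newlines.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return False, "control character in payload"
    try:
        parts = urlsplit(text)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme or '(none)'!r} is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present, real host is after the @"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    host = (parts.hostname or "").rstrip(".")
    if host not in approved_hosts:
        return False, f"host {host!r} is not approved"
    return True, "ok"

def audit_batch(payloads):
    """Return [(payload, reason)] for every payload that fails vetting."""
    results = ((p, vet_qr_payload(p)) for p in payloads)
    return [(p, reason) for p, (ok, reason) in results if not ok]

# Constructed sample: strings as a QR reader would return them.
SAMPLE = [
    "https://www.example.com/offer?id=1",
    "HTTPS://Promo.Example.com/summer",
    "http://www.example.com/offer?id=1",
    "https://www.example.com.landing.test/offer",
    "https://www.example.com@landing.test/offer",
    "javascript:void(0)",
]

if __name__ == "__main__":
    for payload, reason in audit_batch(SAMPLE):
        print(f"REJECT {payload!r}: {reason}")
```

An exact host match is deliberate: a prefix or substring comparison would accept the look-alike host in the fourth sample.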

There are also many free apps for creating QR codes already available.

"What would stop someone from putting an app out that adds a JavaScript to the QR codes, which sends people to a secondary site to inject malware on the device?" noted Chronister.

In addition, if malicious QR codes infect smartphones and the enterprise permits these devices to connect to the company network, they can become bridges to the enterprise for malware via the phone's data connection.

