Malicious QR Code Use On the Rise
New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"
Use a service that will decode it for you. With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes. At least with QR the code can be decoded locally, with software that you trust.
It is dangerous to be right when the government is wrong.
Does anyone have a QR code to a Rick Roll?
The QR scanner app that I use has an option to show the URL before going to it, which seems like a good approach, though it's not on by default. Seems like having such an option be the default would be a good first step, perhaps with a straight-through exception for sites already visited.
Provide a preview of what is behind it before actually sending off to the url.
When a QR code is scanned, display the link with an option to follow or cancel? Now we're in the same situation as any other link presented to someone.
Google goggles and QR scanner on Android both show the destination.
This just in:
Clicking a hyperlink may result in being directed to a malicious site.
Considering 99% of users don't check the URL of hyperlinks, I'm not sure how QR codes are any different... they're just physical hyperlinks for camera phones.
http://bit.ly/rCBPp7 You don't know where that link goes until you click it. So, what do you do?
Didn't we talk about this before?
So I guess my point is. Who cares?
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
You can do a lot with QR codes that have no destination at all, they are not restricted to web links.
They can be simple text messages, address book entries, phone numbers, wifi network set up instructions, calendar events, etc.
But every implementation I've seen of a QR code reader in Android and iOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.
Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect. They do the same with links in emails.
Sig Battery depleted. Reverting to safe mode.
I could just see it now: this gets exploited by some guy with a sharpie, some whiteout and patience...
don't most people not know how to use QR codes, anyway?
This won't deter people, look at the popularity of URL shortening services for a reference. It's a tool and it has a potential for misuse. People are assholes, story at 11.
You get tired of walking around doing nothing.
I mean, it was just another way to exploit the trust of the unsuspecting and, most of the time, non-internet-savvy public, armed with the gizmo of the day, called smartphones. What could possibly go wrong? It is just like putting a loaded gun into the hands of an adolescent child with raging hormones and telling him or her to just shoot people who are really, really bad and nobody else. You are just trusting the judgment of a totally untrustworthy person. If you expect a better outcome than this, good luck to you. :)
The problem I see with these QR codes is that most of them direct you to a bit.ly or tinyurl.com link. Why is it so hard to put the full URL into it? When I see that bit.ly link on the scanned QR code, the first thing I do is hit the back/exit/escape key and run like hell. But give the phone to my 80-plus-year-old mom or 10-year-old child and see where they hit.
I was wondering when this was going to be a headline, until today that is
__________
The more I know people, the more I love animals
A while back, a friend of mine at a university printed up several dozen flyers with a QR code pointing to LemonParty and posted them around campus. Hilarity ensued as he took pictures of people's reactions as they scanned them.
"liberty and justice for all those who can afford it"
How hard is it to sandbox a visit to a URL? Malicious or not, nothing is going to get out if the sandbox is properly designed... and it's not like it's hard to do, it just requires a bit of forethought and planning.
File under 'M' for 'Manic ranting'
Submitter EliSowash, editor Soulskill; please, when you folks put together summaries in the future...
... tell people not to scan them.
this only works if the user knows for a fact that, say, Coca-Cola isn't running some sort of viral internet ad campaign as goatse.cx.. it could be animated animals with the new Coke X for all people know.
perhaps a better method might be to have the scanner software "cloud based"(wooo buzz words!) and server side pull a thumbnail of the site to be displayed.
sure you get goatse'd.. but you don't get ZOMG I GAWTS YER UDID!!!111'd
They're extremely useful though. Given that QR codes are ultimately text, there really should be a preview of what you're about to execute. Just a simple text preview of the information embedded in the code.
If visiting a "malicious site" can harm your phone, switch to a secure browser. Unless you are locked into Safari, then you are screwed.
The exploit would need to be for mobile devices... Not many known URL exploits for iPhone.. Your mileage may differ.
How... about.... using... an other QR reader that shows the destination first???
Still you don't know if you can trust the link, but at least you know where you're going.
Privacy is terrorism.
There is. And there is.
Hey, another Slashdot summary ended with a forecast of impending doom disguised as a handwringing question, written by someone who doesn't know what he's talking about.
QR codes are a method for encoding text. If your decoder does stupid stuff (like visit links automatically) with that decoded text then get a different decoder.
Forget QR codes, most links on the web are quadruple encoded! They're sent to you in binary (of all things). When you turn that back into decimal you end up with ASCII code (!) and when you sort that out you're left with HTML! Finally, once you get rid of the HTML you're left with a URL! What are we to do?! How are ordinary users supposed to understand this binary-ASCII-HTML-URL witch's brew?
Users don't want protection, they want simplicity. As soon as you try to secure something it makes things "hard" and they go back to doing insecure things for the sake of simplicity, or, they just don't use it at all.
The simple login/pass textfield on a webpage is a great example. It used to be easy and simple, but now every one of them has some form of a super-secure captcha that is so secure the human eye cannot even discern it. A simple thing has been bastardized to the point it's too frustrating to use.
Maybe QR codes have simply had their day. Let's not "extend" them.
Join the Slashcott! Feb 10 thru Feb 17!
If the summaries include descriptions of all possible acronyms or phrases included in the discussion, it's not really a summary is it?
http://lmgtfy.com/?q=QR+Code
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.
Some QR codes can store over 4000 alphanumeric characters. Since these codes are used for other stuff as well (e.g., vCards on convention passes) I'm sure there's an exploit somewhere out there which one could use.
http://userscripts.org/scripts/show/40582
I use this Greasemonkey script for similar reasons.
It works on shorteners in addition to bit.ly and displays the real URL automatically
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
QR obfuscates where there's actually a strong desire to know it all.
I have the ATT code scanner on my phone. When you scan a code a dialogue box pops up and says "Do you want to visit...?" and it gives the actual URL. This article is like saying "malicious URLs can be hidden behind seemingly valid URLs by means of redirects so therefore you should be concerned about clicking on links on the internet."
if your life is such a big joke then why should I care?
I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead? Maybe a standard font that's easy for OCR to read, like that MICR font they invented for check numbering in the 1960s. Maybe at first the phone just sends the image up to a server, for 3D->2D reformation and reading. But it would eliminate this problem.
And also the IDN homograph attack that will surely become more widespread with the increase in Unicode in the Web and gradually in URLs. Your phone would be set to decode the URLs as your home character set, that you recognize, for opening as a URL - not the arbitrary URL composed of the similar looking but different valued Unicode characters.
WYSIWYG URLs. An idea whose time has come.
--
make install -not war
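The comment above proposes showing a URL only in the user's home character set and falling back to the raw form otherwise. The following is an added example of that policy, not code from the thread or from any reader app: it decodes any xn-- (punycode) labels in a host, checks which Unicode scripts the letters belong to, and shows the Unicode host only when every script is one the user reads; otherwise it shows the ASCII xn-- form so a look-alike is visible as such. The home-script set and the sample hosts are constructed for the example.

```python
"""Show IDN hostnames in the viewer's own script, or as raw xn-- labels
(added example; the home-script policy and samples are assumptions)."""
import unicodedata
from urllib.parse import urlsplit


def decode_label(label):
    """Turn an ACE label ('xn--...') back into Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label):
    """Turn a Unicode label into its ACE ('xn--...') form; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def letter_scripts(text):
    """Set of script names ('LATIN', 'CYRILLIC', ...) of the letters in text.

    The script is taken from the first word of the Unicode character name,
    which is good enough to tell Latin from Cyrillic, Greek, etc.
    """
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def display_host(url, home_scripts=frozenset({"LATIN"})):
    """Decide how to present the host of a URL to someone who reads home_scripts.

    Returns a dict with the form to show, the fully decoded Unicode host, the
    scripts outside the home set, and a flag saying whether the host should be
    treated as a possible look-alike.
    """
    host = urlsplit(url).hostname or ""
    labels = [decode_label(part) for part in host.split(".")]
    unicode_host = ".".join(labels)
    ascii_host = ".".join(encode_label(part) for part in labels)
    foreign = letter_scripts(unicode_host) - set(home_scripts)
    if foreign:
        # Letters from a script the user does not read: show the raw ACE form
        # so that a Cyrillic 'a' cannot pass for a Latin one on screen.
        return {"show": ascii_host, "unicode": unicode_host,
                "foreign_scripts": sorted(foreign), "suspicious": True}
    return {"show": unicode_host, "unicode": unicode_host,
            "foreign_scripts": [], "suspicious": False}


if __name__ == "__main__":
    # Constructed samples: a plain host and a Cyrillic host that looks like "apple".
    for sample in ["http://www.example.com/page", "http://xn--80ak6aa92e.com/"]:
        result = display_host(sample)
        print(sample, "->", result["show"], "(suspicious)" if result["suspicious"] else "")
```

Run stand-alone, the script prints the plain host unchanged and keeps the Cyrillic host in its xn-- form for a Latin-script reader; passing home_scripts={"LATIN", "CYRILLIC"} would instead show it decoded, which is the per-user policy the comment describes.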
Are you sure? Wanna try some Snow Crash?
Why doesn't the gene pool have a life guard?
And given how many exploits are propagated by ads and server hacks of well-trusted sites (Facebook, Drudge, etc. have all been sources of ad-viruses), it gives a false sense of security. I've had many a user convinced that they could never get a virus because of the sites they visited; they got one, and browser history showed Facebook, and I had to explain how virus distribution works to them.
Best way to set your users free from having to think about such things: uninstall Java JRE, uninstall Acrobat Reader (and install Foxit), update Flash, get them using Chrome. Their browser will autoupdate, and there won't be any plugin 0-days to exploit.
How is this any different than any other situation involving links? What makes this a QR Code specific problem?
Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.
It isn't always a browser vulnerability being exploited. For instance, meatspin.com is perfectly safe to browse as it only corrupts your brain.
Hmm. I wonder if the standard code includes processing instructions or branches. If so, the code itself could be a program to do something. I would like to see a QR code that is also a Piet program! :D
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
erm ... so you think if your browser is safe, it's totally okay to visit goatse?
Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.
Imagine being at the book store with your children, family, friends, etc. and thumbing through magazines to pass away the time. Now I know a streaker could AT ANY TIME run through the place and just wreck the friendly atmosphere, but he would be kicked out, and aside from that you wouldn't expect to randomly turn a magazine page to child porn, a rick roll, snuff film, man's stretched asshole, or other obscenity, unless you went to a place that sold those things.
Is it wrong to want little sanctuaries like that? I could go to another bookstore if I wanted, but I don't like sipping coffee with a book next to a rack of dildos. A little discretion, that's what people want. You can call it censorship or whatever if you want, but people want a little of that in public places, and that's what the Internet is.
I can appreciate the Internet for what it is, a weird private-public place, I do, but it's not being treated by most like the seedy underground cesspool it really is, and that bugs me. You SHOULD worry about clicking on a link - it was designed that way. It is analogous to the kind of physical places that make you want to take a bath after visiting. An AWESOME place for grey/black markets and all sorts of counter-culture memes. Places where you watch your back constantly, and most people would rather not go.
Something IS fundamentally wrong with advocating it as a safe place for the public to do business and socialize. And we should stop laughing at people who get ripped off and abused by it. Nobody is "asking for" the kind of abuse you find on this network, and there is no safe alternative provided.
As far as I've been able to make out, while QR codes have different possible applications, the only application for which I've ever seen them used is for encoding URLs in posted advertisements. And in every case, the URL was printed adjacent to the QR code block, and usually was short and obvious, e.g., on a poster for www.example.com, there's the URL, http://www.example.com/ and a QR code, that when scanned and translated, presents the URL, http://www.example.com/. Since I'd have to take a photo of the QR code block, let it analyze the image, and accept the presented URL and open a Web browser from that link, I've ended up taking more time and going through more steps than I would have by just typing in the damned URL to begin with.
In practice, the only reason to bother with QR codes at all is for the sake of novelty, and that wears thin very quickly. If QR codes as a malware vector becomes common, I think everyone will just stop using them entirely.
I've wondered if it would be possible to create an app that would tell you which squares to colour in so it redirects a QR code somewhere else
If you can't read the link to know where it leads, how can you possibly avoid phishing attacks with a QR code? This technology is a wet dream for spammers and malware authors! They can send you anywhere, and you can't even see where they're sending you.
URL shortening services are bad enough. I disagree with posting shortened URLs except in a twitter feed.
I do not fail; I succeed at finding out what does not work.
We make the standard expected behavior for any legitimate QR code reading app [...] Your app doesn't do that? MALWARE.
Are you insinuating that people are going to write illegitimate QR code readers that don't display the URL specifically in the hope that someone will use one of them to scan a link to a malicious web page, as opposed to just putting the payload in the reader app itself?
erm ... so you think if your browser is safe, it's totally okay to visit goatse?
OK, yes, I think there should be some reasonable expectation of "decency" (however one defines it), much as changing channels on TV might expose you to ideas you don't like but generally won't inflict goatse upon you.
But TFA isn't talking about that - it's talking about using QR codes as an ATTACK vector for malware - essentially tricking people into (virtually) clicking on links which will then perform drive-by-downloads or whatnot upon their PCs.
My point is that the very existence of drive-by-downloads is a damning indictment of browsers, email programs, and the like. It's as if certain TV channels caused your TV to explode, or to become a camera instead of a TV and start watching your every move. Even if I did accidentally click over to the goatse channel, I could click away without the image having changed the basic functioning of my TV set.
"We"? How the fuck are "we" responsible for what security vulnerabilities the browser developers - which most of "us" aren't - leave open? Should I complain to Michael Schumacher that my Renault is running hot? After all, he's one of the "car people".
Dilbert RSS feed
What the blinkety blank is a QR code? The description in the summary makes it sound like one of those obscure two-dimensional barcode formats, none of which ever caught on to any meaningful extent, but then it starts talking about clicking on it, like it's a link in a web page or something. Wait, what? Who the heck clicks on barcodes? I'm missing something.
Cut that out, or I will ship you to Norilsk in a box.
No doubt. You can put javascript in a QR code (similar to the old 'bookmarklets'). It's not common, so I'm not sure that all mobile QR readers will actually handle the javascript, but it's a possible vector.
By having clicking links never be dangerous or risky.
I don't know about you, but when I load a web page, I expect my browser to display a web page, not download and execute foreign code, nor run that code with my permissions.
The old advice of "don't click a link if you don't know where it goes" was stupid. Not stupid in the sense that it shouldn't be heeded, but that it was an acknowledgement that people's browsers were totally broken and the advice should have been withdrawn a week later after people got the hole fixed. Of course the joke is that the holes don't ever get fixed.
What really sucks is that QR codes are primarily used by mobile users, and they tend to run recent browsers rather than legacy shit. (Seriously, mobile Safari and the Android equivalent are pretty damn good browsers and perversely better than what most people use on their desktops.) Their browsers really ought to not be so broken that loading a page could be risky. Apparently that's not the case? *sigh*
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
With TinyURL, you can ALWAYS change the URL, so if someone gives you a link of
http://tinyurl.com/6qq9399
instead, change it to
http://preview.tinyurl.com/6qq9399
and you'll get this
Preview of TinyURL.com/6qq9399
This TinyURL redirects to:
http://www.youporn.com/search?query=bukkake&type=straight
Proceed to this site.
every day http://en.wikipedia.org/wiki/Special:Random
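Two points from the thread fit together in one piece of code: the earlier comment that QR payloads are often not links at all (text, contacts, Wi-Fi setup, phone numbers), and the preview.tinyurl.com trick just above for seeing where a shortened link goes before following it. The following is an added example, not code from the thread or from any reader app. It starts from the text a QR decoder hands back (the image decoding itself is assumed to be done by a library such as zbar), classifies the payload so a reader can show a preview and ask before acting, flags links on a constructed list of shortener hosts, and rewrites tinyurl.com links to their preview form. The sample payloads are constructed.

```python
"""Preview a decoded QR payload before acting on it (added example; the
shortener list and sample payloads are assumptions, not thread content)."""
import re
from urllib.parse import urlsplit

# Constructed list of redirect/shortener hosts whose links hide the destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}


def parse_wifi(payload):
    """Parse a 'WIFI:T:WPA;S:net;P:pass;;' payload into a dict of its fields."""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.upper()] = value
    return fields


def classify(payload):
    """Describe what a QR payload would do if acted upon, without acting on it.

    Returns a dict with the payload kind, a human-readable preview, and an
    ask_first flag; anything that opens, joins, calls or runs something is
    always ask_first, and plain text is the only kind that is not.
    """
    text = payload.strip()
    low = text.lower()
    if low.startswith(("http://", "https://")):
        host = urlsplit(text).hostname or ""
        return {"kind": "url", "host": host,
                "shortened": host in SHORTENERS,  # destination hidden behind a redirect
                "preview": text, "ask_first": True}
    if low.startswith("javascript:"):
        # Script URLs have no business in a scanned code: surface them, never run them.
        return {"kind": "script", "preview": text, "ask_first": True}
    if low.startswith("wifi:"):
        f = parse_wifi(text)
        return {"kind": "wifi",
                "preview": "Join network %s (%s)" % (f.get("S", "?"), f.get("T", "open")),
                "ask_first": True}
    if low.startswith("begin:vcard"):
        name = re.search(r"^FN:(.*)$", text, re.MULTILINE | re.IGNORECASE)
        return {"kind": "vcard",
                "preview": "Contact: " + (name.group(1).strip() if name else "?"),
                "ask_first": True}
    if low.startswith("tel:"):
        return {"kind": "phone", "preview": "Call " + text[4:], "ask_first": True}
    # Plain text has nothing to execute; just show it.
    return {"kind": "text", "preview": text[:80], "ask_first": False}


def preview_url(url):
    """Rewrite a tinyurl.com link to the preview.tinyurl.com form from the
    comment above, which shows the destination without following the
    redirect. Returns None for any other host."""
    parts = urlsplit(url)
    if parts.hostname == "tinyurl.com" and parts.path.strip("/"):
        return "http://preview.tinyurl.com" + parts.path
    return None


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would hand them over.
    for sample in ["http://tinyurl.com/6qq9399",
                   "WIFI:T:WPA;S:CoffeeShop;P:hunter2;;",
                   "BEGIN:VCARD\nVERSION:3.0\nFN:Ada Lovelace\nEND:VCARD",
                   "Just some text"]:
        info = classify(sample)
        print(info["kind"], "->", info["preview"], "(ask first)" if info["ask_first"] else "")
        if info["kind"] == "url" and info["shortened"]:
            print("   shortened link; preview via", preview_url(sample))
```

The classifier deliberately never follows anything: a reader built this way shows the preview string and the ask_first flag to the user, and only a tinyurl.com link gets a second, still passive, step of offering the preview page.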
Depending on how your phone scanner app is configured, QR code URL content may be shown on the screen as a link you can choose whether or not to open. But the links are often shortened so as to make for a smaller or less dense QR code box. And that puts this "risk" in the same category and amount as following any other bit.ly "mystery meat" link that resolves on the redirect service in a redirect to the real destination.
If your browser is built like shit and visiting a "maliciously constructed" webpage can cause code execution on your system, well that's still not a problem with the QR code technology.
QR is vulnerable to "spoofing" in the sense that, for example, a printed advert with a link on it to download an endorsed phone app could, with a cheaply produced sticker placed over the legitimate code, become corrupted so the new code points to some other app. With Android's allowance for unregulated third-party app installations, there is some concern that this could lead to unwitting users downloading and installing a malicious app that masquerades as the endorsed, legitimate one.
The solution here could be to extend the established Android app signing system to have an "advisory" service that ranks the credibility of the individual app signing developers and publishers and as part of the app installation process can give you a heads-up hey wait a minute this app publisher has a strongly negative trust ranking maybe you shouldn't install it.
I want nothing like Apple's walled garden, but a voluntary model where you can get a "green seal" as a trustworthy app publisher and specifically trusted apps, might go a long way.
Saw that one coming...
*It's not what you can do for the Dark Side but what the Dark Side can do for you!*
What, no Snow Crash references?
It gripped her hand gently. 'Regret is for humans,' it said.
Exactly! And it's not even difficult to make the chain of links explicit or to give people the environment they want. There's software for the first one, which should just be standard and automatic everywhere. And there's also a solution for the second issue. Slashdot has been using it for years. Give people the option to see different levels of grossness. If I want my world squeaky clean, I have my settings at "5." Or, at the other end, at "0." No censorship involved, and yet people can control at least that part of their own world.
Of course, that would require the big 4 browsers and the big search engines to cooperate in open source, transparent rating/moderation schemes, and everyone who puts anything on the web to be at least vaguely honest in their initial self-rating for where they fit in the scheme of things. And, yeah, I know, what are the chances of that?
Sorry. I trimmed the last line. Let me add it back:
How about you don't be a fucking retard and learn how to do a web search?
I'll help even more since you are obviously more retarded than I first thought:
http://lmgtfy.com/?q=QR+decoder
http://lmgtfy.com/?q=QR+decoder+firefox
And for even more help - the first result in each case.
Of course I suspect clicking a link is beyond your mental abilities, so I'm not sure why I'm bothering.
the whole article is about the problem that TinyURLs hide the link target, while good URLs speak for themselves. Something like domain.tld/messages/inbox is quite obvious, something like sho.rt/bla is not.
I don't even need to invoke Rule 34 - it's that bloody obvious!
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"