Slashdot Mirror


Malicious QR Codes Posted Where There's Lots of Foot Traffic

Orome1 writes "QR codes are very handy for directing users to specific sites by simply scanning them with their smartphones. But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails. They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them on prominent places in locations where there is a lot of foot traffic. According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them."

18 of 89 comments

  1. This could be really dangerous! by Anonymous Coward · · Score: 4, Insightful

    If anyone actually used QR Codes, which they don't, so no harm.

    1. Re:This could be really dangerous! by MrEricSir · · Score: 4, Funny

      This is why I'm sticking with my :CueCat.

      --
      There's no -1 for "I don't get it."
    2. Re:This could be really dangerous! by idontgno · · Score: 4, Informative

      I can only speak for my specific case (Android, using Barcode Scanner app): the app displays the captured image, metadata about the capture, and a decode of the string (recognizing, for instance, that it's a URI QR). BUT does not just hie off to whatever website is indicated. The displayed URI string is clickable, and clicking it does open the URI in the default browser app, but it does take that much human intervention to navigate there.

      A few notable specifics to compare with other situations:

      (A) No OS-native QR code capability. It required an app from the Google App Store (free, but not Free). One of several, it appears.

      (B) There is a configurable option "Retrieve more info" which, when enabled, looks up information about URI/URL QR codes as part of the decode. For instance, after ingesting the sample QR code from the Wikipedia "QR Code" article, the app correctly decodes the URI as "http://en.m.wikipedia.org", but with the "Retrieve more info" option enabled, it adds the descriptor "Wikipedia, the free encyclopedia"... which is the <Title> property at the top of that page, so I guess the app is retrieving the target URL internally and decoding the <Title> at least. Maybe that would be a buffer overflow vector for a well-crafted exploit, so I turn that option off.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:This could be really dangerous! by CanadianRealist · · Score: 3, Interesting

      The problem here is you are being reasonable and thinking logically about what you're doing. I'm sure you've noticed how much the average person hates having to think. Compare your comment with the average YouTube comment and see if you don't notice a difference.

      Now, try behaving like the average person for a bit: point at the QR code and then click whatever link pops up. Come on, you've already done more than enough thinking: putting the app on your phone, loading the app and pressing a button while aiming at the QR code. Now you want to have to think some more, think about where that link is going to take you?

      I bet the problem makes much more sense now.

    4. Re:This could be really dangerous! by Eythian · · Score: 3, Informative

      The source code for the Barcode Scanner app can be found here: http://code.google.com/p/zxing/source/browse/trunk

      It is free as in Free, Apache 2.0 license.

    5. Re:This could be really dangerous! by History's+Coming+To · · Score: 2

      There will always be ways around it - imagine a QR which links to a shortened URL (say http://du.rr/7en3if8), which is a link to http://www.myhackedblog.com/1/2/3/4/5/a/b/c/redirect.htm which links to http://www.cnn.com.news.hackeddomain.com/reallyfunnypicture.com

      You think anybody is going to be able to check there isn't a malicious script at the end of that? The vast, vast majority of people won't even be able to check the trail beforehand, they either have to click or not click, and it's A FUNNY PICTURE!

      Which is why we need a very clear THIS IS THE END POINT protocol, no shortened URLs, no redirect services. Back in the day a redirect or script call to an external URL was seen as being dodgy; now it's de rigueur because of the advertising industry. Now we're going back full circle.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    6. Re:This could be really dangerous! by chronokitsune3233 · · Score: 2

      This is my method. Chrome opens up on my mobile, and I open a new tab. Go to "Bookmarks > Desktop Bookmarks" et voilà! Easy peasy! Even better is the ability to open a page that you had been viewing on your phone/tablet in the desktop version of Chrome. I prefer to read with less scrolling and zooming, but that's just a personal preference, I suppose.

      --
      I have been a captive in America my entire life. Everybody and everything uses customary units instead of metric.
    7. Re:This could be really dangerous! by TheLink · · Score: 2

      Include/embed a funny picture/video in addition to the malware payload and people will even spread the link for you.

  2. I don't use QR codes by dmomo · · Score: 3, Funny

    No way. Rick Astley? Goatse? Not worth the risk.

    1. Re:I don't use QR codes by emurphy42 · · Score: 3

      I love how those two things are like equally heinous in your book. :)

      I scan 'em once in a blue moon, but my phone app shows you the URL and asks confirmation, so at least there's that.

  3. Re:Yes, and my /. id is smaller than yours by SuperKendall · · Score: 4, Funny

    Now I will need to disable them in Google Glasses or something.

    The Glasses! They do something!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Norton Snap QR code reader by doug141 · · Score: 3, Informative

    It'll check out the site before connecting you, and is one of the few free code readers that doesn't require location permissions.

  5. Obfuscated URLs by agiacalone · · Score: 5, Interesting

    Any time you obfuscate the underlying address in a URL you pose a security risk.

    QR codes are no different than shortened URL services like bit.ly or goo.gl. All of these have the potential to take users to malicious websites because they can't be easily identified by the human reader.

    1. Re:Obfuscated URLs by tlhIngan · · Score: 2

      QR codes can contain more than just a URL.

      They can contain a phone number, for example. Like when that Samsung bug was exposed where you dial a specific number and it factory-resets your phone. Scan the QR code, tap "go" and boom, phone's reset and you've lost all your data, games, contacts, etc.

      Just do it with something like "call this number to get free minutes" or something...
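      The checks the comments above argue for, as an added example that is not from the thread or from the Barcode Scanner/ZXing project: idontgno's decode-and-show-before-navigating step, the shortened-URL and look-alike-host chain from History's Coming To's comment, and tlhIngan's point that a QR payload may be a tel: URI rather than a web link. The shortener list, the TLD set and the two-label registrable-domain approximation are constructed assumptions for illustration, not any real reader's logic.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed list for illustration: the shorteners named in the thread plus the
# hypothetical du.rr from the redirect-chain comment. A real reader would use a
# maintained list rather than this one.
KNOWN_SHORTENERS = {"bit.ly", "goo.gl", "du.rr"}
COMMON_TLDS = {"com", "net", "org"}  # deliberately partial; heuristic only


@dataclass
class Verdict:
    kind: str                              # "web", "phone" or "text"
    target: str                            # what to show the user before acting
    warnings: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Crude approximation without a public-suffix list: the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(payload: str) -> Verdict:
    """Say what tapping "go" on a decoded QR string would do, and why to hesitate."""
    payload = payload.strip()
    scheme, _, rest = payload.partition(":")
    scheme = scheme.lower()
    if scheme == "tel":
        v = Verdict("phone", rest)
        # '*' and '#' are MMI/USSD control characters: a "number" containing them can
        # be a handset service code rather than an ordinary call.
        if any(c in rest for c in "*#"):
            v.warnings.append("tel: payload contains * or #: a service code, not a plain call")
        return v
    if scheme in ("http", "https"):
        host = (urlsplit(payload).hostname or "").lower()
        reg = registrable_domain(host)
        v = Verdict("web", payload)
        if reg in KNOWN_SHORTENERS:
            v.warnings.append(f"shortened URL ({reg}): the final destination is hidden")
        # www.cnn.com.news.hackeddomain.com: a TLD-like label left of the real
        # registrable domain means a familiar brand is being used as bait.
        if any(label in COMMON_TLDS for label in host.split(".")[:-2]):
            v.warnings.append(f"host embeds another domain name; the site actually visited is {reg}")
        return v
    return Verdict("text", payload)
```

      A reader built this way would display `Verdict.target` and any warnings and wait for a tap, which is the behaviour idontgno describes, instead of opening whatever the sticker says.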

  6. Malicious QR codes are nothing by BeerAndLoathing · · Score: 2

    I'm far more afraid of vicious gangs of Keep Left signs

  7. Re:Does anyone use QR codes? by davebarnes · · Score: 2

    Yes,
    They are very useful on real estate For Sale signs.

    --
    Dave Barnes 9 breweries within walking distance of my house
  8. Haven't We Known This For Centuries? by IonOtter · · Score: 2

    If you insert your reproductive organs into an unverified orifice, or allow unverified reproductive organs or objects into your orifice, you run the risk of catching an infection.

    Why should sticking a QR code into your phone be any different?

    --
    [End Of Line]
  9. I've always thought QR codes were dumb. by sootman · · Score: 2

    At least in the realm of getting a small bit of info from a printed surface into a modern (i.e., powerful) mobile device. Why not just have some human-readable text in a nice machine-readable font inside a distinctly-shaped box? Mobile devices can easily read lots of kinds of text, but a) this one has high reliability and b) the font itself conveys the purpose. For a shape, the existing QR box -- a square with three smaller squares -- would work, or it could be something new.

    This would solve THREE problems: 1) much less chance of malicious URLs, 2) you wouldn't need to scan it with a machine to see if you even want it in the first place, and 3) they'd be much easier to generate.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.