Quick Response Codes
Invented by the Toyota subsidiary Denso Wave in 1994 to track vehicles during the manufacturing process
What are QR Codes?
• QR Codes are like barcodes for mobile phones and can contain text, URLs, videos etc.
• A barcode can only hold a maximum of 20 digits, whereas a QR Code can hold up to 7,089 characters.
• QR Codes allow people to learn more about a product or service, download apps and music, advertise items for sale and even add people on Facebook.
Where are they found?
• They are used in magazines, on food wrappers, on t-shirts, for selling houses etc.
The Facts
• QR codes are viewed as a significant threat by many application security professionals.
• QR scanning traffic from 2010 to 2011 alone increased by 4549%.
• Users in the 35-44 years age bracket are the most likely to use QR scans (26%), followed by the 55+ age bracket at 13%.
SOURCE: http://www.sba-research.org/wp-content/uploads/publications/QR_Code_Security.pdf
http://static.aws3.mobioid.com/files/pdf/The-Naked-Facts-Whiplash-Edition-Q1-2011.1.pdf
Recent Reports
• A recent article from McAfee in 2011 reported the use of QR codes in malicious attacks.
• Consumers were fooled into downloading a malicious Android app called “Jimm”, which sent SMS messages to a premium rate number that charged 6 USD for each message.
SOURCE: http://blogs.mcafee.com/mcafee-labs/android-malware-spreads-through-qr-code
How do they work?
• Many new mobile devices can scan a QR code using the phone's camera.
• The code works by ‘Auto tagging’, whereby a fixed HTML address is placed/tagged in the QR code.
• Once a QR code is scanned, the mobile web browser directs the user to the URL contained in the code.
Mobile Platforms Most at Risk
• There are 2 major platforms most at risk: Apple’s iOS and Google’s Android system.
• On the iPhone, malware can be installed via jail-break exploits which are typically hosted on the attacker's website.
• On Android, instead of jail breaking, criminals are redirecting users to download malicious applications.
It's easy to generate a QR Code!
• The following website generates QR codes based on user input, which can be a URL, text, phone number or SMS. In fact, the choices are virtually unlimited. http://qrcode.kaywa.com/
• For example, I created a URL link to AltoroMutual.
• This is what the HTML code looks like; the destination URL is carried, percent-encoded, in the d parameter:
<img src="http://qrcode.kaywa.com/img.php?s=12&d=http%3A%2F%2Fwww.altoromutual.com%2F" alt="qrcode" />
User Awareness
1. Cautious Scanning: As the popularity of QR codes grows, new methods of attack will also grow. Currently the safest way to protect yourself is to be cautious about scanning QR codes and to avoid anything that looks suspicious.
2. No automatic redirection: Use tested scan tools that don’t automatically direct you to the website. What should appear when automatic redirection is disabled?
3. QR Pal Scanner: Users can use SafeScan to check against its internal blacklist, which is made up of known bad URLs.
4. VPN4ALL: Offers mobile VPN solutions that encrypt a user’s data over any type of Internet connection, costing $9.95 from http://www.vpn4all.com
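As an added example (not part of the original slides or of any scanner product named here), the following Python shows what a scanner that refuses automatic redirection can present instead: it classifies the decoded payload, extracts the real destination from a kaywa-style generator URL, and checks the host against a blocklist before asking the user. The blocklist entry and the flagged-host heuristics are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed blocklist standing in for a scanner's list of known bad hosts.
BLOCKLIST = {"bad-apk.example"}

def classify(payload: str) -> str:
    """Map a decoded QR payload to the content kinds a generator offers."""
    low = payload.strip().lower()
    if low.startswith(("http://", "https://")):
        return "url"
    if low.startswith("tel:"):
        return "phone"
    if low.startswith(("sms:", "smsto:")):
        return "sms"
    return "text"

def inspect_url(url: str) -> dict:
    """Describe a URL the way a non-redirecting scanner should show it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if host in BLOCKLIST:
        warnings.append("host is on the blocklist")
    if parts.scheme != "https":
        warnings.append("not https")
    if "xn--" in host:
        warnings.append("internationalized (punycode) host name")
    if host.replace(".", "").isdigit():
        warnings.append("host is a raw IP address")
    if "@" in parts.netloc:
        warnings.append("user name embedded before the host")
    # "block" for listed hosts; everything else still needs a user decision.
    action = "block" if host in BLOCKLIST else "ask"
    return {"host": host, "warnings": warnings, "action": action}

def encoded_target(img_src: str) -> str:
    """Recover the URL a kaywa-style generator embeds in its d parameter."""
    query = parse_qs(urlsplit(img_src).query)  # parse_qs percent-decodes
    return query.get("d", [""])[0]

def triage(payload: str) -> dict:
    """Full report for one scanned payload; nothing is opened automatically."""
    kind = classify(payload)
    report = {"kind": kind, "payload": payload}
    if kind == "url":
        report.update(inspect_url(payload))
    else:
        report["action"] = "ask"  # tel:/sms: can cost money, so confirm too
    return report
```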
Demo
• To demonstrate this, my Blackberry phone has QR Code Scanner Pro installed. Going to http://qrcode.kaywa.com/ I created a link to AltoroMutual, scanned it and was automatically directed to the site with no user verification needed.
Who’s most vulnerable?
SOURCE: http://static.aws3.mobioid.com/files/pdf/The-Naked-Facts-Whiplash-Edition-Q1-2011.1.pdf