2. What are QR Codes?
• QR Codes are like barcodes for mobile phones which can contain text,
URLs, videos etc.
• A barcode can only hold a maximum of 20 digits, whereas a QR Code can
hold up to 7,089 characters.
• QR Codes allow people to learn more about a product or service,
download apps and music, advertise items for sale and even to add
people on Facebook.
3. Where are they found?
• They are used in magazines, on food wrappers, t-shirts, selling
houses etc.
4. The Facts
• QR codes are viewed as a significant threat by many application security
professionals.
• QR scanning traffic from 2010 to 2011 alone increased by 4549%.
• Users in the 35-44 years age bracket are the most likely to use QR scans (26%)
followed by the 55+ age bracket at 13%.
SOURCE: http://www.sba-research.org/wp-content/uploads/publications/QR_Code_Security.pdf
http://static.aws3.mobioid.com/files/pdf/The-Naked-Facts-Whiplash-Edition-Q1-2011.1.pdf
5. Recent Reports
• A recent article from McAfee in 2011 reported the use of QR codes in
malicious attacks.
• Consumers were fooled into downloading a malicious Android app called
“Jimm”, which sent SMS messages to a premium rate number that charged 6
USD for each message.
SOURCE: http://blogs.mcafee.com/mcafee-labs/android-malware-spreads-through-qr-code
6. How do they work?
• Many new mobile devices can scan a QR code, using the phone’s camera to
read the code.
• It does this by ‘Auto tagging’, whereby a fixed HTML address can be
placed/tagged in the QR code.
• Once a QR code is scanned, a mobile web browser directs the user to the
URL link within the code.
7. Mobile Platforms Most at Risk
• There are 2 major platforms most at risk: Apple’s iOS and Google’s
Android system.
• On the iPhone, malware can be installed via jail-break exploits which are
typically hosted on the attacker’s website.
• On Android, instead of jail breaking, criminals are redirecting users to
download malicious applications.
9. It’s easy to generate a QR Code!
• The following website generates QR codes based on user input which can
be a URL, text, phone number or SMS. In fact, the choices are virtually
unlimited.
http://qrcode.kaywa.com/
• For example, I created a URL link to AltoroMutual.
• This is what the HTML code looks like:
<img src="http://qrcode.kaywa.com/img.php?s=12&d=http%3A%2F%2Fwww.altoromutual.com%2F" alt="qrcode" />
10. User Awareness
1. Cautious Scanning: As the popularity of QR codes grows, new methods of attack
will also grow. Currently the safest way to protect yourself is to be cautious of
scanning QR codes and avoid anything that looks suspicious.
2. No automatic redirection: Use tested scan tools that don’t automatically direct
you to the website. What should appear when automatic redirection is disabled?
3. QR Pal Scanner: Users can use SafeScan to check against its internal blacklist, which
is made up of known bad URLs.
4. VPN4ALL: Offers a mobile VPN solution that encrypts a user’s data through any
type of Internet connection and costs $9.95 from http://www.vpn4all.com
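As an added example (not part of this presentation or of any of the tools it names), the Python below shows what a scanner following the “no automatic redirection” advice could display before the user confirms: it classifies the decoded payload (URL, tel:, SMSTO: or plain text), checks the host against a blacklist of the kind SafeScan keeps, and lists reasons to pause. The blacklist hosts and the sample payloads are constructed for the example; the tel:/SMSTO: prefixes are assumed to follow the common QR conventions.

```python
# Added example (not from the presentation): preview a decoded QR payload
# instead of acting on it, as the "no automatic redirection" advice suggests.
# Blacklist entries and sample payloads are constructed, not real indicators.
from urllib.parse import urlsplit

# Stands in for a scanner's internal list of known bad hosts (constructed).
BLACKLIST = {"malware-download.example", "premium-sms-app.example"}


def classify(payload: str) -> dict:
    """Return what the payload would do, without doing it."""
    p = payload.strip()
    lower = p.lower()
    if lower.startswith(("http://", "https://")):
        parts = urlsplit(p)
        host = (parts.hostname or "").lower()
        warnings = []
        if host in BLACKLIST:
            warnings.append("host is on the blacklist")
        if parts.scheme == "http":
            warnings.append("plain HTTP, no TLS")
        if parts.username is not None:
            warnings.append("user@ prefix can disguise the real host")
        if host.replace(".", "").isdigit():
            warnings.append("host is a bare IP address")
        if parts.path.lower().endswith(".apk"):
            warnings.append("link points straight at an Android package")
        return {"kind": "url", "target": host, "warnings": warnings}
    if lower.startswith("tel:"):
        return {"kind": "phone", "target": p[4:], "warnings": ["would place a call"]}
    if lower.startswith("smsto:"):
        number = p[6:].split(":", 1)[0]
        return {"kind": "sms", "target": number,
                "warnings": ["would send an SMS; premium-rate numbers cost money"]}
    return {"kind": "text", "target": p, "warnings": []}


def preview(payload: str) -> str:
    """One-line summary a scanner could show before asking the user to confirm."""
    r = classify(payload)
    flag = " [BLOCK]" if "host is on the blacklist" in r["warnings"] else ""
    notes = "; ".join(r["warnings"]) or "no warnings"
    return f"{r['kind']} -> {r['target']}{flag} ({notes})"


if __name__ == "__main__":
    for sample in ("http://www.altoromutual.com/",            # constructed samples
                   "http://www.altoromutual.com@premium-sms-app.example/jimm.apk",
                   "SMSTO:+12125551234:Hello", "just some text"):
        print(preview(sample))
```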
11. Demo
• To demonstrate this my Blackberry phone has QR Code Scanner Pro
installed. Going to http://qrcode.kaywa.com/ I created a link to
AltoroMutual, scanned this and was automatically directed to the site
with no user verification needed.