No Winners at QR Code Roulette

Last year a friend had a bright idea for a party game that involved a series of QR codes in a circle on paper. He called it QR Code Roulette. Unlike the gambling game, selecting the right 2D barcode did not make you a winner. It turned out that every QR code contained a URL to an Internet shock site. As soon as I or our other friends scanned a QR code with our phones we witnessed things that probably can’t be unseen. This was a good prank, but fortunately due to my distrust of autoloading and autorunning code I had an app that previewed the URL. If the address were a risky site or malware download I could choose not to visit the URL.

McAfee Download URLs via QR codes arranged in a circle
These QR codes are safe. They point to McAfee mobile security downloads and our Virus Information Library. To verify, download one of the QR code apps mentioned and view the preview URL.

My friend’s little joke drove home the necessity of not blindly scanning every QR code I run across. Some of my colleagues aren’t as lucky. I was discussing a recent threat of malware distributed by QR codes with a couple of coworkers who are penetration testers. They test the security of their clients’ networks and systems nearly daily and are very skilled computer security professionals. Although both of them had QR code-scanning apps on their phone, neither had one that could provide a preview of the URL. I ended up suggesting a couple of free barcode-scanning apps that would keep them from being unpleasantly surprised.

Although distributing mobile malware through QR codes is becoming popular, it’s not a new idea. Security researcher Felix “FX” Lindner described similar attacks about three years ago at the 24th Chaos Communications Congress and DefCon 16. FX claimed that newspaper ads with QR codes are trusted implicitly by readers (“It’s in print; it must be true”) and would make a good vector for exploits and malware. The functionality that enabled the attacks was the automatic loading and following of URLs in QR codes. Point your phone at the QR code and you end up downloading mobile malware.

 

Screenshot of FX at Defcon 16 on barcodes
In 2007-2008 FX publicly painted a number of scenarios in which QR codes could be used maliciously. We have since seen malicious QR codes that link to mobile malware.

The risk from such downloaded malware is still relatively low, as these are not drive-by downloads. Users would still need to choose to install the JAR or APK files on their smartphones. The risk from exploits, though, is one to worry about. An attacker who places a link to a modified Apple iOS jailbreak exploit or an Android root exploit can take over a victim’s device or steal sensitive information (emails, social network credentials, credit card numbers, etc.).

As I told my two colleagues, there are a number of free QR code- and barcode-scanning apps with preview functions for both Android and Apple iOS. The following are my suggestions for safer QR code scanners:

Google Android

App Author
Google Goggles Google
Barcode Scanner ZXing

Apple iOS

App Author
Red Laser Occipital/eBay
Bar-Code Roberto Sonzogni

 

Protecting yourself from malicious QR codes and avoiding shock sites, mobile malware, and exploits doesn’t have to be too difficult.

  • Use a mobile QR code-/barcode-scanning app that previews URLs
  • Avoid suspicious URLs (for example, domains that don’t match ads, shortened URLs)
  • Do not play “QR Code Roulette” 🙂

 

Leave a Comment

8 − 8 =