QR Code security
Recent years have seen an increase in the use of QR Codes in marketing and promotions to quickly link people with advertisements as well as software downloads.
This is the problem that we at K7 would like to point out, one that most users are not aware of: a QR code can carry any information at all. Good, bad, neutral, useless, harmful, tricky, basically anything you can think of that fits into the image. And it can hold quite a lot: over 4294 characters (source: Wikipedia). But how much it can hold is not the important part; what matters is the information it actually contains, because that is what gets transferred to your phone the moment you scan it.
It can be a link to a website or a direct link to download an application. If you do not know what the code contains, it can just as easily point to a malware or phishing website, or to a trojaned or bogus application. You may think the difference is easy to spot. Say the link shows up as “your_winning_ipad.apple.boguswebsite.com”: you will recognise it as fake and you won't click on it. OK, smart move; that is clearly a fake and bogus-looking link. But what if the QR code contains a link shortened with one of the many free URL-shortening services, so that it ends up looking like this: http://goo.gl/RenvT (shortened using the goo.gl service)? So what do you do now? The only way to find out where it leads is to click on it, and you are curious.
This article could serve as a fairly easy guide for cybercriminals, but I guess they have already thought of all this and have used it on many occasions.
What is actually more dangerous is QR code masquerade: a way to slip dangerous content into a QR code by replacing the original QR code image. How does it work? Say you are a respected, well-known company and your campaign on your website, in a magazine, at the bus stop, in the subway or inside the bus carries a QR code that you want potential clients to scan so they are entered into a competition for prizes. A great tool for spreading brand awareness and promoting new products or services.
But what if somebody gets into the publishing process before printing and, with a tiny amendment, changes the QR code image? Or somebody places a sticker with a different QR code over your advert on the bus, at the bus stop or in the subway? What happens then? Your potential customers will be scanning something else, and you will be exposed not only to embarrassment from a simple link switch to, say, a porn site or a joke picture, but potentially to a malware or phishing website that keeps harvesting your customers' details, damaging your reputation and inviting lawsuits from the people who scanned your QR code. And you won't be able to tell which QR code is the wrong one, or which medium was tampered with, because they all look pretty much the same. If somebody amends the QR code on your website, how long will it take you to notice? I guess you will find out with the first phone call from an angry user.
If you are the user, check what you are scanning. If you trust the company that provided the QR code you are about to scan, go ahead. But if you don't like the content of the page you are redirected to, get out of it. What if it is a link to an application? Check the application's comment board and see what other users have to say about it.
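A payload inspector covering the two tricks described earlier, the brand name buried in a subdomain and the shortened link, as an added example that is not part of the original post. It takes the text a scanner app decodes and reports what the phone would actually visit before the user taps; the shortener list and the app-download suffixes are assumptions, and the domain extraction is a naive two-label heuristic with no public-suffix list.

```python
"""Inspect the text decoded from a QR code before acting on it (added example)."""
from urllib.parse import urlsplit

# Assumed shortener hosts; goo.gl is the one the post mentions.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
# Assumed suffixes that mean "install an application", not "view a page".
APP_SUFFIXES = (".apk", ".ipa", ".exe", ".jar")
# Schemes a scanner may act on directly without showing a web page at all.
ACTION_SCHEMES = {"tel", "sms", "mailto", "market", "intent"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive heuristic, no public-suffix list).

    your_winning_ipad.apple.boguswebsite.com -> boguswebsite.com, which is the
    site the phone really visits no matter how the left-hand labels read.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list reasons a user should hesitate."""
    parts = urlsplit(payload.strip())
    warnings = []
    if not parts.scheme:  # plain text, contact card without scheme, bare host
        return {"kind": "text", "domain": None, "warnings": warnings}
    if parts.scheme in ACTION_SCHEMES:
        warnings.append(f"'{parts.scheme}:' payload triggers an action, not a page")
        return {"kind": "action", "domain": None, "warnings": warnings}
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme '{parts.scheme}'")
        return {"kind": "other", "domain": None, "warnings": warnings}
    host = parts.hostname or ""
    domain = registrable_domain(host)
    prefix = host.lower().split(".")[:-2]  # labels left of the registrable domain
    if host in SHORTENER_HOSTS:
        warnings.append("shortened link: destination is hidden until followed")
    if prefix and prefix != ["www"]:
        warnings.append(f"site visited is {domain}; leading labels are decoration")
    if parts.path.lower().endswith(APP_SUFFIXES):
        warnings.append("direct application download")
    if parts.scheme == "http":
        warnings.append("plain http: page can be altered in transit")
    return {"kind": "url", "domain": domain, "warnings": warnings}


if __name__ == "__main__":
    for sample in ("http://goo.gl/RenvT",
                   "http://your_winning_ipad.apple.boguswebsite.com/win"):
        print(sample, inspect_payload(sample))
```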
If you are a company planning to deploy QR codes, be aware of the consequences. Put QR codes only in places where you are sure they cannot be replaced or modified. Run the campaign for a limited time period, so the exposure window is not indefinite. That way your QR codes cannot be misused after the campaign is over, and you will know that the codes are gone after that.
K7 Computing UK and Ireland
Prepared by Jan Zeleznak