Quick response, quick risk?

You don’t have to look far these days to spot a QR code. From their humble beginnings in labeling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.

They’re a jumping-off point from the offline to the online world – you just scan the code with your smartphone to launch the digital content triggered by the code. This makes them a marketeer’s dream because they make it easy to direct users toward information and services. What’s more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.

However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware. The concept of “drive-by downloads’ is already well established as a stealth weapon for stealing users’ sensitive details, and QR code offers a new angle on this old trick.

A matter of trust
The issue is that users have to trust the integrity of the code’s provider, and assume that the destination it leads to is legitimate. This is almost impossible for individuals to gauge, because the QR code actually conceals the site and content it leads to. And as we’ve seen in social engineering exploits from the email worms of the early 2000s, triggering human curiosity to see what might happen when an attachment is clicked, or a QR code is scanned, often leads to big security problems.

Furthermore, QR code-scanning applications running on smartphones can provide a direct link to other smartphone capabilities, such as email, SMS, and application installation – further extending the potential risks to mobile devices. Let’s look at how a potential QR code-based exploit could be mounted, and then at how to defend against it.

Code read
The first step in mounting a QR exploit is to distribute the code itself, to get it in front of potential victims. This could happen by embedding the QR code in an email – making it an elaborate phishing exploit – or by distributing plausible-looking physical documents with QR code on them, for example flyers at a trade show, or even stickers applied to genuine advertisement billboards.

Once the QR code is distributed, then the attacker has a multitude of scam options to choose from. At a basic level, the code could simply redirect users to fake websites for phishing purposes – such as a fake online store or payment site. This exploits smartphones’ small screens, and the fact that the user may be in a rush, to obscure the difference between the fake and real site in the hope of capturing more user details.

More sophisticated exploits involve hackers using the QR code to direct users to websites that will “jailbreak’ their mobile device – that is, allow root access to the device’s operating system, and install malware. This is essentially a drive-by download attack on the device, enabling additional software or apps such as keyloggers and GPS trackers to be installed without the user’s knowledge or permission.

Targeting the mobile wallet
Perhaps the biggest potential risk to users is increasing uptake and use of mobile payments via smartphones. With the ability of QR codes to jailbreak devices and tap into applications, this could give virtual pickpockets access to mobile wallets, especially as QR-based payment solutions already existing and in use. While uptake of these is currently small, it will grow as public acceptance of QR increases.

So what can organisations and individual users do to mitigate risks from QR codes? The most important precaution is being able to establish exactly what link or resource the QR code is going to launch when it is scanned. Some (not all) QR scanning apps give this visibility and – critically – ask the user to confirm they wish to take the action. This gives the opportunity for users to assess the link’s validity before the code is activated. For corporate smartphones, consider deploying data encryption so that even if a malicious QR code manages to install a Trojan on the device, sensitive data is still protected and not immediately accessible or usable by hackers.

In conclusion, the risks presented by QR codes are really a new spin on well-established hacking tricks and exploits. The security basics still apply – be cautious about what you scan, and use data encryption where possible. Or put simply: look before the QR leap.