QR Tags Can Hide Malicious Links, Experts Warn

QR tags have become the next big thing in interactive marketing. But as smart phone users flock to the trendy, postage-stamp sized bar codes, researchers are warning that they could be used to hijack mobile phones by directing them to malicious Web pages.


In a post on the mobile security blog Kaotic Neutral on Saturday, researcher Augusto Pereyra demonstrated a practical attack that would link a malicious QR tag to an Internet-based attack server running an instance of the Metasploit penetration testing framework. Similar attacks could be used to push malicious programs to vulnerable mobile devices that scan the QR tag, he said.

As mobile devices become a sought-after conduit for advertisers, there’s increasing concern about physical-world attacks using interactive displays and advertising that could push malicious programs to smart phones. QR – or “Quick Response” – barcodes were first developed by a Toyota subsidiary to streamline supply chain activities, but have since been adopted outside the auto industry because they can easily store and convey large amounts of data and be deployed anywhere that bar codes can be, including product packaging and display advertising.

Researchers have already pointed out vulnerabilities in the implementation of NFC (Near Field Communications) on many smart phones, including mobile devices running Google’s Android operating system. In June, researcher Collin Mulliner of Technische Universitaet in Berlin, Germany, demonstrated a vulnerability on Nexus S Android phones that could be used to launch denial-of-service attacks.

As with the NFC attacks, QR attacks work mainly because users can’t easily vet the content stored in the tags before they are scanned. The data in QR tags – rendered in machine-readable bar codes – must be scanned to reveal the purpose of the tag. That, effectively, creates a ‘run first, ask questions later’ implementation that greatly benefits attackers, says Kaspersky Lab researcher Timothy Armstrong.

“This type of attack is only legit(imate) because in essence it’s a way of fooling people to visit a URL where they can’t necessarily see where they’re going,” he said.

Kaspersky Lab researchers have seen Web-based proof-of-concept attacks that use QR tags successfully against both iPhones and Android phones, Armstrong said.

In his proof of concept attack, Pereyra embedded the URL for an attack server, evilsite.dyndns(dot)org, in a QR tag he created using a free online tag creator. Mobile phones that scanned the tag would be redirected to that domain, from which attacks could be hosted, he said.
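The check a scanner app can run on a decoded tag before acting on it, as an added example that is not from the article or from Pereyra's post. The function name, the warning strings and the two short host lists are assumptions chosen for illustration, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative lists only (assumption): real scanners would use maintained feeds.
DYNAMIC_DNS_SUFFIXES = ("dyndns.org",)   # provider named in the article's PoC host
SHORTENER_HOSTS = {"bit.ly"}             # shortener mentioned in the discussion

def vet_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload without making any network request."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:                   # e.g. malformed IPv6 brackets
        return {"kind": "malformed", "host": None, "warnings": [], "action": "display-only"}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Plain text or tel:/sms:/etc.: show it, never act on it silently.
        kind = "other-scheme" if scheme else "text"
        return {"kind": kind, "host": None, "warnings": [], "action": "display-only"}
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if not host:
        warnings.append("no host in URL")
    if scheme == "http":
        warnings.append("unencrypted http")
    if parts.username or parts.password:
        warnings.append("userinfo before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host (possible look-alike)")
    if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        warnings.append("dynamic-DNS host")
    if host in SHORTENER_HOSTS:
        warnings.append("URL shortener hides final destination")
    # A URL is always shown to the user first; warnings only change the wording.
    action = "prompt-with-warning" if warnings else "prompt"
    return {"kind": "url", "host": host, "warnings": warnings, "action": action}

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would see them after decoding.
    for sample in ("http://constructed-sample.dyndns.org/win",
                   "https://bank.example@203.0.113.7/login",
                   "https://www.example.com/menu", "tel:+15550100"):
        result = vet_qr_payload(sample)
        print(sample, "->", result["host"], result["action"], result["warnings"])
```

The function only parses the string; it never resolves or fetches the URL, so it is safe to run on untrusted tags.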

The only other task would be putting the attack QR tags out in public in places where users might be tempted to scan them. Pereyra hypothesized that attackers could plaster neighborhoods with phony contest posters asking passersby to scan the QR code for a chance to win, or even manufacture QR stickers that could be applied on top of legitimate tags on already posted advertisements. Researchers in Austria have also developed methods for physically altering existing tags to change the data transmitted by them.

Security for contactless technology like QR tags and NFC transactions is a major area of concern, especially as mobile device makers, carriers and third party firms push ahead with a wide range of services that leverage smart phones as transaction terminals. The U.S., already a laggard in mobile transaction and smart card adoption, is stuck playing catch up in areas related to contactless devices, according to a recent conference to discuss RFID and other contactless transaction technologies.

Discussion

  • Rob on

    "This type of attack is only legit(imate) because in essence it's a way of fooling people to visit a URL where they can't necessarily see where they're going,"

    You mean like bit.ly and friends? It's not particularly new and things haven't really changed with simply making it graphical.

     

  • Anonymous on

    old news? http://isc.sans.edu/diary.html?storyid=11305

  • Anonymous on

    Woulda-coulda-shoulda

    An asteroid "could" destroy all life as we know it.

    Report when it happens not when some "researcher" has a brain cramp.

  • Paul Roberts on

    I think the diff between bit.ly and other URL shortening/obfuscation services is that the QR and RFC/RFID tags can be tied in with interactive advertisements/product packaging/posters, etc. It's not wholly different - but a new attack scenario that we're not that well defended against (yet.)

  • Anonymous on

    My Android phone QR scanner app always prompts with the resolved URL to force the user to decide on 1) launching the web page, 2) sending by SMS, or 3) sending by email. So what's the big deal if you can intercept this and evaluate before it happens?
