QR tags have become the next big thing in interactive marketing. But as smart phone users flock to the trendy, postage-stamp sized bar codes, researchers are warning that they could be used to hijack mobile phones by directing them to malicious Web pages.
In a post on the mobile security blog Kaotic Neutral on Saturday, researcher Augusto Pereyra demonstrated a practical attack that would link a malicious QR tag to an Internet based attack server running an instance of the Metasploit penetration testing. Similar attacks could be used to push malicious programs to vulnerable mobile devices that scan the QR tag, he said.
As mobile devices become a sought after conduit for advertisers, there’s increasing concern about physical world attacks using interactive displays and advertising that could push malicious programs to smart phones. QR – or “Quick Response” – barcodes were first developed by a Toyota subsidiary to streamline supply chain activities, but have since been adopted outside the auto industry because they can easily store and convey large amounts of data and be deployed anywhere that bar codes can be, including product packaging and display advertising.
Researchers have already pointed out vulnerabilities in the implementation of NFC (Near Field Communications) on many smart phones, including mobile devices running Google’s Android operating system. In June, researcher Collin Mulliner of Technische Universitaet in Berlin, Germany, demonstrated a denial of service vulnerability on Nexus S version Android phones that could be used to launch denial of service attacks.
As with the NFC attacks, QR attacks work mainly because users can’t easily vet the content stored in the tags before they are scanned. The data in QR tags – rendered in machine-readable bar codes – must be scanned to reveal the purpose of the tag. That, effectively, creates a ‘run first, ask questions later’ implementation that greatly benefits attackers, says Kaspersky Lab researcher Timothy Armstrong.
“This type of attack is only legit(imate) because in essence it’s a way of fooling people to visit a URL where they can’t necessarily see where they’re going,” he said.
Kaspersky Lab researchers have seen Web based proof of concept attacks that use QR tags successfully against both iPhones and Android phones, Armstrong said.
In his proof of concept attack, Pereyra embedded the URL for an attack server, evilsite.dyndns(dot)org, in a QR tag he created using a free online tag creator. Mobile phones that scanned the tag would be redirected to that domain, from which attacks could be hosted, he said.
The only other task would be putting the attack QR tags out in public in places where users might be tempted to scan them. Pereyra hypothesized that attackers could plaster neighborhoods with phony contest posters asking passersby to scan the QR code for a chance to win, or even manufacture QR stickers that could be applied on top of legitimate tags on already posted advertisements. Researchers in Austria have also developed methods for physically altering existing tags to alter the data transmitted by them. (PDF)
Security for contactless technology like QR tags and NFC transactions is a major area of concern, especially as mobile device makers, carriers and third party firms push ahead with a wide range of services that leverage smart phones as transaction terminals. The U.S., already a laggard in mobile transaction and smart card adoption, is stuck playing catch up in areas related to conctactless devices, according to a recent conference to discuss RFID and other contactless transaction technologies.