In my last blog post I talked about the merits of QR codes and their use in forensics. I’m going to talk about the risks of QR codes now, as with everything, there are always issues with new technology. There are three main risks with QR codes:
- The QR code may point to a malicious URL.
- The QR code may be used to exploit flaws in the application used interpret the QR code’s data.
- The QR code may exploit the QR code reader application.
The first risk is no more dangerous in theory than clicking a link in a web browser that is malicious. However as the URL is inherently encoded into the QR code; you don’t know what you are opening. I would argue that (most?) PC & laptop users would be deterred from clicking a link that claimed to be something, but the underlying URL from the hover-over text provided by the browser was something else. This however is harder on mobiles and tablets, as there isn’t really a way to show what the link is actually pointing with a touch screen, so the risk here is on a par with regular mobile browsing.
QR code data that is associated with a particular application (e.g. browser, smart phone App store or particular App) can be coded to try and exploit that particular application. And finally, QR codes can try and exploit the QR code reader itself. If the reader is badly designed it can have privileged access on the smart phone, such as use of the camera, GPS, read/write of local storage and make system changes. This type of attack is called attagging, a portmanteau of attack and tagging. A great example is of how an Android can be compromised using Metasploit.
As with most things, if the QR code is on an official advert or printed in a newspaper, then it’s likely to be ok, as you’d think that the publishers and editors would check (although sometimes that goes very wrong…). Make sure that your App does not have privileges it shouldn’t have and download it from the official App stores, and don’t go scanning any old code!