Check Point: Quick Response, Quick Risk?
February 2012 by Check Point
QR codes are intended to help direct users quickly and easily to information about products and services, but are also starting to be used for social engineering exploits. Check Point looks at the emergence of QR scan scams and the rising concern for users today.
You don’t have to look far these days to spot a QR code. From their humble beginnings in labelling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.
QR codes are a jumping-off point from the offline to the online world. By simply scanning the code with your smartphone, people can quickly access the digital content triggered by the code – making them a marketer’s dream because they make it easy to direct users toward information and services. What’s more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.
However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware. While the concept of ‘drive-by downloads’ is already well established as a stealthy tactic for stealing user data when web browsing, QR codes offer a new method for manipulating mobile users in a similar way.
A matter of trust
The issue with QR codes is that it forces users to trust the integrity of the code’s provider, and assume that the destination it leads to is legitimate. This is almost impossible for individuals to gauge, because the QR code actually conceals the site and content it leads to. While social engineering exploits have evolved from the email worms of the early 2000s, they still rely on human curiosity to see what might happen, when users click on an attachment, or a QR code is scanned, can often leading to security problems.
Furthermore, QR code-scanning applications running on smartphones can provide a direct link to other smartphone capabilities, such as email, SMS, location based services and application installations – further extending the potential risks to mobile devices. Let’s look at how a potential QR code-based exploit could be mounted, and then at how to defend against it.
The first step in mounting a QR exploit is to distribute the code itself, to get it in front of potential victims. This could happen by embedding the QR code in an email – making it an elaborate phishing exploit – or by distributing plausible-looking physical documents with QR code on them, for example flyers at a trade show, or even stickers applied to genuine advertisement billboards.
Once the QR code is distributed, then the attacker has a multitude of scam options to choose from. At a basic level, the code could simply redirect users to fake websites for phishing purposes – such as a fake online store or a payment site.
More sophisticated exploits involve hackers using the QR code to direct users to websites that will ‘jailbreak’ their mobile device – that is, allow root access to the device’s operating system and install malware. This is essentially a drive-by download attack on the device, enabling additional software or applications, such as key loggers and GPS trackers, to be installed without the user’s knowledge or permission.
Targeting the mobile wallet
Perhaps the biggest potential risk to users is the rising use of mobile banking and payments via smartphones. With the ability of QR codes to jailbreak devices and tap into applications, this could give hackers virtual pick-pocket access to mobile wallets, especially as QR-based payment solutions already exist and are in use. While uptake of these is currently small, it will grow as public acceptance of QR codes increases.
So what can organisations and individual users do to mitigate risks from QR codes? The most important precaution is being able to establish exactly what link or resource the QR code is going to launch when it is scanned. Some (not all) QR scanning applications give this visibility and – critically – ask the user to confirm if they wish to take the action. This gives the opportunity for users to assess the link’s validity before the code is activated.
For corporate smartphones, consider deploying data encryption so that even if a malicious QR code manages to install a Trojan on the device, sensitive data is still protected and not immediately accessible or usable by hackers.
In conclusion, the risks presented by QR codes are really a new spin on well-established hacking tricks and exploits. The security basics still apply – be cautious about what you scan, and use data encryption where possible. Or put simply: look before the QR leap.