
Introduction
During my graduate studies, I researched QR codes and their many benefits, as well as created malicious QR codes that navigate to credential-stealing websites, just as an example. While we all hate QR codes at a restaurant instead of a menu, they have many uses, such as making signing into a streaming service easier by not having to type in the IP address. I often do not see many security forums talk about QR codes, so I figured I would share a few lessons I have learned.
Quick Response (QR) codes have revolutionized how we interact with information in both personal and professional contexts; they offer a convenient method for accessing websites, facilitating payments, and streamlining various processes. However, as many of us know, navigating to a random website without knowing anything about the destination can lead to unfortunate situations, and QR codes have made this a real problem. QR codes’ widespread use also introduces significant security concerns, with little available to defend against them. This post delves into the nature of QR codes, their history, recent advances, diverse applications, and associated risks, including best practices for secure use.
What is a QR Code?
A Quick Response (QR) code is a type of matrix barcode that encodes data in both horizontal and vertical dimensions. Developed by Denso Wave in 1994 for the automotive industry, QR codes can store a variety of data types and are read by devices with cameras and QR code reading software; this two-dimensional encoding allows QR codes to hold more information compared to traditional barcodes, making them highly versatile.
History of QR Codes
Origins and Early Development
The concept of QR codes was developed by Masahiro Hara and his team at Denso Wave to streamline inventory management in the automotive industry. Traditional barcodes, limited to linear data storage and alignment requirements, were inadequate for the growing data needs of manufacturing processes.
Expansion and Adoption
In the late 1990s and early 2000s, QR codes began to be adopted beyond automotive applications. Their capacity to store more data and their ability to be scanned from any angle led to widespread use in advertising, retail, and logistics. The proliferation of smartphones with built-in cameras further accelerated the adoption of QR codes.
Global Integration
By the early 2010s, QR codes had become a global phenomenon, used in various sectors including marketing, consumer goods, and healthcare. Their integration into mobile devices and increasing visibility in everyday life solidified their role in digital and physical interactions.
Recent Advances and Updates of QR Codes
Enhanced Data Capacity
Recent advancements have significantly increased QR codes’ data capacity. New versions like Micro QR codes and iQR codes offer more compact designs and greater storage capabilities, accommodating more complex information.
Dynamic QR Codes
Dynamic QR codes allow for changes in the encoded information after the code has been distributed. This feature is particularly useful for marketing and promotional purposes, enabling updates to content without needing to generate new codes.
Increased Security Features
Modern QR codes incorporate enhanced security features such as encryption and authentication mechanisms. Secure links and advanced QR code readers help detect and prevent interactions with potentially malicious codes.
Integration with Augmented Reality
Recent developments have integrated QR codes with augmented reality (AR) technologies. This allows QR codes to trigger interactive AR experiences, such as virtual product demos or immersive content, enhancing user engagement.
Uses of QR Codes
1. Marketing and Advertising
QR codes bridge offline and online content by providing direct access to websites, promotions, or product information. They are used on print advertisements, product packaging, and billboards to engage consumers and provide additional content.
2. Payments and Transactions
QR codes simplify mobile payments by enabling quick and secure transactions. Services like PayPal and Venmo use QR codes to facilitate fund transfers and payments, enhancing convenience for users.
3. Event Management
Event organizers use QR codes for ticketing and access control. Scanning a QR code at an event can verify entry and provide access to event-related information and features.
4. Healthcare
In healthcare, QR codes improve patient management and administrative efficiency. They can be used on patient wristbands to provide quick access to medical history and other vital information.
5. Product Authentication
QR codes are used to verify the authenticity of products. By scanning a code on a product, consumers can confirm its origin and authenticity, helping to combat counterfeiting.
Potential Areas of Misuse and Abuse
1. Phishing Attacks
QR codes can be exploited for phishing by directing users to fake websites designed to steal personal information or login credentials. This is particularly effective due to the inherent trust users place in QR codes.
2. Malware Distribution
Malicious QR codes can lead to downloads of malware by embedding links to infected files or websites. This poses a significant risk as it can compromise devices and personal data.
3. Data Leakage
QR codes that store sensitive data, if not properly secured, can lead to data breaches. For example, a QR code containing passwords or account details could be intercepted by unauthorized individuals.
4. Physical Tampering
Attackers can physically tamper with QR codes by replacing legitimate codes with malicious ones. This type of attack is particularly concerning in high-traffic or high-visibility areas.
How Cybercriminals Use QR Codes
Phishing Scams
Cybercriminals use QR codes to conduct phishing attacks by leading users to fraudulent websites designed to capture personal information or login credentials. This method exploits the general trust users have in QR codes.
Malware Distribution
QR codes can distribute malware by linking to malicious software or websites. Scanning such codes can lead to downloads that infect devices, posing a threat to both data and system security.
Credential Theft
Fake QR codes can redirect users to counterfeit login pages that mimic legitimate services. Entering credentials on these pages can result in theft of sensitive information.
Data Harvesting
Malicious QR codes can direct users to forms that collect personal data under false pretenses. This harvested information can be used for identity theft or other fraudulent activities.
Best Practices for Secure QR Code Use
Verify QR Code Source
Ensure the QR code is from a trusted source before scanning. Be especially cautious with codes found in public places or received through unsolicited messages.
Use Security Software
Employ security software with QR code scanning capabilities to detect and block malicious codes. Many antivirus and mobile security apps offer features to protect against QR code threats.
Educate and Train Users
Educate users about the risks associated with QR codes and promote awareness of safe scanning practices. Training can help users recognize and avoid potential threats.
Monitor and Analyze QR Code Activity
For businesses, monitoring QR code usage can help identify unusual or suspicious activity. Implementing analytics can provide insights into potential misuse or security issues.
Implement Secure Design Practices
When creating QR codes, use secure URL protocols and avoid embedding sensitive data directly in the code. Consider encryption and access controls to protect the information conveyed by QR codes.
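The "Verify QR Code Source" and "Implement Secure Design Practices" points above can be enforced in software on a managed scanner or mail gateway. The following is an added example, not part of the original post: it checks a string already decoded from a QR code against an organization allowlist. The host names, the allowlist, and the policy of refusing non-web payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only hosts the organisation publishes QR codes for (placeholders).
ALLOWED_HOSTS = {"abcmedical.example", "timetrack.abcmedical.example"}

def check_qr_payload(payload, allowed_hosts=ALLOWED_HOSTS):
    """Return (verdict, reasons) for a string decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "block", ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Hypothetical policy: Wi-Fi, tel:, sms: and similar payloads are not opened.
        return "block", [f"non-web payload type: {scheme or 'none'}"]
    reasons = []
    if scheme != "https":
        reasons.append("not HTTPS")
    if parts.username or parts.password:
        reasons.append("userinfo before '@' disguises the real host")
    if port not in (None, 443):
        reasons.append(f"unusual port {port}")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal instead of a hostname")
    except ValueError:
        pass  # not an IP address, which is what we want
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalised host, possible look-alike")
    # Exact match or a true subdomain only; substring and prefix checks are bypassable.
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        reasons.append(f"host '{host}' is not on the allowlist")
    return ("block" if reasons else "allow"), reasons

# Constructed sample payloads, not taken from any real campaign.
SAMPLES = [
    "https://timetrack.abcmedical.example/reset",
    "http://timetrack.abcmedical.example/reset",
    "https://timetrack.abcmedical.example.login.test/reset",
    "https://abcmedical.example@login.test/sso",
    "https://203.0.113.7/sso",
    "WIFI:S:Guest;T:nopass;;",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_qr_payload(sample), sample)
```

Only the first sample is allowed; the third and fourth show why the host comparison has to be an exact or true-subdomain match on the parsed host rather than a substring search of the raw text.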
QR Code Attack Example
If we take everything we have learned in this post, what would a QR code attack look like? Well, I will take some creative freedom here, but let’s give it a try!
So, in this educational scenario, our target is a healthcare organization (ABC Medical) that has hired us to perform some intrusion tests on their systems. At this stage of the project, we have found that their protocols and policies are so well orchestrated that we could not penetrate them (I know this is never the case, but just bear with me). Having exhausted all other options, we are walking towards our meeting to inform the client that their security stack is perfect when we see a flyer on the wall with information on an upcoming time-tracking software update that requires users to change their passwords to something longer and more complicated; this task is made simpler by a QR code that sends the user to the specific site that asks for the user’s SSO Google login credentials. This moment is crucial to this project, as we just saw a potentially unguarded path to this client’s systems.
So, with any hack, information is king. Proper information gathering and reconnaissance should be performed against the client’s organization, collecting any public-facing data we can find (including employee social media accounts). Then, with a little social engineering, we can fabricate a story to gain access to the building past, say, the receptionist at the front desk, Linda, who has a wedding coming up and loves her dog (easily found via social media). A quick stop at the flower shop will allow me to bring a bouquet to Linda, gaining an initial talking point and breaking the ice. That would then lead into the story of how Bob in accounting asked me to bring him my dog’s unused ointment cream for his dog’s injured feet, which would hopefully allow me to at least get close enough to the wall with the QR code flyer to replace it with one of our own crafting.
The replacement QR code flyer will have a custom QR code generated on it (using many of the free websites out there). For example, the following QR code was generated for ABC Medical; the link no longer sends to ABC Medical’s time-tracking site, and instead, I included my website’s address. While this is a hastily crafted quick example, the actual version would mimic the original’s layout, including ABC Medical’s logos and such. The QR code will now send users to a fraudulent site that looks similar to the time-tracking app’s landing page and will immediately ask for the user’s Google SSO login, which, when entered, would be stored for our own use. As the user is the one asking for the sign-in, they should approve any MFA prompt, but if not, we could set up a false MFA prompt asking for the MFA number, then use that when we attempt to log in with the user’s now-extracted login information.

So, if we succeeded in replacing the QR code flyer with our own, all we need to do now is wait for someone to copy the QR code and input their credentials into the fraudulent SSO login; after this, we can use this data to access some systems in ABC Medical and hopefully use that access to reach someone with admin credentials. This attack can be quite effective, as many policies won’t protect against it, such as country or IP restrictions (the sign-in will be from within their actual building while the user is connected to ABC Medical’s Wi-Fi). At this stage, we can now go back to our client and recommend security improvements such as either restricting or placing policies on the use of QR codes (such as using a company-wide style, code, or other identifying aspect), enhanced Wi-Fi protocols (if the fraudulent site didn’t use HTTPS, for example), and other tips.
It is important to note why this attack would be rather hard to prevent. As most of the intrusion part relies on social engineering and the human element, we can pretty much bypass much of the security stack of ABC Medical and instead target the weakest link of the chain of cybersecurity (users). Also, the QR code will not look fraudulent on the flyer, as the IP address and such aren’t shown, nor is the security status of that site (HTTPS). The only way for that user to tell if that QR code is malicious is by navigating to it, and by then, the damage could have already been done (not in our case, but just as an example). The attack will also not appear to be one, as we gathered data on an already-existing QR code flyer, so the user shouldn’t be surprised by having to sign into anything, and due to the planned upgrade of this software (which the flyer mentions), any security pop-ups while we are attempting to maliciously gain access to the user’s account should be more likely to be ignored.
Conclusion
QR codes have transformed many aspects of modern life by providing an efficient means of accessing and interacting with information; while their benefits are substantial, the associated security risks require vigilance. Understanding the history, recent advancements, and potential misuse of QR codes is crucial for mitigating security threats. By following best practices and staying informed about emerging threats, individuals and organizations can effectively harness the advantages of QR codes while minimizing risks.
QR codes, and their misuse, should be a part of every admin’s knowledgebase, as it is often the small, overlooked attack vectors that are what cybercriminals require, including Susan in HR’s inability to recognize that she didn’t win a lottery online, especially since she never signed up for it.