topic Re: Arrrre QR codes threats? in Threats

Are QR codes threats?

Caute_cautim — Mon, 09 Oct 2023 09:38:23 GMT

Hi All

Here is an interesting topic, everyone uses QR codes - can they be malicious?

https://threatpost.com/qr-codes-menu-security-concerns/159275/

Regards

Caute-cautim

Re: Arrrre QR codes threats?

rslade — Tue, 15 Sep 2020 21:51:22 GMT

Aye, matey, there be QR codes that can tear the VPN out of your firewall like a shark going after a bucket o' guts!

I've taken to posting my details in a QR code on the first slide of my presentations, as:

Oddly, when people find out I am a malware researcher, nobody actually scans the code ...

Re: Arrrre QR codes threats?

Caute_cautim — Tue, 15 Sep 2020 22:05:31 GMT

@rsladethey could be a little cautious - especially I wonder that COVID-19 code will take me when I register at a shop? Does your QR code take people's devices to /dev/null or to the Dark Web to an obscure place?

How can we verify a QR safely without compromise?

Are there tools available in portable mode, so one does not compromise oneself?

Regards

Caute_Cautim

Re: Are QR codes threats?

Radioteacher — Wed, 16 Sep 2020 01:24:02 GMT

The biggest issue I have seen with QR codes and for that matter link shorteners like bit.ly is that today they could go to a legitimate site and tomorrow they could point you to malware.

Be very careful....

Paul

Re: Are QR codes threats?

ericgeater — Wed, 16 Sep 2020 02:20:19 GMT

I read recently that you can add a + sign to the end of a bit.ly link, and it will preview the link safely.

https://bit.ly/1sNZMwL+, for example (and it should point to the Bitly Wikipedia article)

Can't say the same for QR codes, however...

Re: Are QR codes threats?

Caute_cautim — Wed, 05 Jan 2022 22:37:30 GMT

Hi All

This subject has come up previously, now they are being used to entice people to scan for their parking meters, what is next Vaccine passports?

https://www.bitdefender.com/blog/hotforsecurity/us-police-parking-meters-phishing-qr-codes

Regards

Caute_Cautim

Re: Are QR codes threats?

Caute_cautim — Fri, 14 Jan 2022 04:07:36 GMT

Hi All

Well time has caught up and now QR codes are used for verification purposes on COVID-19 vaccine passports and many other items these days. They are now being exploited, so perhaps some practical ways to identify whether it is safe or not to scan?

https://www.cnet.com/tech/services-and-software/qr-code-scams-are-on-the-rise-heres-how-to-avoid-getting-duped/?ServiceType=linked_in_page&ftag=COS-05-10aaa0d&UniqueID=16BCAA0C-7478-11EC-8344-1DF115F31EAE&PostType=link&TheTime=2022-01-13T13:52:46

I don't think we are going to avoid, this unless better means of verification and ensuring the QR Code is strictly limited and authorised via key management for instance and digital identity systems.

Regards

Caute_Cautim

Re: Are QR codes threats?

denbesten — Fri, 14 Jan 2022 20:38:44 GMT

No, the code itself is not a threat. However, the QR app on your phone may be.

I see little risk in *scanning* the code. Fundamentally, a QR code is just a text string with a funky encoding. I can read anything without dying (buffer overflows not withstanding).

The danger comes about when the QR app decides to automatically take action after the scan... be that interpreting the text as HTML, opening a URL in a browser or passing it off to the WiFi Settings page. Before doing anything with the "input", it needs to perform a series of validation checks (highlighting oddball/risky characters, checking cert authenticity, showing the text to the user, etc.), only if everything looks OK and after the user authorizes the action should the input be passed anywhere.

Also merchants need to earn the customer's trust by using URLs with official hostnames and clear/concise/meaningful arguments. For example:

Trustworthy: https://parking.austin.tx/payments?meter=78342
Questionable: https://payments-r-us.com/austin/78342
Not gonna do it: https://bit.ly/DeeFXR6t3

Re: Are QR codes threats?

Caute_cautim — Sat, 15 Jan 2022 05:31:08 GMT

@denbestenInteresting point of view - however the action of scanning the code, most people automatically assume it will take them to the destination expected. We are lulled into a false sense of security.

So it comes down to the developers again, with good SDLC with security & privacy by design principles?

Who verifies and checks the developers or as most assume it is secure and trusted - security awareness to the fore again? There is no legislation to support this approach, although USA is thinking about it.

Trust, but verify - but often these are rushed out the door by the requestor i.e. organisation, government etc.

Regards

Caute_Cautim

Re: Are QR codes threats?

denbesten — Sun, 16 Jan 2022 20:04:08 GMT

@Caute_cautim wrote:
... the action of scanning the code, most people automatically assume it will take them to the destination expected....

Agreed. Pretty much the same problem as "homonym" URLS (e.g. chase-bank.com instead of chase.com). The first defense may be slowing bad actors from doing bad things, but that is not enough.

As I see it, the next step is Linus' Law -- "Many eyes make all bugs shallow". Omnibar search helps because it is curated (even if just crowdsourced). As I type a URL, it continually guides me to the popular (and presumably correct) site. We need similar "3rd-party" feedback during the critical moments after scanning a QR.

Beyond that, we can take steps to protect creds from homonym sites. Password managers are a great defense because they use the URL to look up the creds. If the URL is in its database, they autofill*. Since a homonym is not in the DB, it does not autofill. This altered workflow hopefully triggers that oh-so-important spidey-sense.

* "autotype" is a bit generous. I do have to click the little shield and potentially unlock the manager.

Re: Are QR codes threats?

Caute_cautim — Mon, 17 Jan 2022 19:09:31 GMT

@denbestenI agree, however it appears there is great faith and face put behind QR codes both by the private sector and public sector.

A case in hand, New Zealand Vaccine Passport - issued centrally, fine, but guess what the PDF they issue is editable - dub..... So this opens it directly up for fraudulent practices and in fact fake passports are available for $10 per pot on the black market already.

Plus there is no means to verify that it is fake or real, unless the outlet insists on seeing a valid identity card or drivers license or passport.

Again, it comes down to the adage "Trust, but Verify", however some people have a tendency to violence, when cornered which puts off outlets from actually doing the right thing i.e. verifying.

Regards

Caute_Cautim

Re: Are QR codes threats?

ericgeater — Tue, 18 Jan 2022 15:11:41 GMT

I don't want to sound like "there's an app for that", but do any of you use apps which can sandbox or otherwise verify the safety of a URL? As far as myself, it's easy to avoid scanning a QR code. But I'm thinking about the average person, and whatever defenses they might use, given how widespread QR codes are.

Re: Are QR codes threats?

denbesten — Tue, 18 Jan 2022 18:23:12 GMT

Veering slightly from QR codes and into verification....

@Caute_cautim wrote:
the PDF they issue is editable

Yea, that is a bit messed up....

Plus there is no means to verify that it is fake or real

... or perhaps completely messed up.

Not being in (or near) NZ I do not know how their passport works. Does the QR simply regurgitate the text on the PDF or is it a link to download the original PDF from the issuer?

Sounds like there may be two problems.... verification of identity (e.g. showing the drivers license) and verification of authorization (ensuring it actually came from the issuer).

Forgery is always a problem when you let the subject man-in-the-middle you. The only real answer is some sort of out-of-band communications channel... either for the doc itself or for the the public key if digitally signing.

Re: Are QR codes threats?

denbesten — Tue, 18 Jan 2022 18:27:25 GMT

Like you I rarely scan QR codes. The android app I use is "Barcode Scanner" by XY Labs. I have had it on my phone "forever". After scanning, it displays the URL with an "open in browser" button (and a product search button if UPC).

Pros:

Prompts for next step after scanning.

Cons:

No risk analysis.

Last update 2019; my phone warns of Android 11 compatibility concerns.

The last "con" is enough for me to withhold my recommendation and to merely report what I have.

Re: Are QR codes threats?

Caute_cautim — Tue, 18 Jan 2022 20:16:45 GMT

@denbestenGood thoughts, it is worst than that a) the original source code is available via Github and b) the actual technical specification including the encryption technique used is available in public too.

The mind simply boggles open source vs protecting people - it feels like a we did so well, we would like to commercialise it and make some money at the same time moment.

It uses the international standards, but what was the point give the above.

Regards

Caute_Cautim

Re: Are QR codes threats?

Caute_cautim — Thu, 20 Jan 2022 20:05:55 GMT

Here is the latest update and warning from the FBI:

https://www.zdnet.com/article/fbi-warning-crooks-are-using-fake-qr-codes-to-steal-your-passwords-and-money/?ftag=TRE49e8aa0&bhid=%7B%24external_id%7D&mid=%7B%24MESSAGE_ID%7D&cid=%7B%24contact_id%7D&eh=%7B%24CF_emailHash%7D

Regards

Caute_Cautim

Re: Are QR codes threats?

Caute_cautim — Thu, 27 Jan 2022 22:32:32 GMT

Hi All

It has been proven you can create games and programs within QR Codes by using the largest format i.e. 3 Kilobytes with compression techniques applied.

This is fully demonstrated in the demonstration at the link provided below:

https://tinyurl.com/4ey9wzsp

A lot of developers and standards suddenly need to be adjusted.

So how quickly will industry respond to this through encryption or other controls?

Regards

Caute_Cautim