Caute_cautim
Community Champion

Are QR codes threats?

Hi All

 

Here is an interesting topic: everyone uses QR codes, but can they be malicious?

 

https://threatpost.com/qr-codes-menu-security-concerns/159275/

 

Regards

 

Caute-cautim

16 Replies
Caute_cautim
Community Champion

@denbesten I agree; however, it appears there is great faith and face put behind QR codes by both the private sector and the public sector.

 

A case in point: the New Zealand Vaccine Passport. Issued centrally, fine, but guess what, the PDF they issue is editable... So this opens it directly up to fraudulent practices, and in fact fake passports are available for $10 per pop on the black market already.

 

Plus there is no means to verify whether it is fake or real, unless the outlet insists on seeing a valid identity card, driver's license or passport.

 

Again, it comes down to the adage "trust, but verify"; however, some people have a tendency to violence when cornered, which puts outlets off actually doing the right thing, i.e. verifying.

 

Regards

 

Caute_Cautim

ericgeater
Community Champion

I don't want to sound like "there's an app for that", but do any of you use apps which can sandbox or otherwise verify the safety of a URL? As for myself, it's easy to avoid scanning a QR code. But I'm thinking about the average person, and whatever defenses they might use, given how widespread QR codes are.

-----------
A claim is as good as its veracity.
denbesten
Community Champion

Veering slightly from QR codes and into verification....

 


@Caute_cautim wrote:

the PDF they issue is editable


Yea, that is a bit messed up.... 

 

Plus there is no means to verify that it is fake or real


... or perhaps completely messed up.

 

Not being in (or near) NZ I do not know how their passport works. Does the QR simply regurgitate the text on the PDF or is it a link to download the original PDF from the issuer? 

 

Sounds like there may be two problems.... verification of identity (e.g. showing the drivers license) and verification of authorization (ensuring it actually came from the issuer).

 

Forgery is always a problem when you let the subject man-in-the-middle you. The only real answer is some sort of out-of-band communications channel... either for the doc itself or for the public key if digitally signing.
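
What the "out-of-band public key" answer above buys you, as an added example in Go (not code from this thread, and not the real NZ pass format, which is a CBOR Web Token with a different signature scheme and publishes its keys via a DID document; this is a simplified JSON-plus-Ed25519 stand-in that keeps only the property under discussion). The issuer identifier, the claims and the fixed-seed keys are constructed for the demo:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Pass is the claim set the issuer commits to with its signature.
type Pass struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	DOB     string `json:"dob"`
	Expiry  string `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Issue builds the text an issuer would encode into the QR code:
// base64url(JSON claims) "." base64url(Ed25519 signature over those bytes).
func Issue(priv ed25519.PrivateKey, p Pass) (string, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body)), nil
}

// Verify checks a scanned payload against the issuer key the verifier obtained
// out of band (pinned in the app, never taken from the QR code itself). The
// signature is checked before the claims are parsed, so nothing in an
// unverified payload gets to influence the decision.
func Verify(trusted ed25519.PublicKey, qr string) (Pass, error) {
	parts := strings.Split(qr, ".")
	if len(parts) != 2 {
		return Pass{}, errors.New("malformed payload")
	}
	body, err := b64.DecodeString(parts[0])
	if err != nil {
		return Pass{}, err
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil {
		return Pass{}, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(trusted, body, sig) {
		return Pass{}, errors.New("signature does not verify under the trusted issuer key")
	}
	var p Pass
	err = json.Unmarshal(body, &p)
	return p, err
}

// Outcome is what the verifier concludes about three payloads.
type Outcome struct {
	GenuineOK  bool   // issued under the trusted key and untouched
	TamperedOK bool   // the same payload with the DOB edited after signing
	ForgedOK   bool   // the same claims freshly signed by an untrusted key
	Subject    string // subject recovered from the genuine payload
}

// Demo runs the three cases with fixed-seed demo keys (real keys come from a
// CSPRNG or an HSM). The attacker key stands in for anyone who has the public
// format and source code but not the issuer's private key.
func Demo() Outcome {
	issuerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	trusted := issuerPriv.Public().(ed25519.PublicKey) // what the verifier app pins

	// Constructed sample claims; the issuer identifier is illustrative.
	claims := Pass{Issuer: "did:web:issuer.example", Subject: "Jane Citizen", DOB: "1980-01-02", Expiry: "2022-06-01"}
	genuine, _ := Issue(issuerPriv, claims) // Marshal of a string-only struct cannot fail

	// Editing the issued document: change a claim, keep the original signature.
	edited := claims
	edited.DOB = "2001-01-02"
	editedBody, _ := json.Marshal(edited)
	tampered := b64.EncodeToString(editedBody) + "." + strings.Split(genuine, ".")[1]

	// Copying the public format: sign the same claims with your own key.
	forged, _ := Issue(attackerPriv, claims)
	var out Outcome
	p, err := Verify(trusted, genuine)
	out.GenuineOK, out.Subject = err == nil, p.Subject
	_, err = Verify(trusted, tampered)
	out.TamperedOK = err == nil
	_, err = Verify(trusted, forged)
	out.ForgedOK = err == nil
	return out
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Only the genuine payload verifies. The tampered case is the editable-PDF problem from earlier in the thread: changing a claim on the document does not change the signature, so the check fails. The forged case is why publishing the format and source code costs nothing on its own: the verifier's trust anchor is the pinned public key, and an attacker who signs with their own key fails against it. A verifier that instead trusted a key embedded in the QR payload would accept the forged pass, which is the man-in-the-middle point made above.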

denbesten
Community Champion

Like you, I rarely scan QR codes. The Android app I use is "Barcode Scanner" by XY Labs. I have had it on my phone "forever". After scanning, it displays the URL with an "open in browser" button (and a product search button if UPC).

 

Pros:

    Prompts for next step after scanning.

 

Cons:

    No risk analysis.

    Last update 2019; my phone warns of Android 11 compatibility concerns.

 

The last "con" is enough for me to withhold my recommendation and to merely report what I have.
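
The kind of "risk analysis" the post above says the app does not do, as an added example in Go (not code from this thread or from the Barcode Scanner app). It takes the raw text a scanner decoded and returns the reasons a user should look twice before tapping "open". The shortener list and all sample payloads are constructed for illustration:

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Finding is one reason to look twice at a decoded QR payload before acting on it.
type Finding string

// shorteners is a constructed, illustrative list of redirect services that hide
// the final destination; a real deployment would maintain its own.
var shorteners = map[string]bool{
	"bit.ly": true, "tinyurl.com": true, "t.co": true, "goo.gl": true, "ow.ly": true,
}

// actionPrefixes are QR payload types that make the phone do something other than
// open a browser: join a Wi-Fi network, dial, send an SMS or e-mail.
var actionPrefixes = []string{"wifi:", "tel:", "sms:", "smsto:", "mailto:", "geo:"}

// Assess returns findings for the raw text a scanner decoded. No findings means
// nothing obviously suspicious, not that the destination is safe.
func Assess(payload string) []Finding {
	var f []Finding
	raw := strings.TrimSpace(payload)
	lower := strings.ToLower(raw)
	for _, p := range actionPrefixes {
		if strings.HasPrefix(lower, p) {
			return append(f, Finding("device action payload ("+strings.TrimSuffix(p, ":")+"): confirm before the phone acts on it"))
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return append(f, Finding("unparseable: treat as text, do not open ("+err.Error()+")"))
	}
	switch u.Scheme {
	case "https":
	case "http":
		f = append(f, "plain http: destination and content can be altered in transit")
	default:
		// javascript:, data:, intent:, file: and friends are never legitimate in a printed code.
		return append(f, Finding("unexpected scheme \""+u.Scheme+"\": refuse to open"))
	}
	if u.Host == "" {
		return append(f, "no host: not a usable web address")
	}
	if u.User != nil {
		f = append(f, "userinfo before '@': the real host is what follows the '@'")
	}
	host := strings.ToLower(u.Hostname())
	if net.ParseIP(host) != nil {
		f = append(f, "IP-literal host: no domain name to judge, uncommon for a legitimate public site")
	}
	if strings.Contains(host, "xn--") {
		f = append(f, "punycode (IDN) host: check for look-alike characters")
	}
	if shorteners[host] {
		f = append(f, "URL shortener: the final destination is hidden until you follow it")
	}
	if p := u.Port(); p != "" && p != "80" && p != "443" {
		f = append(f, Finding("non-standard port "+p))
	}
	if strings.Count(host, ".") >= 4 {
		f = append(f, "many subdomain levels: a familiar brand may be a decoy prefix on an unrelated domain")
	}
	return f
}

// Risky is the yes/no a scanner would use to show a warning instead of an "open" button.
func Risky(payload string) bool { return len(Assess(payload)) > 0 }

func main() {
	// Constructed sample payloads, as a scanner app would decode them.
	samples := []string{
		"https://bank.example/login",
		"http://bit.ly/3abc",
		"https://paypal.com@198.51.100.7:8443/verify",
		"https://secure.login.paypal.com.evil.example/",
		"javascript:alert(1)",
		"WIFI:T:WPA;S:CafeGuest;P:hunter2;;",
	}
	for _, s := range samples {
		fmt.Println(s)
		for _, fd := range Assess(s) {
			fmt.Println("  -", fd)
		}
	}
}
```

None of these checks needs network access or a reputation feed, which is why they fit in the "prompt for next step" moment the app already has. They are heuristics: a clean result only says the URL has none of the obvious tells, and a flagged result is a reason to read the host carefully, not proof of malice.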

 

Caute_cautim
Community Champion

@denbesten Good thoughts; it is worse than that: a) the original source code is available via GitHub, and b) the actual technical specification, including the encryption technique used, is publicly available too.

 

The mind simply boggles: open source vs protecting people. It feels like a "we did so well, we would like to commercialise it and make some money at the same time" moment.

 

It uses the international standards, but what was the point, given the above?

 

Regards

 

Caute_Cautim

Caute_cautim
Community Champion

Here is the latest update and warning from the FBI:

 

https://www.zdnet.com/article/fbi-warning-crooks-are-using-fake-qr-codes-to-steal-your-passwords-and...

 

Regards

 

Caute_Cautim

Caute_cautim
Community Champion

Hi All

 

It has been proven that you can create games and programs within QR codes by using the largest format, i.e. 3 kilobytes, with compression techniques applied.

 

This is fully demonstrated at the link provided below:

 

https://tinyurl.com/4ey9wzsp

 

A lot of developers and standards suddenly need to be adjusted. 

 

So how quickly will industry respond to this through encryption or other controls?

 

Regards

 

Caute_Cautim