How QR codes caught out the security pros
Posted on 17 Dec 2012 at 11:20
Davey Winder reveals how even experienced security professionals can be snared by rogue QR codes
I recently warned about the hidden security threat posed by QR codes, those giant barcodes used for marketing just about everything these days. I’ve seen them in magazines, on posters and even a giant one on the back of a bus, although I’m still unsure how anyone was meant to scan that. Yet scan them people do, sometimes with the promise of a free something-or-other, but more often than not without any promise of anything (and that includes what web page you’ll end up on).
As I warned in that feature: "QR codes present one of the biggest hidden security threats, precisely because genuine marketing campaigns rely upon the curiosity factor to get consumers to scan them; don’t think for a moment that the bad guys have failed to notice this."
I adopt a simple solution to the QR conundrum by just saying no
Now you might think that such advice wouldn’t be required for those working within the IT industry, who tend to be a bit more security savvy than your average user, and certainly not for those whose particular niche within the industry is information security itself. Well think again, if the results of a little experiment perpetrated by GreenSQL founder David Maman are anything to go by.
During the course of a three-day security conference in London recently, a poster on the wall of the hall featured the logo of a well-known security vendor, the words "Just scan to win an iPad" and a QR code. That poster had been created and stuck there by David, but neither the organisers of the event, nor the security vendor whose logo was featured, bothered to ask what it was doing there or request that it be taken down.
Some 445 people did scan the QR code and browsed the page that it linked to. At this point it’s worth a reminder that this was a conference for IT security professionals. All they actually got when they scanned that QR code was a web page featuring a smiley face, but it could have been a piece of malware, or one of a multitude of poisoned URL attacks.
The scanning was perpetrated via a variety of smartphones and tablets, and as we all know, most people don’t believe that such devices require any kind of antivirus or URL filtering to protect them. Even the usual advice of "don’t scan it unless it comes from a reliable source" wouldn’t help in this case, because it appeared to come from an impeccable source, and bad guys won’t shrink from pretending to be good guys if it will get you to click a link or scan a barcode.
Personally, I adopt a simple solution to the QR conundrum by just saying no. After all, they usually just point to more marketing junk that you can do without...
We use them at work a lot - we provide logistic solutions for large companies; which is what Toyota/Denso developed the codes for in the first place.
The hand scanners scan directly into a database program, so no chance of getting to an infected site - unless they manage to find a 0-day flaw in SAP to allow it to open a browser...
But on my smartphone, I think I have clicked on 1 link to see how it worked - and looked at the preview before opening. Generally I treat them as if they have a nasty disease.
I use NoScript and FlashBlock on the desktop and don't use a mobile browser unless I have no other choice.
By big_D on 18 Dec 2012
not sure how these can be scanned by my HTC Desire HD
By JoFrances on 20 Dec 2012
a barcode scanner. There are several in the Play Store. I have a simple one simply called "Barcode Scanner".
It scans the QR-Code and then displays the string and asks what you want to do with it (send it to someone else, open it in a web browser etc.
By big_D on 21 Dec 2012
If you are avoiding QR codes on security grounds that you can't see where it goes, for the same reason, should you not also avoid all URL shortening services?
By jbarnett on 26 Dec 2012
Yes. Both are dangerous and cannot be trusted.
I tend to avoid them as much as possible and when I "must" follow a link, it is generally with a script blocker running.
By big_D on 27 Dec 2012
take a look at the qr code maker,
By Forceil on 21 Mar 2013
take a look at the qr code generator, http://www.avapose.com/dotnet_barcode/qrcode_gener
By Forceil on 21 Mar 2013
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
- How to sell more ebooks on Amazon
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Apple Watch, iPhone 6 and 6 Plus: Tim Cook's Apple back with a bang?
- BT Home Hub 5: how to get maximum speed
- 20 years of PC Pro: one-star reviews (including "the worst tablet we've ever seen")
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- Toshiba beats retreat from consumer PC market
- Ellison steps down: but who's really running Oracle now?
- Microsoft set to make more job cuts
- Is Peter Pan panto tickets email genuine? Oh no, it isn't
- Intel triples Xeon E5 chip performance, adds DDR4
- Patch Tuesday targets critical IE flaw
- Microsoft refuses to hand over customer emails
- Microsoft yanks Windows 8.1 update after crash reports
- Microsoft backtracks on blocking out-of-date Java
- Gartner: time to start planning your Windows 7 upgrade