Sunday, May 20, 2012

Danger in the proliferation of QR Codes


You might have noticed more and more of these graphics popping up everywhere from your packages you receive in the mail, to the backs of toys, games, electronics, consumables, and even on billboards and ads throughout our societies around the world. They're everywhere and without the proper software you can't tell what they say until they've been decoded. QR codes are a relatively new way to encode information usually for mobile devices, so the lazy masses can open a URL without having to type anything (it's one of the little things we're doing for the kids so their lives aren't as complicated as ours).

This could have been a virus.

This one specifically (above) is a QR code that I created with the website at qrcode.kaywa.com that says "This could have been a virus." And that would be correct. It could have been a virus, a link to a Trojan, or a link to who knows what, and in the wrong place at the wrong time, it could cause a lot of trouble. Let's say it's to an illegal website and you're on your network at work, and you open a webpage with one of your devices that you have been authorized to use on the company network. It could cost you your job. You could open a backdoor to your corporate network. If it's placed for you specifically to open, you could give someone your physical location(stalker) or information unknowingly. (Think forms that auto-complete and use AJAX - an acronym for Asynchronous JavaScript and XML for processing)... by the time it opens whoops, it's too late.

The problem is, because your phone, ipad, etc, can open a URL or a bit of code under the assumption it's something else, the codes can't always be trusted. See the graphic itself is harmless. It's just a high contrast collection of squares in a pattern that tell the decoding software which characters are meant to be represented when the code is translated. The problem comes back to people. A malicious individual could place a link to a website with a specially crafted payload or better yet a script that qualifies a device, then delivers a specially crafted payload to the device to take over the device, to steal information, or to simply implant something for the sake of tracking on the device (such as a cookie). This can all happen super fast and then the site can redirect you back to another site. It says flowers.com, I ended up on flowers.com, but what really happened in-between? In actuality the in-between part is commonly referred to as an XSS attack (Cross-Site Scripting) where one website is used to exploit the visitors of another.

So take it from someone with a devious curiosity when it comes to technology. The next time you see one of these things on a package or somewhere in the wild, before you scan it, think about what it is you think you're getting and whether the risk is worth it. If it's on a toy, you're probably okay, they're just going to track you or sell you more stuff, but if it's stuck to a pole next to Wrigley Field, you might be getting more than you bargained for.

No comments:

Post a Comment

I'm going to read this before it goes live if you don't mind.