New Research: QR Codes Threat Landscape
October 15, 2017 | 4 minute read
You've been hearing all about the "hidden features" in Apple's new iOS 11, but you probably haven't heard how its native QR code reader widens the attack surface available to criminals. During Apple's keynote address, Craig Federighi announced that the new iOS will natively support QR code reading. QR code reader apps are nothing new; they have been around for a while. The difference now is that native support removes the need for a third-party app, opening the door to more mobile interactions built on QR codes. Until now, QR codes were mainly used by consumers for 'mobile tagging': scanning a printed or on-screen code to interact with a variety of print and digital content. Mobile tagging has proved very popular in Asia, and the need to install a third-party app may explain the low adoption rates in other regions. So, what's the problem?
The problem is that QR codes are built to be scanned by a digital device, not read by a human eye, so a person cannot tell legitimate content from malicious content by looking at the code. Based on our QR Code Threat Landscape Report, here are nine threats that iOS 11's native QR reading capability brings to the fore.
9 Threats Apple's iOS 11 QR Codes Pose
1. We are explorers by nature:
Humans are curious and like to explore their new toys. Many iOS 11 users will be keen to try the new QR code feature by scanning anything and everything they encounter, which increases usage and, with it, exposure. Users who scan constantly quickly become desensitized to notifications and may miss or ignore the subtle warning indicators. For the iOS 11 'Contacts', 'Mail', 'Messages' and 'Wi-Fi' QR code actions, the user must complete additional manual steps before the action is performed. Calendar, maps, phone and browser (in this case Safari) actions, however, are performed immediately after the initial tap on the QR code notification. Users therefore need to be educated and reminded of the attack vectors QR codes bring, especially since the codes are not human readable.
2. Difficulty in differentiating between good and bad:
QR codes themselves cannot be 'hacked' unless they are visually altered or the destination they point to is taken over. But the fact that they are not human readable makes them inherently open to abuse: once an attacker has generated and placed a malicious QR code, everything that follows depends only on a victim scanning it. The image below is a prime example of a manufactured QR code that could easily fool users.
Users are unlikely to spot the difference between a legitimate (left) and a potentially nefarious (right) QR code.
3. Counterfeit QR codes:
While difficult, it is possible for an advanced threat actor to compromise an organization that deploys QR codes and replace them with 'weaponized' codes of its own. By visually replicating a code used for electronic payments, threat actors could redirect payments to themselves instead of the intended retailer or service provider. Alternatively, new material carrying malicious QR codes can be printed and distributed in a target area. The threat is not limited to cyber-attacks: such codes could be used to manipulate automated navigation systems, to mislead pedestrians seeking directions, or to misdirect victims to a location of the attacker's choosing.
4. Phishing/Malicious URLs:
Social engineering attacks that persuade victims to scan a QR code can direct them to a site mimicking a legitimate brand in order to steal personal data, or to a malicious site that attempts to exploit the mobile device. These attacks depend on the user scanning the malicious QR code and then tapping the notification to open the site in the browser. This is usually achieved by affixing the code to legitimate advertising, which lowers the victim's suspicion.
It is true that iOS 11's QR code scanning implementation is designed to offer some protection from common phishing attacks by displaying only the domain in the prompt, in the hope that victims will recognize a foreign domain. But there is also 'QRLJacking', in which a legitimate login QR code (of the kind WhatsApp Web displays) is cloned and relayed to a victim through a phishing page; when the victim scans it with their app, it is the threat actor's browser session that ends up authenticated, giving them access to the victim's WhatsApp account. An attack like this, combined with 'DNS poisoning', can lead a victim to an IP address hosting the malicious content rather than the legitimate one, and could serve as one stage in a larger, targeted attack.
5. URL Shorteners:
URL shortening services like 'bit.ly' pose an additional threat, because they hide the true URL of a website. A shortened link negates the benefit of the iOS 11 'domain only' prompt, since the prompt shows the shortener's domain rather than the final destination, and it negates the site preview as long as the malicious site is visually similar to the legitimate one. An attacker who wants the prompt to look harmless simply puts a shortener in front of the malicious URL.
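The practical counter is to expand the link before trusting the host a prompt shows. As an added example (not code from the report or from Apple), the following Python walks a shortened link's redirect chain one hop at a time and compares the final hostname with the starting one. The network is injected as a callable so the chain can be checked offline against a constructed redirect table; the hostnames, table entries and hop limit are assumptions for illustration, and `real_head` is an assumed standard-library fetcher for live use.

```python
"""Expand a shortened URL before trusting the domain a QR prompt displays.

Added example: not the report's code. The network is injected as a
callable head(url) -> (status, location) so the chain can be walked
offline against a constructed table; real_head() below is an assumed
stdlib implementation for live use.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: legitimate chains are short, refuse anything longer
REDIRECT_CODES = {301, 302, 303, 307, 308}


def expand(url, head, max_hops=MAX_HOPS):
    """Follow redirects hop by hop without letting the client auto-follow.

    Returns {"final": url, "hops": [every URL visited], "error": None},
    or "error" set to "loop" / "too-many-hops" with the hops seen so far.
    """
    hops = [url]
    current = url
    for _ in range(max_hops):
        status, location = head(current)
        if status not in REDIRECT_CODES or not location:
            return {"final": current, "hops": hops, "error": None}
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in hops:
            return {"final": nxt, "hops": hops, "error": "loop"}
        hops.append(nxt)
        current = nxt
    return {"final": current, "hops": hops, "error": "too-many-hops"}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def prompt_is_misleading(start_url, result):
    """True when the host a domain-only prompt shows differs from where the user lands."""
    return result["error"] is not None or host_of(start_url) != host_of(result["final"])


# Constructed redirect table standing in for the network (not real data).
FAKE_REDIRECTS = {
    "https://bit.ly/3xmpl": (301, "https://t.co/abc"),
    "https://t.co/abc": (302, "/r/login"),  # relative Location header
    "https://t.co/r/login": (302, "https://login.example-bank.com.attacker.example/"),
    "https://login.example-bank.com.attacker.example/": (200, None),
    "https://bit.ly/loop1": (301, "https://bit.ly/loop2"),
    "https://bit.ly/loop2": (301, "https://bit.ly/loop1"),
    "https://example.com/direct": (200, None),
}


def fake_head(url):
    return FAKE_REDIRECTS.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; we want to see each hop ourselves


def real_head(url, timeout=5):
    """Assumed live fetcher: one HEAD request, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx surfaces here
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    for start in ("https://bit.ly/3xmpl", "https://bit.ly/loop1", "https://example.com/direct"):
        res = expand(start, fake_head)
        verdict = "misleading" if prompt_is_misleading(start, res) else "ok"
        print(start, "->", res["final"], res["error"], verdict)
```

Refusing to auto-follow is the point: a client that follows redirects transparently reports only the last hop, and the hop limit and loop check keep a hostile chain from tying the scanner up.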
6. Malicious Mobile Apps:
Threat actors can use QR codes that direct users to an app store or marketplace, either through a website or through a custom URL scheme that opens the store directly on the intended app's page. Victims can be fooled into believing they are downloading a legitimate app.
7. Premium Rate Fraud:
Threat actors can set up a premium rate telephone number or SMS service and use QR codes to drive victims to it, profiting from the charges levied against them. If the user taps the notification produced by a phone or 'Messages' QR code, the charge is incurred at the time of connection, and the attacker may then entice the victim into a lengthy call. The victim is unaware of the charge until a high bill arrives.
8. Mobile Device Exploits:
It is possible to encode malformed or unusually large data that a reader cannot handle gracefully, producing buffer overflow conditions and their associated security implications. Apple iOS devices have crashed in the past because of 'prank' messages, which makes similar attacks delivered by QR code plausible. Users can also 'jailbreak' or root their devices, removing the manufacturer's software restrictions and exposing the device to risks such as the execution of unsigned code. 'Custom URL schemes' in mobile apps are another issue: they allow one app to be launched, and to perform specific actions, from within another app. A QR code that uses a vulnerable app's custom URL scheme provides an opportunity to deliver malicious input directly to that app.
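Threats 4 through 8 all come down to what is encoded in the code and which action the reader would take on it. As an added example (not code from the report), here is a Python triage routine that classifies a decoded QR payload by the action it would trigger and flags the features discussed above: shortener hosts, userinfo and punycode tricks in URLs, premium rate numbers in tel:/sms: links, unexpected custom URL schemes, and oversized or control-character-laden payloads. The shortener list, premium rate prefixes, scheme allowlist, size limit and sample payloads are assumptions constructed for illustration, not authoritative data.

```python
"""Static triage of a decoded QR payload before any action is taken on it.

Added example: not the report's code. The lists and thresholds below
are assumptions chosen for illustration; a deployment would maintain
its own.
"""
import re
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}  # assumption
PREMIUM_RATE_PREFIXES = ("+1900", "1900", "+449", "09")                 # assumption
ALLOWED_CUSTOM_SCHEMES = {"myapp"}                                      # assumption
MAX_PAYLOAD_BYTES = 2048                                                # assumption
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def _wifi_field(body, key):
    """Pull one field (e.g. S for SSID) out of a WIFI:S:...;T:...;P:...;; body."""
    m = re.search(r"(?:^|;)%s:([^;]*)" % key, body)
    return m.group(1) if m else None


def triage(payload):
    """Classify one decoded QR string and list the risk flags it raises.

    Returns {"kind": ..., "target": ..., "flags": [...]}. An empty flag
    list means nothing suspicious was found, not that the code is safe.
    """
    flags = []
    if len(payload.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        flags.append("oversized-payload")
    if CONTROL_CHARS.search(payload):
        flags.append("control-characters")

    text = payload.strip()
    upper = text.upper()
    if upper.startswith("WIFI:"):  # joins a network: could be an attacker-run AP
        return {"kind": "wifi", "target": _wifi_field(text[5:], "S"), "flags": flags}
    if upper.startswith(("MECARD:", "BEGIN:VCARD")):
        return {"kind": "contact", "target": None, "flags": flags}
    if upper.startswith(("BEGIN:VEVENT", "BEGIN:VCALENDAR")):
        return {"kind": "calendar", "target": None, "flags": flags}

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme in ("tel", "sms", "smsto"):
        number = parts.path.split(":")[0]  # SMSTO:<number>:<message>
        digits = re.sub(r"[^\d+]", "", number)
        if digits.startswith(PREMIUM_RATE_PREFIXES):
            flags.append("premium-rate-number")
        return {"kind": scheme, "target": digits, "flags": flags}
    if scheme == "mailto":
        return {"kind": "mail", "target": parts.path, "flags": flags}
    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        if parts.username is not None:
            flags.append("userinfo-in-url")  # https://bank.example@evil.example/
        if host in SHORTENER_HOSTS:
            flags.append("url-shortener")    # expand before trusting the host
        if host.startswith("xn--") or ".xn--" in host:
            flags.append("punycode-host")    # possible homograph of a brand
        if scheme == "http":
            flags.append("plaintext-http")
        return {"kind": "url", "target": host, "flags": flags}
    if scheme:  # anything else a reader would hand to an app by URL scheme
        if scheme not in ALLOWED_CUSTOM_SCHEMES:
            flags.append("unexpected-custom-scheme")
        return {"kind": "custom-scheme", "target": scheme, "flags": flags}
    return {"kind": "text", "target": None, "flags": flags}


# Constructed sample payloads (not captured from real codes).
SAMPLES = [
    "https://bit.ly/3xmpl",
    "https://apple.com@evil.example/login",
    "https://xn--pple-43d.example/",
    "tel:+19005550100",
    "SMSTO:+19005550100:WIN",
    "WIFI:S:FreeAirportWiFi;T:WPA;P:hunter2;;",
    "evilapp://open?payload=AAAA",
    "myapp://open?item=42",
    "Gate B12, meeting point",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Note that any leading word followed by a colon (`Room:12`) parses as a URL scheme here, which is also how a reader would treat it; that is why the custom-scheme branch uses an allowlist rather than trying to guess intent.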
9. Identity Card Abuse:
Although QR codes can add protection to identity cards, they can also be abused, cloned or counterfeited. The encoded data can be malformed to exploit or crash the verification system. Threat actors can craft QR codes that clone legitimate cards wherever the card is not linked to corroborating data, such as a photo that is checked on verification. This gives a threat actor the opportunity to 'verify' a counterfeit card through a fake website that presents verifying information matching it.
What's the Next Step?
First and foremost, organizations should determine whether QR codes offer any benefit outside specific internal applications such as material tracking. If the risks outweigh the benefits, QR code scanning should be disabled on managed devices. It is equally important to counter these attacks with security awareness: many QR code threats are based on social engineering and rely on exploiting the human element within an organization in order to progress. To learn more about these threats and how to mitigate them, download our Threat Intelligence Report: QR Code Threat Landscape Report.