by David Geer

The dangers of QR codes for security

Aug 19, 2013 | 6 min read

Application Security, Cybercrime, Data and Information Security

A large number of end-user computers are mobile devices and the lion’s share of those are smartphones. APTs are increasingly targeting the mobile market.

“Mobile malware increased more than 1,000-percent in 2012 alone,” said Catalin Cosoi, Chief Security Researcher, BitDefender. BitDefender bases this data on analyses of mobile threats it collects via honeypots.

Criminal hackers use malicious QR codes for the same reasons they use any attack on mobile devices: the mobile market is outpacing PCs, creating a bigger target, and these newer, mostly end-user devices (especially smartphones) are the least likely to carry any security software.

Dissecting malicious QR codes

A malicious QR (Quick Response) code contains a link to a website embedded with malware.

“It doesn’t matter how the user scans or collects the QR code, eventually the device translates it to a link,” said David Maman, Founder and CTO, GreenSQL, who also speaks at conferences on the dangers of malicious QR codes.

The web link then infects the user device with a Trojan.

“It’s typically a JavaScript Trojan. When the website comes up, the JavaScript automatically runs, embedding the Trojan into your system,” said Dave Chronister, Lead Hacker, Parameter Security, which enterprises contract to perform penetration (pen) tests to audit network security.

Once a Trojan infiltrates a mobile device, it typically reports to the hacker’s servers, which automatically transmit any number of other threats through that opening to leech data and wreak havoc.

Freely available tools automate QR code creation so criminal hackers do not have to roll their own.

“The Social Engineering Toolkit has a QR code generator. You can use it to create malicious QR codes,” said Chronister. The intent of The Social Engineering Toolkit is that ethical hackers use it to test systems for security vulnerabilities with the enterprise’s blessing. However, whether it is good or bad really depends on whose hands it is in.

Attack vectors / infection points

Criminal hackers could distribute malicious QR codes and/or malware through marketing firms that create legitimate codes, through malicious QR code tools, and when people access bogus QR codes unawares. Hackers can compromise systems belonging to marketing firms that create QR codes for their enterprise clients. They can then substitute the legitimate codes with malicious ones before the firm distributes them. This creates obvious liabilities for the enterprise that ordered the QR code.

There are also many free apps for creating QR codes already available.

“What would stop someone from putting an app out that adds a JavaScript to the QR codes, which sends people to a secondary site to inject malware on the device?” noted Chronister.

In addition, if malicious QR codes infect smartphones and the enterprise permits these devices to connect to the company network, they can become bridges to the enterprise for malware via the phone’s data connection.

Hot new attack vectors, chilling results

Attackers use malicious QR codes in phishing attacks. An attacker could create thousands of business cards purporting to be from Subway that say, ‘Free footlong if you join our QR Club’ printed next to the malicious code. When recipients scan the code and follow the link, the site could simply respond, ‘Thank you for joining the club’ while silently installing a Trojan.


“So many companies are using QR codes, how can a consumer tell whether the QR code is from a company they trust or is a forgery?” asked Chronister.

In another attack, APTs can use a cross-site scripting vulnerability on a legitimate website to open a hole to insert a malicious QR code in place of a legitimate code.

“When a web browser pulls up the legitimate site, the QR code referencing the hacker’s site is now part of the otherwise benign site and the browser will pull them up together,” said Chronister.

Malicious QR codes can also enable a hacker to control cell phones to access messages and GPS, turn on the camera(s), and listen in on phone conversations.

“Even botnet software is showing up on phones, allowing APTs to enlist them into botnets for attacking other systems,” said Chronister. The attacker can use the phone as part of an SMS botnet or an Internet botnet to attack countless targets.

What CSOs should do now

The best way to avoid malicious QR codes and protect the enterprise is simply to not use them.

“The codes are really not valuable enough to any company to afford the risk. If the enterprise must use them, ensure they are set up in a way that enables the enterprise to continually validate them as legitimate,” said Chronister.
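The validation Chronister calls for has to happen on the decoded payload, since, as Maman notes above, every scan ends up as a link. The following script is an added example (not from the article, GreenSQL or Parameter Security) of how an enterprise can audit the payloads behind the QR codes it publishes, or that a scanner app hands it, before anyone follows them. The allowlisted hosts and all sample payloads are constructed; the shortener list names real services only as an illustration of why a shortened link deserves review. It assumes decoding from image to text has already been done (for example by a scanner app or a library such as pyzbar).

```python
"""Defender-side triage of decoded QR payloads (added example, constructed data)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this enterprise ever prints QR codes for.
TRUSTED_HOSTS = {"promo.example.com", "www.example.com"}

# Schemes that should never appear in a marketing QR code; a browser may execute them.
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript", "file"}

# Shorteners hide the final destination, so the code cannot be validated as-is.
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def classify_payload(payload: str) -> tuple[str, str]:
    """Return (verdict, reason) for one decoded QR payload.

    verdict is "allow", "review" or "block". The checks run from most to
    least severe so the first matching reason is the one reported.
    """
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return "block", "payload is not a parseable URL"

    scheme = parts.scheme.lower()          # urlsplit lower-cases the scheme
    host = (parts.hostname or "").lower()  # hostname strips port and userinfo

    if scheme in DANGEROUS_SCHEMES:
        return "block", f"payload uses {scheme}: scheme"
    if scheme not in {"http", "https"}:
        # Plain text, vCard, Wi-Fi configs etc. cannot open a page, but a
        # campaign that only publishes URLs should still look at them.
        return "review", f"non-web payload ({scheme or 'no scheme'})"
    if "@" in parts.netloc:
        # "https://promo.example.com@evil.example/" lands on evil.example;
        # the trusted name before '@' is only userinfo.
        return "block", "userinfo in URL authority (host-spoofing trick)"
    if host in TRUSTED_HOSTS:
        if scheme == "https":
            return "allow", "https link to an allowlisted host"
        return "review", "allowlisted host but not https"
    if host in URL_SHORTENERS:
        return "review", "shortener hides the final destination"
    if any(trusted in host for trusted in TRUSTED_HOSTS):
        # e.g. promo.example.com.evil.example: the trusted name is a subdomain label.
        return "block", f"lookalike host {host}"
    return "block", f"host {host or '(none)'} not on allowlist"


def audit_payloads(payloads: list[str]) -> list[tuple[str, str, str]]:
    """Classify a batch of decoded payloads; returns (payload, verdict, reason)."""
    return [(p, *classify_payload(p)) for p in payloads]


if __name__ == "__main__":
    # Constructed sample of what a scanner might hand back from a batch of codes.
    sample = [
        "https://promo.example.com/qr-club",
        "http://promo.example.com/qr-club",
        "javascript:alert(document.cookie)",
        "https://promo.example.com@evil.example/login",
        "https://promo.example.com.evil.example/",
        "https://bit.ly/3xyzabc",
        "WIFI:T:WPA;S:guest;P:secret;;",
    ]
    for payload, verdict, reason in audit_payloads(sample):
        print(f"{verdict:6} {reason:45} {payload}")
```

Run against the codes a marketing firm returns before they go to print, and again periodically against the live pages those codes point to, and the enterprise has a repeatable way to answer the question of whether a code is still legitimate.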

Instruct employees not to use QR codes on phones that also attach to the company network.

“If the company uses BYOD, instruct employees of the risks of QR codes,” Chronister advised.

Enterprises should already be segregating the wireless guest network from the rest of the infrastructure as well as segregating internal networks with core data from other internal networks. Unfortunately, this is often not the case.

“When we do pen testing, we find that though the enterprise has a guest network, smartphones are connected to the corporate network,” said Chronister.

Make sure smartphones and other mobile devices have anti-virus and other anti-malware software installed and updated.

“In the course of our pen testing, we’ll see that the network policy says every system that connects to the corporate network is supposed to have anti-virus software installed. Then I will ask to see someone’s iPhone. It doesn’t have anti-virus software installed, but it’s a system and it’s on the corporate network,” said Chronister.

Long-term Solutions

Ultimately, enterprises will have to continue to refine fine-grained policies and rules that examine log files in depth for network events.

“These help to determine whether, for example, an authorized smartphone connecting to an internal system belongs to someone who happens to be off sick that day,” says Maman. Then the network can automatically drop the connection and IT can investigate further.
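The rule Maman describes is a correlation between two sources the enterprise already has: network access logs and the HR record of who is out that day. The script below is an added example, not from the article or GreenSQL, of that rule running over constructed log lines; it also applies the earlier point from the pen-test findings by flagging smartphones that reach the corporate network without being in the device registry. The log format, field names, absence roster and device registry are all invented for the illustration, and in practice they would come from the NAC or VPN gateway and the HR system.

```python
"""Flag device connections whose owner is recorded absent (added example, constructed data)."""
from __future__ import annotations

import re

# Constructed log shape: "<date>T<time> <source> key=value key=value ..."
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2}) (?P<source>\S+) (?P<kv>.*)$"
)

# Constructed sample of a NAC log for one morning.
SAMPLE_LOG = """\
2013-08-19T08:02:11 nac01 event=connect device=phone-0142 user=asmith dst=mail01 net=corp
2013-08-19T08:40:37 nac01 event=connect device=phone-0211 user=jdoe dst=fileserver01 net=corp
2013-08-19T09:15:02 nac01 event=connect device=phone-0211 user=jdoe dst=hr-db net=corp
2013-08-19T09:20:44 nac01 event=connect device=laptop-0033 user=rlee dst=wiki net=corp
2013-08-19T10:01:05 nac01 event=connect device=phone-0998 user=unknown dst=fileserver01 net=corp
2013-08-19T10:30:12 nac01 event=connect device=phone-0500 user=guest dst=internet net=guest
2013-08-20T08:05:19 nac01 event=connect device=phone-0211 user=jdoe dst=mail01 net=corp
"""

# Constructed HR roster: user -> set of dates recorded as sick leave / absence.
ABSENCES = {"jdoe": {"2013-08-19"}}

# Constructed device registry: device id -> registered owner.
REGISTERED_DEVICES = {"phone-0142": "asmith", "phone-0211": "jdoe", "laptop-0033": "rlee"}


def parse_line(line: str) -> dict[str, str] | None:
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
    fields["date"] = m.group("date")
    fields["source"] = m.group("source")
    return fields


def flag_events(
    log_text: str,
    absences: dict[str, set[str]] = ABSENCES,
    registry: dict[str, str] = REGISTERED_DEVICES,
) -> list[tuple[str, str, str, str]]:
    """Return (date, device, user, reason) for each corporate-network connection
    that should be dropped and handed to IT for investigation."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only connections onto the corporate network matter here; guest traffic is expected.
        if not ev or ev.get("event") != "connect" or ev.get("net") != "corp":
            continue
        device, user, day = ev.get("device", ""), ev.get("user", ""), ev["date"]
        if device not in registry:
            flagged.append((day, device, user, "unregistered device on corporate network"))
        elif registry[device] != user:
            flagged.append((day, device, user, "device used by someone other than its owner"))
        elif day in absences.get(user, set()):
            flagged.append((day, device, user, "owner recorded absent that day"))
    return flagged


if __name__ == "__main__":
    for day, device, user, reason in flag_events(SAMPLE_LOG):
        print(f"{day} {device:12} {user:8} -> drop and investigate: {reason}")
```

On the constructed log this produces three alerts: the two jdoe connections on the day jdoe is recorded off sick, and the unregistered phone-0998. The next day's jdoe connection, the guest-network traffic and the in-policy users pass, which is the point Maman makes in the following lines: the rule catches what the logs and roster can show, and no more.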

But, even such policies cannot detect everything.

“There may not be enough evidence or detail to detect,” said Maman.