The QR code: A new frontier in mobile attackability
A single poisoned link is all it takes to expose an entire organization to a full-scale attack.
Hackers write sophisticated browser-based attacks that operate quite stealthily. Now, they’re going after our mobile phones, which are soon to be the number one way we access the web.
As QR codes have evolved, they now can offer users – and thieves – unlimited information within seconds of scanning.
And we scan them voluntarily.
We’ve already been trained to think twice before entering an unknown link we get from a stranger or even a friend, but almost anyone will scan an unknown QR code with a smartphone or a tablet, if the offer it’s embedded in looks tempting enough.
The experiment
Over a three-day security conference in London, I created a small poster featuring a big security company’s logo and the sentence “Just Scan to Win an iPad.” Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.
The results: 455 people scanned the sign and browsed the link over the three days. The breakdown: 142 iPhone users, 211 Android users, 61 BlackBerry, and 41 unknown browsers. Remember, this was a conference for security professionals.
As I’m a nice guy fighting for the right side, the QR code simply linked to a web page featuring a smiley face. If I had decided to include malware or a poisoned URL attack based on multiple mobile smartphone browsers, I wonder whose phone I would have penetrated.
To make a long story short: QR codes are becoming more and more prevalent. And most of us don’t have the same AV or URL filtering technology on our phones or tablets that we have on our PCs.
The question is: Can we really fully trust the QR codes we see on the streets, in restaurants, or in ads? Regretfully, the answer is no.
Any attacker can take advantage of QR codes. And remember, unlike computers, most mobile devices do not include antivirus solutions to protect us against mobile malware.
Think before you scan.
- Does this QR code seem to come from a reliable source?
- After scanning the QR code and seeing the link, does the link really belong to whoever it claims to come from?
- Would I click on this link if it came through my email?
Even if you miss out on the iPad or the free ice cream cone, you’re probably better off.
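The second question on the checklist can be automated in a scanner app or a mobile gateway. The sketch below is an added example, not code from the original article; the function name, the reason strings and the sample domains (`example.com`, `.test`, `198.51.100.7`) are assumptions made up for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_scanned_link(url: str, claimed_domain: str) -> list[str]:
    """Return reasons the decoded QR link does not fit the claimed source.

    An empty list means the link is consistent with claimed_domain.
    """
    claimed = claimed_domain.strip().rstrip(".").lower()
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return ["link cannot be parsed as a URL"]

    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if has_userinfo:
        # In https://brand@other-host/ the real host is what follows the '@'.
        reasons.append("text before '@' is not the host")
    if not host:
        return reasons + ["no host in link"]
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        # Internationalized names can render as look-alikes of the brand.
        reasons.append("host uses non-ASCII (IDN) characters")
    # Match on a label boundary so brand.com.other.test does not pass.
    if host != claimed and not host.endswith("." + claimed):
        reasons.append("host is outside " + claimed)
    return reasons


if __name__ == "__main__":
    # Constructed sample links, as a poster claiming to be example.com might encode.
    for link in ("https://www.example.com/promo",
                 "https://example.com.prizes.test/ipad",
                 "https://example.com@198.51.100.7/win"):
        print(link, "->", check_scanned_link(link, "example.com") or "consistent")
```

A link that passes can still redirect elsewhere once opened, so this covers only what is visible before tapping.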