QR Code Security – Are we ready to discuss the risks?
The Quick Response codes we see on everything from movie posters to business cards are becoming the ubiquitous contact links of an entire new generation of mobile devices and the people who use them. Originally invented in Asia at the end of the last millennium (Japan, circa 1994, to be precise), these matrix or 2D (two-dimensional) barcodes are now enjoying broad adoption in North America.
Beyond their coolness factor, their practicality is fully realized when we’re out and about, with only a couple of seconds to take in snippets of information on billboards or posters. From our perspective as users, it’s an intriguing way to exchange contact details and access a wealth of information about different products by simply scanning a digital coffee stain.
For marketers, this is an opportunity to target and track their promotional messages across a wide swath of captive audiences in a very cost-effective manner. The QR code you see here simply (albeit shamelessly) opens up my Kiva page on your cell phone, but it can just as easily allow me to count the ‘hits’, identify your handset and precisely target my message to your situation. Or push your smartphone towards a completely different web site destination.
Naturally, this presents a few opportunities for malfeasance from geolocating unsuspecting individuals to leading them to malicious Web sites that may infect their phones. The ideal situation would be to target specific phone brands, such as say, jailbroken iPhones (http://bit.ly/aLgncn), while presenting innocent (or differently infected) content to others in a bid to delay detection and maximize attack effectiveness.
While most handsets ask the user to confirm Web site access and to approve the download and installation of all software, such awareness is not as high with smartphones and mobiles as it is with traditional PCs. Most users simply want to install and start using the app, without thinking about the potential for privacy breaches, financial fraud, identity theft and other security mischief. The Australian Privacy Commissioner touched upon the threats posed by rogue applications, including unauthorized address book access, theft of written notes and other data such as passwords and bank account details. For more information see their Scamwatch site (http://bit.ly/cSJ85F).
So where does this leave users? We’re seeing a rapid growth in malware (PDF presentation) for all mobile phone platforms, with infection vectors ranging from web sites to the telecommunications companies themselves (http://bit.ly/cS9FJw). For those phones that don’t yet natively support QR codes, a variety of barcode reader apps are readily available (http://bit.ly/btGEus) and the increasing popularity of these digital calling cards – now used on everything from cartoons to tombstones – is making this functionality all but irresistible. Last but not least, the widespread use of URL shorteners (such as the ones used throughout this article) can help to obscure malicious destinations from being immediately filtered by anti-malware systems.
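A QR code is only a container for text, and the risks above all begin at the moment the handset acts on that text. The helper below is an added example written for this article (not code from any scanner app or from the author) showing the kind of pre-open inspection a reader app could perform on the decoded payload: classify it, and raise warning flags such as a shortened link that hides its real destination. The shortener list is a constructed sample.

```python
"""Inspect a decoded QR payload before the handset acts on it.

Hypothetical helper written for this article; it never follows the link.
It parses the decoded string and returns warning flags a reader app could
show before opening a URL, dialling a number or sending an SMS.
"""
from urllib.parse import urlsplit

# Constructed sample of public URL shorteners (bit.ly is the one used in the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
# Payload schemes that trigger an action on the handset rather than a page view.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market"}


def assess_qr_payload(payload: str) -> dict:
    """Classify a decoded QR string and collect warning flags for the user prompt."""
    text = payload.strip()
    result = {"kind": "text", "flags": []}
    if text.upper().startswith(("MECARD:", "BEGIN:VCARD")):
        result["kind"] = "contact"  # address-book entry: confirm before importing
        return result
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        result["kind"] = scheme
        result["flags"].append("triggers-action")  # e.g. a premium-rate call or SMS
        return result
    if scheme not in ("http", "https"):
        return result  # plain text: nothing for the handset to open
    result["kind"] = "url"
    host = (parts.hostname or "").lower()
    result["host"] = host
    if scheme == "http":
        result["flags"].append("no-tls")  # destination can be tampered with in transit
    if host in SHORTENERS:
        result["flags"].append("shortened-destination-hidden")  # real site not visible
    if parts.username is not None:
        result["flags"].append("userinfo-in-url")  # text before '@' is not the host
    if host.replace(".", "").isdigit():
        result["flags"].append("raw-ip-host")  # no domain name to judge the site by
    return result
```

A reader app would show these flags in its confirmation dialog; an empty flag list is not a guarantee of safety, only the absence of the cheap tells checked here.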
Unfortunately, it all comes down to awareness. In the near term, users will have to exercise caution when accessing sites and when downloading and installing software. The technology to prevent and detect infection on mobile phones is still in its infancy. In the meantime, we can create and enjoy QR codes for what they are: a cool, quasi-steganographic way to exchange contact details and get people to “Like” our social networking pages.