Skip to content

WA2. QR code attacks

Statement

A QR code is an image-type barcode that can be read by a digital device. It allows access to the product and service information. Some mobile devices and smartphones have a built-in capability to read and interpret QR codes. QR codes are very popular because they enable a lot of different remote tasks and data access.

For this assignment, it is recommended you conduct independent, online research on QR code attacks; and answer the following questions:

  1. Describe a scenario where the attacker abuses the bar code to commit a cybercrime, such as stealing a bank account.
  2. Identify a vulnerability that enabled this attack, explain its mechanism.
  3. Provide a solution to defeat such an attack.
  4. Support your scenario analysis and solution proposal with external references (appropriate research).

Solution

QR codes have gained popularity due to its ease of use; we started to see them everywhere, from restaurants, to advertisements, and even to financial institutions. There are two types of QR codes, static and dynamic. The data encoded in a static QR code is fixed and cannot be changed after creation. While dynamic QR codes is designed to point to a dynamic data, thus it encodes a short URL that redirects to a different URL after scanning, called destination URL that lives on a server (Schulfer, 2020).

Mobile phones are equipped with a utility that scan and decodes QR codes, the decoded data has its own module type, e.g. URL, text, phone number, etc. and then the phone’s OS will perform appropriate action like opening the URL in a browser, or dialing the phone number, or even adding a contact to the phone’s address book.

Task 1: Cyber-crime scenario that involves QR code

(Willems, 2022) describes an interesting real scenario involving parking meters; where an attacker printed a sticker that includes a QR code where users can scan to pay for parking instead of using cache money. And here is how the attack works:

  • The user will scan the QR code which redirects them to a malicious website crafted by the attacker.
  • The website prompts the user to enter their credit card information to pay for parking.
  • The attacker either steals the credit card information or the money is transferred to the attacker’s account.

In the previous scenario, the parking meter owner company did not use QR codes as a payment method, but the attacker printed the stickers anyway; however, if the company used QR codes as a payment method, the attacker could have printed another sticker on top of the original one, that includes the malicious QR code.

Task 2: Vulnerability that enabled the attack

In the scenario described above, the mechanism was pure social engineering, and crafting the malicious website to grab the user’s credit card information, where the victim willfully entered their bank details; such attack is called Quishing (Violino, 2020).

The problem with QR codes is that they are not human readable, so the user has no idea what the QR code is going to do; also, QR-related cyber attacks involve mobile phones which are usually less secure than laptops and users are usually distracted while on their phones (Violino, 2020).

There are more sophisticated attacks that involve QR codes, such as Qrljacking, where the attacker can hijack the user’s session by convincing them to scan a malicious QR code during authentication (QR login). The attacker then can perform any action on behalf of the legitimate user (OWASP Foundation, 2021).

Task 3: Solution to defeat the attack

(Owasp Foundation, 2021) suggests not to use QR codes for authentication, and if it is necessary, a newly secure methods that involve extra steps must be used.

Users should be aware of the risks of scanning QR codes, and manually audit the URL that a QR code is pointing to before accepting it; but what makes this harder is that the URL is not shown until the QR code is scanned or that malicious QR urls sometimes passes malicious filters that catch traditional URLs (Violino, 2020).

Along with the traditional advice, that if A QR looks altered or modified, the user should never scan it; and if the QR code is printed on a sticker, the user should try to peel it off to see if there is another QR code underneath it.

Task 4: Supporting references

  • The answers to the previous task includes an in-texts citations to the references used.

References