In my last blog post I talked about the merits of QR codes and their use in forensics. I’m going to talk about the risks of QR codes now, as with everything, there are always issues with new technology. There are three main risks with QR codes:
The first risk is no more dangerous in theory than clicking a link in a web browser that is malicious. However as the URL is inherently encoded into the QR code; you don’t know what you are opening. I would argue that (most?) PC & laptop users would be deterred from clicking a link that claimed to be something, but the underlying URL from the hover-over text provided by the browser was something else. This however is harder on mobiles and tablets, as there isn’t really a way to show what the link is actually pointing with a touch screen, so the risk here is on a par with regular mobile browsing.
QR code data that is associated with a particular application (e.g. browser, smart phone App store or particular App) can be coded to try and exploit that particular application. And finally, QR codes can try and exploit the QR code reader itself. If the reader is badly designed it can have privileged access on the smart phone, such as use of the camera, GPS, read/write of local storage and make system changes. This type of attack is called attagging, a portmanteau of attack and tagging. A great example is of how an Android can be compromised using Metasploit.
As with most things, if the QR code is on an official advert or printed in a newspaper, then it’s likely to be ok, as you’d think that the publishers and editors would check (although sometimes that goes very wrong...). Make sure that your App does not have privileges it shouldn’t have and download it from the official App stores, and don’t go scanning any old code!
chemistry Itiel Dror styles symposium UK Cyber Security Strategy metaphors self deletion malware sausages wifi CV unicode search terms RHD gardening Christmas Dean Village walks kill chain News of the World East Lothian chocolate General Election Pentlands Post Secret python data flow arts fair dinosaurs Moo alternate data streams Internet Explorer GDPR Google Chrome batch files malware analysis government Webscavator Strathclyde Asda art gallery free courses Geocities link files confirmation bias Demand Five retro cybercrime presents promotion public lecture Mweke New Scientist rabbit nutrition paintings backup lectures Linkin Park favourites training