14 September 2011
You've probably seen QR tags thousands of times, from advertisements in the subway to coupon flyer in the mail to products in the supermarket. They look like stamp-size bar codes, a grid of small black-and-white rectangles and squares, usually with bigger black squares in the corners.
A marketer's dream-come-true, these tiny images are capable of storing and transmitting loads of data directly to the smartphones of interested customers. When a person scans a QR tag with a smartphone, the tag can do any number of things, including taking the user right to the product's website.
But like any technology, they can also be manipulated to bite the hands — or phones — that feed them. On security blog Kaotico Neutral, researcher Augusto Pereyra demonstrated how these innocuous QR tags can be made into cybercrime weapons.
In his proof-of-concept hack, Pereyra took a QR tag he created from a free online tag creator and embedded in it the URL for an attack server called evilsite.dyndns.org. When the target smartphone scanned the tag, the browser was directed to the spoofed site and fed malware.
QR tags are touted for their convenience, but it's that same convenience — coupled with their increasing prevalence — that Pereyra believes could allow them to become dangerous attack vectors. Popular QR tag-scanning software, such as ScanLife, automatically takes to the site embedded within the tag, and while it makes the process quick, it does nothing for its safety.
"This is a serious problem since this is the equivalent of clicking a link with your eyes closed," Pereyra wrote.
Tim Armstrong, researcher for the security firm Kaspersky Lab, said this streamlined process creates a "run first, ask questions later" mentality that benefits attackers.
An attack like his could easily be scaled up, Pereyra said, simply by printing the rigged QR tags and pasting them atop already-existing tags on posters in public places.
As companies and marketers take advantage of the power and ubiquity of mobile devices, and it becomes easier for consumers to carry out financial transactions via smartphones, researchers suspect online attackers will attempt to gain their own foothold in .