Welcome!

Mobile IoT Authors: Pat Romanski, Elizabeth White, Carmen Gonzalez, Liz McMillan, Peter Silva

Related Topics: Cloud Security, Mobile IoT, Microservices Expo

Cloud Security: Article

Quick Response, Quick Risk?

The risks presented by QR codes are really a new spin on well-established hacking tricks and exploits

Quick Response (QR) codes are intended to help direct users quickly and easily to information about products and services, but they are also starting to be used for social engineering exploits. This article looks at the emergence of QR scan scams and the rising concern for users today.

You don't have to look far these days to spot a QR code. From their humble beginnings in labelling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.

QR codes are a jumping-off point from the offline to the online world. By simply scanning the code with your smartphone, people can quickly access the digital content triggered by the code - making them a marketer's dream because they make it easy to direct users toward information and services. What's more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.

However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware. While the concept of ‘drive-by downloads' is already well established as a stealthy tactic for stealing user data when web browsing, QR codes offer a new method for manipulating mobile users in a similar way.

A Matter of Trust
The issue with QR codes is that it forces users to trust the integrity of the code's provider and assume that the destination it leads to is legitimate. This is almost impossible for individuals to gauge because the QR code actually conceals the site and content it leads to. While social engineering exploits have evolved from the email worms of the early 2000s, they still rely on human curiosity to see what might happen when users click on an attachment or a QR code is scanned, which often leads to security problems.

Furthermore, QR code-scanning applications running on smartphones can provide a direct link to other smartphone capabilities, such as email, SMS, location-based services and application installations - further extending the potential risks to mobile devices. Let's look at how a potential QR code-based exploit could be mounted, and then at how to defend against it.

Code Read
The first step in mounting a QR exploit is to distribute the code, to get it in front of potential victims. This could happen by embedding the QR code in an email - making it an elaborate phishing exploit - or by distributing plausible-looking physical documents with QR code on them, for example flyers at a trade show, or even stickers applied to genuine advertisement billboards.

Once the QR code is distributed, the attacker has a multitude of scam options to choose from. At a basic level, the code could simply redirect users to fake websites for phishing purposes - such as a fake online store or a payment site.

More sophisticated exploits involve hackers using the QR code to direct users to websites that will ‘jailbreak' their mobile device - that is, allow root access to the device's operating system and install malware. This is essentially a drive-by download attack on the device, enabling additional software or applications, such as key loggers and GPS trackers, to be installed without the user's knowledge or permission.

Targeting the Mobile Wallet
Perhaps the biggest potential risk to users is the rising use of mobile banking and payments via smartphones. With the ability of QR codes to jailbreak devices and tap into applications, this could give hackers virtual pick-pocket access to mobile wallets, especially as QR-based payment solutions already exist and are in use. While the uptake of these is currently small, it will grow as public acceptance of QR codes increases.

What can organizations and individual users do to mitigate the risks from QR codes? The most important precaution is being able to establish exactly what link or resource the QR code is going to launch when it's scanned. Some (not all) QR scanning applications give this visibility and - critically - ask the user to confirm if they wish to take the action. This gives users the opportunity to assess the link's validity before the code is activated.

For corporate smartphones, consider deploying data encryption so that even if a malicious QR code manages to install a Trojan on the device, sensitive data is still protected and not immediately accessible or usable by hackers.

In conclusion, the risks presented by QR codes are really a new spin on well-established hacking tricks and exploits. The security basics still apply - be cautious about what you scan, and use data encryption where possible. Or put simply: look before the QR leap.

More Stories By Tomer Teller

Tomer Teller is security evangelist at Check Point. During his six years at Check Point, he has been working as a researcher and developer on variety of large scale projects, as well as a speaker at multiple IT security conferences and lecturer at Check Point headquarters.

Specialized in both high-level and low level software engineering, Teller devotes his free time to various projects and original security research. He holds a BS in computer science and is a proud owner of a patent in the field of browser exploitation.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
IoT is at the core or many Digital Transformation initiatives with the goal of re-inventing a company's business model. We all agree that collecting relevant IoT data will result in massive amounts of data needing to be stored. However, with the rapid development of IoT devices and ongoing business model transformation, we are not able to predict the volume and growth of IoT data. And with the lack of IoT history, traditional methods of IT and infrastructure planning based on the past do not app...
"LinearHub provides smart video conferencing, which is the Roundee service, and we archive all the video conferences and we also provide the transcript," stated Sunghyuk Kim, CEO of LinearHub, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
Discover top technologies and tools all under one roof at April 24–28, 2017, at the Westin San Diego in San Diego, CA. Explore the Mobile Dev + Test and IoT Dev + Test Expo and enjoy all of these unique opportunities: The latest solutions, technologies, and tools in mobile or IoT software development and testing. Meet one-on-one with representatives from some of today's most innovative organizations
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in Embedded and IoT solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 7-9, 2017, at the Javits Center in New York City, NY. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology, is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/Big Data, HPC and E...
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
"A lot of times people will come to us and have a very diverse set of requirements or very customized need and we'll help them to implement it in a fashion that you can't just buy off of the shelf," explained Nick Rose, CTO of Enzu, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
WebRTC sits at the intersection between VoIP and the Web. As such, it poses some interesting challenges for those developing services on top of it, but also for those who need to test and monitor these services. In his session at WebRTC Summit, Tsahi Levent-Levi, co-founder of testRTC, reviewed the various challenges posed by WebRTC when it comes to testing and monitoring and on ways to overcome them.
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
WebRTC services have already permeated corporate communications in the form of videoconferencing solutions. However, WebRTC has the potential of going beyond and catalyzing a new class of services providing more than calls with capabilities such as mass-scale real-time media broadcasting, enriched and augmented video, person-to-machine and machine-to-machine communications. In his session at @ThingsExpo, Luis Lopez, CEO of Kurento, introduced the technologies required for implementing these idea...
The WebRTC Summit New York, to be held June 6-8, 2017, at the Javits Center in New York City, NY, announces that its Call for Papers is now open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 20th International Cloud Expo and @ThingsExpo. WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web co...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develop...
While not quite mainstream yet, WebRTC is starting to gain ground with Carriers, Enterprises and Independent Software Vendors (ISV’s) alike. WebRTC makes it easy for developers to add audio and video communications into their applications by using Web browsers as their platform. But like any market, every customer engagement has unique requirements, as well as constraints. And of course, one size does not fit all. In her session at WebRTC Summit, Dr. Natasha Tamaskar, Vice President, Head of C...
Who are you? How do you introduce yourself? Do you use a name, or do you greet a friend by the last four digits of his social security number? Assuming you don’t, why are we content to associate our identity with 10 random digits assigned by our phone company? Identity is an issue that affects everyone, but as individuals we don’t spend a lot of time thinking about it. In his session at @ThingsExpo, Ben Klang, Founder & President of Mojo Lingo, discussed the impact of technology on identity. Sho...
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain. In this power panel at @...