Apple's new operating system for iPhones and iPads contains a Quick Response (QR)-scanning feature that could be used as a 'backdoor' by cyber-criminals, according to a new report from Israel-based cyber-security company CyberInt due to be released next month (Threat Intelligence Report - QR Code Threat Landscape).
Users of the iOS 11 iPhone QR scanner will find it almost impossible to distinguish legitimate from nefarious content, the researchers say: QR barcodes are virtually indistinguishable to the naked eye, and they can now be scanned without a third-party application.
The new Apple software, released 19 September, introduced the ability to use the device's camera to scan QR codes natively, without a third-party application. QR codes are machine-readable matrix barcodes that are also used for “mobile tagging”.
The QR code itself cannot be hacked or hijacked without visibly changing it or taking over its destination, but because it is not human-readable, the user cannot tell where it leads before scanning it, which the researchers regard as an inherent vulnerability. In a press statement, the researchers write: “The ability to ‘authenticate’ or ‘filter’ a QR code, such as before following a link, is seriously limited. Users will find it almost impossible to distinguish between legitimate and nefarious content as the QR barcodes are virtually indistinguishable to the naked eye. Given the way that iOS 11 handles QR codes, users are effectively only one tap away from nefarious content.”
Depending on its payload, a scanned QR code can invoke the calendar, the map, the phone dialler or the browser (Safari) immediately after a single tap on the scan notification. Because a common use of QR codes is to direct users to an app-store listing for a mobile app, CyberInt says cyber-criminals could capitalise on this to direct users to a fake app instead.
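The researchers say the ability to filter a QR code before following it is seriously limited in the native scanner. The following is an added example, not code from CyberInt, Apple or SC Media, of what such a filter would have to examine. It assumes the QR symbol has already been decoded to its text payload by some scanner library and classifies only that string: which app the payload would hand off to (browser, app store, phone, calendar, map, and so on) and which features of the payload hide its real destination from a user who is one tap away from it. The sample payloads and the risk rules are constructed for illustration and are not a published policy.

```python
"""Classify a decoded QR payload by the action it would trigger on tap.

Added example (not from the CyberInt report). Input is the decoded text of a
QR symbol; image decoding is out of scope.  Risk labels are illustrative.
"""
from urllib.parse import unquote, urlsplit

# Illustrative lists (assumptions for this example, not an authoritative set).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
APP_STORE_HOSTS = {"itunes.apple.com", "apps.apple.com"}
# Risks that should stop the tap outright rather than merely prompt review.
BLOCKING_RISKS = {"non_http_scheme", "userinfo_before_host"}


def classify_qr_payload(payload: str) -> dict:
    """Return action, host/number where relevant, a list of risks and a verdict."""
    p = payload.strip()
    lower = p.lower()
    scheme = lower.split(":", 1)[0] if ":" in lower else ""
    result = {"action": "plain_text", "risks": []}
    risks = result["risks"]

    if scheme in ("http", "https", "itms", "itms-apps"):
        parts = urlsplit(p)
        host = (parts.hostname or "").lower()
        is_store = scheme.startswith("itms") or host in APP_STORE_HOSTS
        result["action"] = "open_app_store" if is_store else "open_url"
        result["host"] = host
        if scheme == "http":
            risks.append("plain_http")
        # "https://trusted.example@evil.example/" shows a trusted name first,
        # but the browser connects to what follows the '@'.
        if parts.username is not None:
            risks.append("userinfo_before_host")
        # Punycode labels (xn--) may render as look-alike Unicode characters.
        if any(label.startswith("xn--") for label in host.split(".")):
            risks.append("punycode_host")
        if host in SHORTENER_HOSTS:
            risks.append("shortener_hides_destination")
        if host.replace(".", "").isdigit():
            risks.append("raw_ip_host")
    elif scheme in ("javascript", "data", "file"):
        result["action"] = "open_url"
        risks.append("non_http_scheme")
    elif scheme == "tel":
        result["action"] = "call_number"
        result["number"] = unquote(p[4:])
        if not result["number"].lstrip("+").replace("-", "").isdigit():
            risks.append("non_numeric_number")
    elif scheme in ("sms", "smsto"):
        result["action"] = "send_sms"
    elif scheme == "mailto":
        result["action"] = "compose_email"
    elif scheme == "geo":
        result["action"] = "open_map"
    elif lower.startswith(("begin:vcalendar", "begin:vevent")):
        result["action"] = "add_calendar_event"
        # A calendar entry can carry a URL that the user may tap later,
        # long after the QR code itself has been forgotten.
        if any(line.upper().startswith("URL:") for line in p.splitlines()):
            risks.append("calendar_event_embeds_url")
    elif lower.startswith("begin:vcard") or scheme == "mecard":
        result["action"] = "add_contact"
    elif scheme == "wifi":
        result["action"] = "join_wifi"

    if any(r in BLOCKING_RISKS for r in risks):
        result["verdict"] = "block"
    elif risks:
        result["verdict"] = "review"
    else:
        result["verdict"] = "allow"
    return result


# Constructed sample payloads, not real scans.
SAMPLES = [
    "https://apple.com@evil.example/login",
    "http://bit.ly/abc123",
    "tel:+442071234567",
    "geo:51.5007,-0.1246",
    "itms-apps://itunes.apple.com/app/id123456789",
    "BEGIN:VEVENT\nSUMMARY:Team lunch\nURL:http://evil.example/x\nEND:VEVENT",
    "javascript:alert(1)",
    "Just some printed text",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = classify_qr_payload(sample)
        print(f"{r['verdict']:6} {r['action']:20} {r['risks']}  <- {sample[:40]!r}")
```

The classifier is deliberately conservative: anything the scanner would hand to Safari over plain HTTP, through a shortener, or with user-info in front of the host is at least flagged for review, because those are exactly the cases where the banner the user taps does not tell them where they are really going.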
Criminals could also place malicious QR codes on legitimate advertising sites.
In the physical world, QR codes on road signs and street furniture that are read by in-car navigation devices could be manipulated to misdirect victims to a location of the attacker's choosing.
CyberInt reports that in Asia criminals have been found sticking their own malicious QR codes over merchants' authentic QR stickers.
In a press statement emailed to SC Media UK, Elad BenMeir, CyberInt vice-president of marketing, warns, “Having conducted a risk assessment, organisations should determine if there are any benefits to using QR codes outside of specific internal applications such as material tracking. Should the risk outweigh the benefits, QR tracking should be disabled. Another consideration businesses need to consider is their policy/governance of the use of the new iPhone as part of the corporate device network and also as their BYOD policy.”