The increasing adoption of Quick Response (QR) codes on retail goods, signposts and e-tickets is combining with the latest smartphone operating systems to create a perfect storm.
The official release of iOS 11 on September 19 introduced the ability to use the device's camera to natively scan Quick Response (QR) codes on Apple devices without the need for third-party applications. This increased ease-of-use is in response to the growing popularity of QR codes.
With iOS 11, Apple has chosen to enable QR scanning by default within the camera app, so it runs every time the user points the device at a QR code. Whether the device is an iPhone, iPad or iPod touch, once the camera detects a QR code in the frame it interprets the data and notifies the user to 'tap' to open the QR code's content.
This effectively makes anyone scanning the increasingly prevalent, postage-stamp sized QR code matrices with an Apple device vulnerable to unknowingly loading malicious content of the kind designed to compromise a corporate network. In terms of cyber-risk, it is broadly equivalent to opening an email attachment from an unknown source. Even when QR codes are scanned in an appropriate setting such as a retail outlet or an airport, there is no absolute way of being sure that the QR code has not been tampered with.
Unlike email attachments, QR codes do not merely exist in cyber-space; they frequently have a physical presence in public places, which makes them easy to tamper with. Rather than having to navigate through cyber-security filters and defences, all the threat actor has to do is use sleight of hand to replace an existing QR code with a spoof one, secure in the knowledge that small QR matrices are as indistinguishable from one another as snowflakes to the glance of a human eye.
The danger of suffering a major security breach is particularly acute for business travellers and their organisations when visiting those geographies where QR codes are being adopted fastest. Having originally been devised by the Japanese car industry, universal adoption in cities such as Nanjing (China) and Abu Dhabi (UAE) has resulted in 'smart' street signs that provide details of the location. Abu Dhabi's street addressing scheme "Onwani" introduces QR codes to building numbers; residents of Jinan (Shandong Province) are implementing "door plates" with QR codes that link to information about the area as well as providing homeowners with a way of updating their information without having to visit the local police station. In London, QR codes have already started to appear on advertising posters and in retailers, as well as on different types of tickets and coupons.
As the codes become more ubiquitous in countries such as the UK, they are increasingly likely to become effective attack vectors. The use of spoof QR codes in electronic payments has been widely reported in China, with victims inadvertently making payments to a threat actor rather than to the legitimate retailer or service provider. Spoof QR codes can also be used to direct people to fake corporate websites or advertising pages and offer them fake “bargains” in exchange for their credit card details.
This threat is one which straddles both the physical world and cyber-space. In some geographies, business travellers will not only risk being hacked, they could also easily be placed in physical danger. If signposts and street furniture were posted with malicious codes, a threat actor could, for example, misdirect a targeted executive to a prepared location for kidnapping.
Socially engineered attacks such as those described rely on exploiting the human element, the weakest part of any defence perimeter. Staff using mobile devices connected to the corporate network should be instructed not to scan QR codes in easily accessible places, as a threat actor could easily place a spoof QR code over a legitimate one. Staff using Android and older Apple OSs should also be told to ensure that their QR code app displays the URL to which they are being directed before opening it, enabling them to avoid suspicious or shortened URLs.
A more effective option is to disable QR scanning on enterprise devices altogether, except for those staff who need it to scan specific materials. Companies with bring-your-own-device (BYOD) policies would be advised to consider disabling QR functionality on staff smartphones (Apple iOS 11: within "settings" > "camera", disable "scan QR codes") or, for devices running an Android OS, simply disabling the QR app.
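The advice above is to look at the decoded URL before opening it and to treat shortened or otherwise opaque links as suspect. The following is an added example, not code from the article or from CyberInt, of a triage check a mobile-security team could apply to a decoded QR payload; the shortener list, the trusted-host list and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed list of URL-shortener hosts: a shortened link hides the real
# destination, which is exactly what the article tells staff to avoid.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
# Constructed allow-list of hosts the organisation expects its QR codes to use.
TRUSTED_HOSTS = {"example.com", "www.example.com"}


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload as allow / warn / block with reasons."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    # Non-web payloads (tel:, sms:, WIFI:, mailto:) trigger device actions
    # rather than a browser visit; surface them for a human decision.
    if scheme not in ("http", "https"):
        return {"verdict": "warn", "url": text,
                "reasons": [f"non-web payload scheme '{scheme or 'none'}'"]}
    host = (parts.hostname or "").lower()
    if not host:
        return {"verdict": "block", "url": text, "reasons": ["no host in URL"]}

    reasons = []
    if scheme == "http":
        reasons.append("plain http: destination can be rewritten in transit")
    if parts.username or parts.password:
        reasons.append("credentials embedded in URL: look-alike prefix trick")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible look-alike domain")
    if host in SHORTENER_HOSTS:
        reasons.append("URL shortener hides the real destination")

    if host in TRUSTED_HOSTS and not reasons:
        verdict = "allow"
    elif host in SHORTENER_HOSTS or parts.username or parts.password:
        verdict = "block"
    else:
        verdict = "warn"
        if not reasons:
            reasons.append("host not on the trusted list")
    return {"verdict": verdict, "url": text, "reasons": reasons}
```

The check deliberately never fetches the URL; it only reasons about the decoded string, so it is safe to run on a device before the user decides whether to tap.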
With QR codes already being widely exploited by cyber criminals in some geographies, companies need to take charge of their own QR strategies to protect themselves against cyber-attacks, as organised criminal gangs and industrial spies begin to misuse the rapidly blossoming QR landscape.
Elad Ben-Meir is vice-president of marketing at Israel-based cyber-security company CyberInt.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.