QR stands for “Quick Response” and QR codes are square-shaped machine-readable data formats that are useful for anything that needs to be scanned automatically. Before the QR code, there was a bar code and several other variants that are used for the same purpose of aiding faster data read and entry.
QR codes are increasingly being used in more areas of productivity than ever before. They are used on application login pages (WhatsApp, Telegram, Alibaba), business cards, product packaging, Wi-Fi login, and airline tickets amongst others. The increased usage has made QR code a tool for attackers. On the other hand, the systems, users, and devices that scan, process, and use the data encoded in the QR code have become targets for hackers.
There are several tools available that generate malicious QR codes and they even encode custom-made payloads in QR code. QR codes can contain up to 4,296 ASCII characters, therefore, giving attackers the opportunity to encode many malicious data. These attacks are successful because the human eye cannot decode QR codes. We rely on the scanners to decode the QR code and by the time they do, the attacker has probably met her objective because simply scanning the code with the expected device is enough to cause the expected compromise.
As mentioned earlier, the payloads target the scanners and the systems that process the encoded data. The system processing the data could be a database, a web page, or a desktop/server/mobile application so payloads that exploit the major vulnerabilities affecting these systems can be encoded in the QR code. Some of the attacks that can be run using QR codes are SQL injection, cross-site scripting, command injection, format string, XML external entities, string fuzzing, server-side include injection, and directory traversal amongst others.
Apart from delivering payloads, QR code is also used in a social engineering attack now called “QRLJacking”. The primary aim of QRLJacking is to gain unauthorized access to a user account. This is achieved by tricking a user into scanning a QR code relayed by an attacker, therefore, signing the attacker into the user’s account. This attack is successful when chained to other types of attack such as delivering a malicious URL via phishing or a DNS compromise that redirects to an attacker-controlled web page. This attack has so far seen success against users of the following apps and services: WhatsApp, WeChat, QQ Instant Messaging, Alibaba, Aliexpress, and Yandex Money amongst others.
Mitigating QR code Attacks
Mitigating the attacks from QR codes is similar to other forms of controls we already know about. User input should not be trusted so developers should try as much as possible to validate and sanitize all user-supplied QR codes (data) before processing.
The scanning devices and the systems that process the data should be resistant to attacks. This can be achieved by running comprehensive security tests to identify and patch all discovered vulnerabilities.
Users should ensure that the QR code they scan is from trusted sources. The already known measures taken to prevent social engineering are useful here. Users have to be wary of phishing emails, avoid using public Wi-Fi for sensitive transactions, etc.