Attack of the QR codes
Give it a try with your mobile!
Don’t worry, no barcode on this blog post is malicious
Scary attack underway!
This image is a Quick Response code.
You’ve probably seen one before, as it’s often used to hold a website address that a mobile can scan, so that nobody has to type the whole address by hand.
The obvious risk with QR codes is that they can send you to a malicious address, for malware delivery or phishing, so make sure your scanning app shows you the decoded URL and asks for confirmation before opening it!
However, this QR code hides a secret: a second barcode, of a different type, sits inside the QR code. That inner barcode could be malicious. Not every scanning application will see it, but some (typically readers that try several barcode types on the same picture) will: very sneaky!
This is the… Attack of the QR codes !!!
(~ scary music playing ~)
How is it possible?
Barcodes use error correction, so that even when they are torn or badly printed, the data can still be recovered. QR codes use Reed-Solomon codes with four selectable levels, L, M, Q and H, which tolerate the loss of roughly 7%, 15%, 25% and 30% of the codewords respectively. So even if you overwrite part of the picture, the code may still decode:
So, in the middle, you can paste a barcode of another kind, small enough to stay within that error-correction budget: the outer QR code still decodes, the inner barcode may be readable too, and nothing obvious tells your eye that two codes are there:
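To make the mechanism concrete, here is an added example in Python. It is not code from the original post, nor from the paper linked below, and it rests on two assumptions that are also stated in the code: the symbol is a Version 1 QR code at level H (9 data codewords plus 17 error-correction codewords, 26 in total), and the 9-byte payload is a made-up sample. It implements the Reed-Solomon code QR uses (GF(2^8) with field polynomial 0x11d, generator base 2, first root alpha^0), encodes the payload, overwrites a run of consecutive codewords the way a barcode pasted over part of the symbol would, and checks whether the original data still comes out of the decoder. Module layout, masking and codeword interleaving are left out, so "destroy codeword k" is a codeword-level stand-in for "paint over that region".

```python
PRIM = 0x11d  # x^8 + x^4 + x^3 + x^2 + 1: the GF(2^8) field polynomial used by QR codes
EXP, LOG = [0] * 510, [0] * 256  # antilog/log tables; EXP doubled so gf_mul needs no modulo
_x = 1
for _i in range(255):
    EXP[_i], LOG[_x] = _x, _i
    _x = (_x << 1) ^ (PRIM if _x & 0x80 else 0)  # times alpha = 2, reduced mod PRIM
EXP[255:510] = EXP[:255]

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

# Polynomials are coefficient lists, highest degree first: a codeword's byte order is its
# coefficient order, as in the QR bit stream.
def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return r

def poly_eval(p, x):  # Horner's rule
    y = 0
    for c in p:
        y = gf_mul(y, x) ^ c
    return y

def generator_poly(nsym):  # (x - a^0)(x - a^1)...(x - a^(nsym-1)), first root a^0 as in QR
    g = [1]
    for i in range(nsym):
        g = poly_mul(g, [1, EXP[i]])
    return g

def rs_encode(data, nsym):  # systematic: data bytes followed by nsym parity bytes
    gen, parity = generator_poly(nsym), [0] * nsym
    for b in data:  # long division by gen(x), shift-register style
        coef = b ^ parity[0]
        parity = parity[1:] + [0]
        for j in range(nsym):
            parity[j] ^= gf_mul(coef, gen[j + 1])
    return list(data) + parity

def error_locator(synd, nsym):  # Berlekamp-Massey; lam(x) = prod(1 - X_k x), constant term last
    lam, old = [1], [1]
    for i in range(nsym):
        delta = synd[i]  # discrepancy between the current recurrence and syndrome i
        for j in range(1, len(lam)):
            delta ^= gf_mul(lam[-(j + 1)], synd[i - j])
        old = old + [0]  # old(x) *= x
        if delta:
            if len(old) > len(lam):
                old, lam = [gf_mul(c, EXP[255 - LOG[delta]]) for c in lam], [gf_mul(c, delta) for c in old]
            lam = [a ^ b for a, b in zip(lam, [0] * (len(lam) - len(old)) + [gf_mul(c, delta) for c in old])]
    while lam[0] == 0:  # the constant term is always 1, so this terminates
        lam = lam[1:]
    if 2 * (len(lam) - 1) > nsym:
        raise ValueError("more errors than the code can locate")
    return lam

def gf_solve(A, b):  # Gauss-Jordan over GF(256); callers pass a nonsingular system
    n = len(b)
    M = [row + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c])
        M[c], M[p] = M[p], M[c]
        M[c] = [gf_mul(v, EXP[255 - LOG[M[c][c]]]) for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [v ^ gf_mul(M[r][c], w) for v, w in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]

def rs_decode(codeword, nsym):  # data bytes back, correcting up to nsym // 2 bad codewords
    n = len(codeword)
    synd = [poly_eval(codeword, EXP[i]) for i in range(nsym)]  # all zero iff no errors
    lam = error_locator(synd, nsym)
    # Byte k is the coefficient of x^(n-1-k), so its locator X_k = a^(n-1-k) is a root of the
    # reversed locator polynomial: test every position (Chien search).
    pos = [k for k in range(n) if poly_eval(lam[::-1], EXP[n - 1 - k]) == 0]
    if len(pos) != len(lam) - 1:
        raise ValueError("error locator has the wrong number of roots")
    # With positions known, S_i = sum_k e_k X_k^i is a Vandermonde system in the error values.
    A = [[EXP[((n - 1 - k) * i) % 255] for k in pos] for i in range(len(pos))]
    fixed = list(codeword)
    for k, e in zip(pos, gf_solve(A, synd[:len(pos)])):
        fixed[k] ^= e
    if any(poly_eval(fixed, EXP[i]) for i in range(nsym)):  # never hand back garbage
        raise ValueError("correction did not yield a valid codeword")
    return fixed[:n - nsym]

def survives_overwrite(data, nsym, first, count):
    # Destroy `count` consecutive codewords from index `first`, as a barcode pasted over that
    # part of the symbol would, and report whether the original data still decodes.
    cw = rs_encode(data, nsym)
    for k in range(first, first + count):
        cw[k] ^= 0xA5  # any non-zero change counts as one corrupted codeword
    try:
        return rs_decode(cw, nsym) == list(data)
    except ValueError:
        return False

def qr_v1_h_survives(count):  # Version 1, level H: 9 data + 17 EC codewords, corrects 8 of 26
    return survives_overwrite(list(b"http://x/"), 17, 5, count)  # constructed 9-byte payload
```

Calling qr_v1_h_survives(8) returns True and qr_v1_h_survives(9) returns False: up to 8 of the 26 codewords (about 30%) can be overwritten and the symbol still decodes, while the ninth pushes it past what the decoder can locate, and the decoder then refuses (the root-count and final-syndrome checks) rather than returning garbage. That budget is exactly the room an overlaid barcode has to fit in; the same payload generated at level L, with only 7 error-correction codewords and 3 correctable ones, leaves it far less.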
So be careful: before you act on a scanned result, double-check what was actually decoded (both the content and the barcode type), and only then confirm!
A bit more knowledge
- to learn: the Wikipedia page has many technical details, nicely explained.
- to experiment: an online generator, and an online decoder
- to explore: an impressive halftone QR code generation technique (the image is IN the barcode, not over the barcode)
- the original paper presenting this QR code attack, with detailed experiments
The most important part
In 2015, every security risk needs a logo, so here it is: