Difference between revisions of "QR Codes"

From SI410
(Edited some sentence structure/grammar/punctuation, reformatted wording to improve readability and decrease wordiness, more edits to come)
(Edited some sections to have a more neutral voice, altered some grammar structures, added the final two references, reworded cited portions to be more distinct from article of origin)
Line 14: Line 14:
  
 
==Ethical Implications==
 
==Ethical Implications==
QR codes have a variety of uses and can connect users to information very easily and quickly. Since they require minimal technical skills to utilize, they can be applicable to a variety of settings as mentioned above <ref name="Education"/>. However, it is crucial to note the ethical implications of QR codes, particularly because they can be used for malicious intent and phishing.  
+
Since QR codes require minimal technical skills to utilize, they are a versatile and quick method of connecting users to information.<ref name="Education"/> However, there are ethical concerns surrounding QR codes, such as phishing.
  
Attackers that intend to override QR codes in some fashion are likely doing it for malicious intent. The most frequently reported attack is social engineering, which is the art of manipulating people to reveal confidential information to the social engineer for the engineer to in turn steal their data <ref name="Security"/>. A common practice utilized by these hackers is phishing, which is when the attacker attempts to steal information by impersonating a trustworthy entity <ref> Jagatic, T., Johnson, N. et al. (2007, October). Social Phishing Volume 50 Issue 10. Communications of the ACM. https://dl.acm.org/doi/fullHtml/10.1145/1290958.1290968?casa_token=aKPSW2sVqnMAAAAA:OH7v7hXko3P8lyga-GNd8zQMqD_AS_QcAULLPg3M7Ln17OeJ9uLZHogaIJhtgc97saukLp3-A8up</ref>. Information that could be stolen could include but is not limited to usernames, passwords, addresses, contacts, and credit card information.  
+
Individuals that attempt to override QR codes are likely doing it with malicious intent. Social engineering, the act of convincing people to disclose confidential information that is then stolen, is the most common type of attack.<ref name="Security"/> Phishing is a type of social engineering and a common practice used by hackers in which the attacker attempts to steal the information by pretending to be an organization or person that the subject trusts.<ref>Jagatic, T., Johnson, N. et al. (2007, October). Social Phishing Volume 50 Issue 10. Communications of the ACM. https://dl.acm.org/doi/fullHtml/10.1145/1290958.1290968?casa_token=aKPSW2sVqnMAAAAA:OH7v7hXko3P8lyga-GNd8zQMqD_AS_QcAULLPg3M7Ln17OeJ9uLZHogaIJhtgc97saukLp3-A8up</ref><ref>Cybersecurity and Infrastructure Security Agency. (2020, August 20). <i>Avoiding Social Engineering and Phishing Attacks</i>. https://us-cert.cisa.gov/ncas/tips/ST04-014</ref> Information that could be stolen includes but is not limited to usernames, passwords, addresses, contacts, and credit card information.
  
 
===Two Forms of Attack===
 
===Two Forms of Attack===
The two main attack vectors to exploit QR codes are where the attacker replaces the entire QR code and when the attacker modifies individual modules of the QR code <ref name="Security"/>. When the attacker replaces the entire QR code, they create a new QR code with a malicious link encoded and paste it over an already existing QR code <ref name="Security"/>. The other form of attack involves modifying the encoded content by changing the color of specific modules of the QR Code, where the user will be directed after scanning the code <ref name="Security"/>.
+
The two primary attack strategies are 1) replacing the entire QR code and 2) modifying individual parts of it.<ref name="Security"/> When the attacker replaces the entire code, rather than eliminate the old one entirely, they layer a new QR code with the malicious link encoded over the pre-existing one.<ref name="Security"/> The second form of attack involves modifying the encoded content by changing the color of specific parts of the QR Code which affects where the user is redirected after scanning the code.<ref name="Security"/>
  
 
===Twitter Incident 2012===
 
===Twitter Incident 2012===
[[File:Jestertwitter.png|thumb|right|350px||center|The Jester's Current Twitter Profile<ref>https://twitter.com/th3j35t3r</ref>]]
+
[[File:Jestertwitter.png|thumb|right|350px|center|The Jester's Current Twitter Profile<ref>https://twitter.com/th3j35t3r</ref>]]
The Jester, a self-described patriotic hacker (@th3j35t3r on Twitter), claimed to have executed a multilayered attack where he broke into mobile phones of various leaders and copied incriminating data <ref name="NBC">Wagenseil, Paul. (2012, March 13). Anti-Anonymous hacker threatens to expose them. NBC News. SecurityNewsDaily. https://www.nbcnews.com/id/wbna46716942</ref>. Data is valuable, hence why there are hackers who try to steal it. The Jester’s main targets were English-language websites that recruit followers for al-Qaida (a militant Islamic movement) <ref name="NBC"/>. To execute his hack, he changed his Twitter profile picture to a QR code. When users went to the website from the QR code, it connected the user to a server network named Netcat <ref name="NBC"/>. Further, Netcat would see if the user’s device had Twitter and if it was a target phone, then it would send the username to the Jester’s server. The Jester used these usernames to analyze if they were associated with Anonymous news sites and chat rooms, Islamist recruiting sites, and WikiLeaks <ref name="NBC"/>. Lastly, the Jester would try to steal the data from the targeted phone, which could include messages, call logs, emails, and contacts <ref name="NBC"/>. This invasion of privacy is unethical and the convenience of making and implementing a QR has potential dangers and harms for smartphone users.
+
The Jester, a "self-described patriotic hacker" (@th3j35t3r on Twitter), used QR code technology in an alleged multi-layered attack against world leaders in which he broke into their mobile phones and copied incriminating data.<ref name="NBC">Wagenseil, Paul. (2012, March 13). Anti-Anonymous hacker threatens to expose them. NBC News. SecurityNewsDaily. https://www.nbcnews.com/id/wbna46716942</ref> NBC reported that the Jester’s main targets were websites that recruited followers for [https://en.wikipedia.org/wiki/Al-Qaeda Al-Qaeda]. According to NBC, to execute the attack, he changed his Twitter profile picture to a QR code. When users went to the website from the QR code, it connected them to a server that determined if the user had a Twitter account and if their device was a target phone. The Jester's server then received the target usernames and used them to analyze if the usernames were associated with "Anonymous news sites and chat rooms, Islamist recruiting sites and WikiLeaks." The Jester then attempted to steal phone data, including messages, emails, contacts, and call logs, from the targeted phones.<ref name="NBC"/> These "hacktivists" have been surrounded by ethical questions about its morality, with some arguing they have no moral code and some claiming they follow their own societal norms.<ref>Scott, T., Cupp, O. (2018). <i>Ethics of Hacktivism.</i> The Simons Center. https://thesimonscenter.org/wp-content/uploads/2018/05/Ethics-Symp-pg143-148.pdf</ref>
  
 
===Conclusion of Ethical Implications===
 
===Conclusion of Ethical Implications===
While the ethical implications presented could, unfortunately, reveal confidential information to a malicious hacker, QR codes provide a fast and convenient means to give information from one user to the next. Instead of having to type in a long URL, the users can hold their phone over a QR code at any angle for a moment and the link is brought up. The primary challenge associated with harmful QR codes is informing the user of the incident, and it would be beneficial to add a verification process that is transparent to the user and/or warnings to let the user know of possible threats before they enter the dangerous URL or open the media <ref name="Security"/>.
+
While the ethical implications presented could, unfortunately, reveal confidential information to a malicious hacker, QR codes provide a fast and convenient means to give information from one user to the next. Instead of having to type in a long URL, the users can hold their phone over a QR code at any angle for a moment and the link is brought up. The primary challenge associated with maliciously compromised QR codes is informing the user of the incident. Krombholz et. al suggest that it would be beneficial to add a verification process that is transparent to the user, or warnings to let them know of possible threats before they open dangerous URLs or media.<ref name="Security"/>
  
 
==References==
 
==References==
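Review bot: In the Twitter Incident 2012 paragraph the rewrite turns "mobile phones of various leaders" into an attack "against world leaders", which is a stronger claim than the removed text made and should be checked against the cited NBC article before it stands. The new closing sentence of that paragraph also has a pronoun mismatch ('These "hacktivists" have been surrounded by ethical questions about its morality'); "their" would agree with the subject. In the Conclusion paragraph, "Krombholz et. al" should read "Krombholz et al.".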

Revision as of 15:45, 19 March 2021

A QR (Quick Response) code is a unique, two-dimensional barcode.[1] This code is a form of information technology that stores alphanumeric characters as text or URLs, allowing smartphone users to be redirected to a link provided by an organization or person. Whereas barcodes only use horizontal information, QR codes can contain information that is both horizontal and vertical.[2] During the COVID-19 pandemic, QR codes experienced a rise in popularity as a solution to avoid multiple customers handling the same menus or employees having to sanitize menus in between customers.[3] They allow customers to use their phones to scan these black-and-white codes and get taken to the menu within a few seconds. While they are convenient, many argue this form of information technology also has ethical implications.
QR Codes and their amount of data.[4]

Background

History

A standard one-dimensional barcode.[5]

In 1994, under lead developer Masahiro Hara, the company Denso Wave invented QR codes.[6] People found that regular barcodes could not store enough information, which led to limitations on their usage.[2] For example, a code 129 barcode, as seen on the right, is a high-density, one-dimensional barcode that can encode letters, numbers, special characters, and control codes. These barcodes can only hold 48 characters of information. Even the most sophisticated one-dimensional barcode can only hold up to 85 characters.[5] In contrast, a QR code can hold up to 7,089 characters, almost 150 times as much information as a one-dimensional code 129 barcode.[6]

Usage

Position Detecting Patterns on a QR Code[7]

QR codes are read by mobile phones with camera capabilities or QR scanners. Humans cannot manually interpret QR codes, nor can they be read by traditional laser scanners.[8][9] In their article QR Codes in Education, Law and So describe how position detection patterns at three corners of the code are used to read them at any orientation and direction. They describe how QR codes can even be tilted or on a curved surface and still successfully display the information embedded within the code. The device used to read the code then interprets the message and displays information or performs an action on the user's device.[6] QR codes can be used to link to URLs, for payment, to log in to a website, to view a restaurant menu, to display multimedia content, and more.[10]

Types of QR Codes

There are many types of QR codes. The original QR code, called Model 1, could store up to 1,167 numerals.[11] The most commonly used version today is the Model 2, with a limit of 7,089 characters.[6] Additionally, there is a smaller version of the standard QR code called the Micro QR code, which is limited to 35 numeric characters. Its benefit is its smaller size, which allows it to be displayed in smaller spaces than the Model 1 and Model 2. Though organizations typically use the Model 2, there are forty different varieties of QR code with distinct data capacities, such as: iQR, Frame QR, Secure QR Code, and LogoQ.[12]

Ethical Implications

Since QR codes require minimal technical skills to utilize, they are a versatile and quick method of connecting users to information.[6] However, there are ethical concerns surrounding QR codes, such as phishing.

Individuals that attempt to override QR codes are likely doing it with malicious intent. Social engineering, the act of convincing people to disclose confidential information that is then stolen, is the most common type of attack.[12] Phishing is a type of social engineering and a common practice used by hackers in which the attacker attempts to steal the information by pretending to be an organization or person that the subject trusts.[13][14] Information that could be stolen includes but is not limited to usernames, passwords, addresses, contacts, and credit card information.

Two Forms of Attack

The two primary attack strategies are 1) replacing the entire QR code and 2) modifying individual parts of it.[12] When the attacker replaces the entire code, rather than eliminate the old one entirely, they layer a new QR code with the malicious link encoded over the pre-existing one.[12] The second form of attack involves modifying the encoded content by changing the color of specific parts of the QR Code which affects where the user is redirected after scanning the code.[12]

Twitter Incident 2012

The Jester's Current Twitter Profile[15]

The Jester, a "self-described patriotic hacker" (@th3j35t3r on Twitter), used QR code technology in an alleged multi-layered attack against world leaders in which he broke into their mobile phones and copied incriminating data.[16] NBC reported that the Jester’s main targets were websites that recruited followers for Al-Qaeda. According to NBC, to execute the attack, he changed his Twitter profile picture to a QR code. When users went to the website from the QR code, it connected them to a server that determined if the user had a Twitter account and if their device was a target phone. The Jester's server then received the target usernames and used them to analyze if the usernames were associated with "Anonymous news sites and chat rooms, Islamist recruiting sites and WikiLeaks." The Jester then attempted to steal phone data, including messages, emails, contacts, and call logs, from the targeted phones.[16] These "hacktivists" have been surrounded by ethical questions about their morality, with some arguing they have no moral code and some claiming they follow their own societal norms.[17]

Conclusion of Ethical Implications

While the ethical implications presented could, unfortunately, reveal confidential information to a malicious hacker, QR codes provide a fast and convenient means to give information from one user to the next. Instead of having to type in a long URL, the users can hold their phone over a QR code at any angle for a moment and the link is brought up. The primary challenge associated with maliciously compromised QR codes is informing the user of the incident. Krombholz et al. suggest that it would be beneficial to add a verification process that is transparent to the user, or warnings to let them know of possible threats before they open dangerous URLs or media.[12]
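
The warning step suggested above, sketched as an added example (not code from this article or from the cited paper): a scanner-side check that inspects a decoded QR payload and collects warnings to show before anything is opened. The function name, the rules it applies and the shortener list are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list of link-shortener hosts (illustrative, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def qr_payload_warnings(payload: str) -> list[str]:
    """Return warnings to show the user before opening a decoded QR payload.

    Hypothetical helper: an empty list means none of the rules below fired,
    not that the destination is safe.
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["payload is not a well-formed URL"]
    if not parts.scheme or not host:
        return ["payload is not a web link; display it as text, do not act on it"]

    warnings = []
    if parts.scheme != "https":  # urlsplit already lower-cases the scheme
        warnings.append(f"link uses '{parts.scheme}' instead of https")
    if parts.username is not None:
        # Text before '@' is user info, so the real destination is `host`.
        warnings.append(f"text before '@' is not the site; real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a raw IP address ({host}), not a named site")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"host {host} is punycode and may imitate another name")
    if host in SHORTENER_HOSTS:
        warnings.append(f"{host} is a link shortener; final destination is hidden")
    return warnings


if __name__ == "__main__":
    # Constructed payloads standing in for what a scanner might decode.
    for sample in ("https://www.example.com/menu",
                   "http://192.0.2.10/login",
                   "https://example.com@xn--exmple-cua.test/",
                   "https://bit.ly/abc"):
        print(sample, "->", qr_payload_warnings(sample) or "no warnings")
```

Because a replaced or altered code looks the same to the person scanning it, showing the resolved host and these warnings before navigation is the point at which the user can still notice a mismatch.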

References

  1. Encyclopedia Britannica. (n.d.). QR Code. In britannica.com. Retrieved March 18, 2020, from https://www.britannica.com/technology/QR-Code.
  2. Stein, Adriana. (2020, January 1) How QR Codes Work and Their History. QR Code Generator. https://www.qr-code-generator.com/blog/how-qr-codes-work-and-their-history/
  3. Luna, N. (2020, July 14). Tech tracker: restaurants are turning to QR codes during the coronavirus pandemic for digital menus and contactless payment. Restaurant Hospitality. https://www.restaurant-hospitality.com/technology/tech-tracker-restaurants-are-turning-qr-codes-during-coronavirus-pandemic-digital-menus
  4. http://qrcode.meetheed.com/question7.php
  5. Premier Electronics Inc. (n.d.). Barcode Types - Identification and Understanding. Premier Electronics Inc. https://www.premierelectronics.com/blog/barcode-types-identificaton-understanding#
  6. Law, Ching-yin and So, Simon (2010) QR Codes in Education. Journal of Educational Technology Development and Exchange (JETDE): Vol. 3 : Iss. 1 , Article 7. https://aquila.usm.edu/cgi/viewcontent.cgi?article=1011&context=jetde
  7. https://www.cgap.org/blog/inside-qr-codes-how-black-white-dots-simplify-digital-payments
  8. Rouillard, José. (2009, October 11). Contextual QR Codes. 2008 The Third International Multi-Conference on Computing in the Global Information Technology (iccgi 2008), Athens, Greece, 2008, pp. 50-55. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4591344
  9. name="Premier"
  10. QR Code. (2021, February 7). Wikipedia. https://en.wikipedia.org/wiki/QR_code
  11. Chang, Jae Hwa. (2014, July 30) An introduction to using QR codes in scholarly journals. Science Editing. https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.986.6494&rep=rep1&type=pdf
  12. Krombholz K., Frühwirt P., Kieseberg P., Kapsalis I., Huber M., Weippl E. (2014). QR Code Security: A Survey of Attacks and Challenges for Usable Security. Human Aspects of Information Security, Privacy, and Trust. https://link.springer.com/content/pdf/10.1007%2F978-3-319-07620-1_8.pdf
  13. Jagatic, T., Johnson, N. et al. (2007, October). Social Phishing Volume 50 Issue 10. Communications of the ACM. https://dl.acm.org/doi/fullHtml/10.1145/1290958.1290968?casa_token=aKPSW2sVqnMAAAAA:OH7v7hXko3P8lyga-GNd8zQMqD_AS_QcAULLPg3M7Ln17OeJ9uLZHogaIJhtgc97saukLp3-A8up
  14. Cybersecurity and Infrastructure Security Agency. (2020, August 20). Avoiding Social Engineering and Phishing Attacks. https://us-cert.cisa.gov/ncas/tips/ST04-014
  15. https://twitter.com/th3j35t3r
  16. Wagenseil, Paul. (2012, March 13). Anti-Anonymous hacker threatens to expose them. NBC News. SecurityNewsDaily. https://www.nbcnews.com/id/wbna46716942
  17. Scott, T., Cupp, O. (2018). Ethics of Hacktivism. The Simons Center. https://thesimonscenter.org/wp-content/uploads/2018/05/Ethics-Symp-pg143-148.pdf