Difference between revisions of "QR Codes"

From SI410
Jump to: navigation, search
Line 17: Line 17:
  
 
Individuals that attempt to override QR codes are likely doing it with malicious intent. Social engineering, the act of convincing people to disclose confidential information that is then stolen, is the most common type of attack.<ref name="Security"/> Phishing is a type of social engineering and a common practice used by hackers in which the attacker attempts to steal the information by pretending to be an organization or person that the subject trusts.<ref>Jagatic, T., Johnson, N. et al. (2007, October). Social Phishing Volume 50 Issue 10. Communications of the ACM. https://dl.acm.org/doi/fullHtml/10.1145/1290958.1290968?casa_token=aKPSW2sVqnMAAAAA:OH7v7hXko3P8lyga-GNd8zQMqD_AS_QcAULLPg3M7Ln17OeJ9uLZHogaIJhtgc97saukLp3-A8up</ref><ref>Cybersecurity and Infrastructure Security Agency. (2020, August 20). <i>Avoiding Social Engineering and Phishing Attacks</i>. https://us-cert.cisa.gov/ncas/tips/ST04-014</ref> Information that could be stolen includes but is not limited to usernames, passwords, addresses, contacts, and credit card information.
 
Individuals that attempt to override QR codes are likely doing it with malicious intent. Social engineering, the act of convincing people to disclose confidential information that is then stolen, is the most common type of attack.<ref name="Security"/> Phishing is a type of social engineering and a common practice used by hackers in which the attacker attempts to steal the information by pretending to be an organization or person that the subject trusts.<ref>Jagatic, T., Johnson, N. et al. (2007, October). Social Phishing Volume 50 Issue 10. Communications of the ACM. https://dl.acm.org/doi/fullHtml/10.1145/1290958.1290968?casa_token=aKPSW2sVqnMAAAAA:OH7v7hXko3P8lyga-GNd8zQMqD_AS_QcAULLPg3M7Ln17OeJ9uLZHogaIJhtgc97saukLp3-A8up</ref><ref>Cybersecurity and Infrastructure Security Agency. (2020, August 20). <i>Avoiding Social Engineering and Phishing Attacks</i>. https://us-cert.cisa.gov/ncas/tips/ST04-014</ref> Information that could be stolen includes but is not limited to usernames, passwords, addresses, contacts, and credit card information.
 +
 +
===Two Forms of Attack===
 +
The two primary attack strategies are 1) replacing the entire QR code and 2) modifying individual parts of it.<ref name="Security"/> When the attacker replaces the entire code, rather than eliminate the old one entirely, they layer a new QR code with the malicious link encoded over the pre-existing one.<ref name="Security"/> The second form of attack involves modifying the encoded content by changing the color of specific parts of the QR Code which affects where the user is redirected after scanning the code.<ref name="Security"/>
  
 
===Security Concerns===
 
===Security Concerns===
 
 
QR codes pose significant risks to both end users and enterprises. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Also, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.
 
QR codes pose significant risks to both end users and enterprises. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Also, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.
 
===Two Forms of Attack===
 
The two primary attack strategies are 1) replacing the entire QR code and 2) modifying individual parts of it.<ref name="Security"/> When the attacker replaces the entire code, rather than eliminate the old one entirely, they layer a new QR code with the malicious link encoded over the pre-existing one.<ref name="Security"/> The second form of attack involves modifying the encoded content by changing the color of specific parts of the QR Code which affects where the user is redirected after scanning the code.<ref name="Security"/>
 
  
 
===Twitter Incident 2012===
 
===Twitter Incident 2012===

Revision as of 07:26, 1 April 2021

A QR (Quick Response) code is a unique, two-dimensional barcode.[1] This code is a form of information technology that stores alphanumeric characters as text or URLs, allowing smartphone users to be redirected to a link provided by an organization or person. Whereas barcodes only use horizontal information, QR codes can contain information that is both horizontal and vertical. [2] During the COVID-19 pandemic, QR codes experienced a rise in popularity as a solution to avoid multiple customers handling the same menus or employees having to sanitize menus in between customers.[3] They allow customers to use their phones to scan these black-and-white codes and get taken to the menu within a few seconds. Despite that they are convenient, many argue this form of information technology also has ethical implications.
QR Codes and their amount of data.[4]

Background

History

A standard one-dimensional barcode.[5]

In 1994, under lead developer Masahiro Hara, the company Denso Wave invented QR codes.[6]. People found that regular barcodes could not store enough information, which limited their usage.[2] For example, a Code-129 barcode, as seen on the right, is a high-density, one-dimensional barcode that can encode letters, numbers, special characters, and control codes. These barcodes can only hold 48 characters of information. Even the most sophisticated one-dimensional barcode can only hold up to 85 characters.[5] In contrast, a QR code can hold up to 7,089 characters— almost 150 times as much information as a one-dimensional Code-129 barcode.[6].

Usage

Position Detecting Patterns on a QR Code[7]

QR codes are read by mobile phones with camera capabilities or QR scanners. Humans cannot manually interpret QR codes, nor can they be read by traditional laser scanners.[8] In their article QR Codes in Education, Law and So describe how position detection patterns at three corners of the code are used to read them at any orientation and direction. They describe how QR codes can even be tilted or on a curved surface and still successfully display the information embedded within the code. The device used to read the code then interprets the message and displays information or performs an action on the user's device.[6] QR codes can be used to link to URLs, for payment, to log in to a website, to view a restaurant menu, to display multimedia content, and more.

Types of QR Codes

There are many types of QR codes. The original QR code was called Model 1, able to store up to 1,167 numerals.[9]. The most commonly used version today is the Model 2, with a limit of 7,089 characters.[6] Additionally, there is a smaller version of the standard QR code called the Micro QR code which is limited to 35 numeric characters. Its benefit is in its smaller size, allowing it to be displayed in smaller spaces as compared to the Model 1 and Model 2. Also, there are forty different varieties of QR code with distinct data capacities including the mentioned ones, such as: iQR, Frame QR, Secure QR Code, and LogoQ.[10].

Ethical Implications

Since they require minimal technical skills to utilize, QR codes are a versatile and quick method of connecting users to information.[6] However, there are ethical concerns surrounding QR codes, such as phishing.

Individuals that attempt to override QR codes are likely doing it with malicious intent. Social engineering, the act of convincing people to disclose confidential information that is then stolen, is the most common type of attack.[10] Phishing is a type of social engineering and a common practice used by hackers in which the attacker attempts to steal the information by pretending to be an organization or person that the subject trusts.[11][12] Information that could be stolen includes but is not limited to usernames, passwords, addresses, contacts, and credit card information.

Two Forms of Attack

The two primary attack strategies are 1) replacing the entire QR code and 2) modifying individual parts of it.[10] When the attacker replaces the entire code, rather than eliminate the old one entirely, they layer a new QR code with the malicious link encoded over the pre-existing one.[10] The second form of attack involves modifying the encoded content by changing the color of specific parts of the QR Code which affects where the user is redirected after scanning the code.[10]

Security Concerns

QR codes pose significant risks to both end users and enterprises. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Also, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.

Twitter Incident 2012

The Jester's Current Twitter Profile[13]

The Jester, a "self-described patriotic hacker" (@th3j35t3r on Twitter), used QR code technology in an alleged multi-layered attack against world leaders in which he broke into their mobile phones and copied incriminating data.[14] NBC reported that the Jester’s main targets were websites that recruited followers for Al-Qaeda. According to NBC, to execute the attack, he changed his Twitter profile picture to a QR code. When users went to the website from the QR code, it connected them to a server that determined if the user had a Twitter account and if their device was a target phone. The Jester's server then received the target usernames and used them to analyze if the usernames were associated with "Anonymous news sites and chat rooms, Islamist recruiting sites and WikiLeaks." The Jester then attempted to steal phone data, including messages, emails, contacts, and call logs, from the targeted phones.[14] These "hacktivists" have been surrounded by ethical questions about its morality, with some arguing they have no moral code and some claiming they follow their own societal norms.[15]

Conclusion of Ethical Implications

While the ethical implications presented could, unfortunately, reveal confidential information to a malicious hacker, QR codes provide a fast and convenient means to give information from one user to the next. Instead of having to type in a long URL, the users can hold their phone over a QR code at any angle for a moment and the link is brought up. The primary challenge associated with maliciously compromised QR codes is informing the user of the incident. Krombholz et. al suggest that it would be beneficial to add a verification process that is transparent to the user, or warnings to let them know of possible threats before they open dangerous URLs or media.[10]

References

  1. Encyclopedia Britannica. (n.d.). QR Code. In britannica.com. Retrieved March 18, 2020, from https://www.britannica.com/technology/QR-Code.
  2. 2.0 2.1 Stein, Adriana. (2020, January 1) How QR Codes Work and Their History. QR Code Generator. https://www.qr-code-generator.com/blog/how-qr-codes-work-and-their-history/
  3. Luna, N. (2020, July 14). Tech tracker: restaurants are turning to QR codes during the coronavirus pandemic for digital menus and contactless payment. Restaurant Hospitality. https://www.restaurant-hospitality.com/technology/tech-tracker-restaurants-are-turning-qr-codes-during-coronavirus-pandemic-digital-menus
  4. http://qrcode.meetheed.com/question7.php
  5. 5.0 5.1 Premier Electronics Inc. (n.d.). Barcode Types - Identification and Understanding. Premier Electronics Inc. https://www.premierelectronics.com/blog/barcode-types-identificaton-understanding#
  6. 6.0 6.1 6.2 6.3 6.4 Law, Ching-yin and So, Simon (2010) QR Codes in Education. Journal of Educational Technology Development and Exchange (JETDE): Vol. 3 : Iss. 1 , Article 7. https://aquila.usm.edu/cgi/viewcontent.cgi?article=1011&context=jetde
  7. https://www.cgap.org/blog/inside-qr-codes-how-black-white-dots-simplify-digital-payments
  8. Rouillard, José. (2009, October 11). Contextual QR Codes. 2008 The Third International Multi-Conference on Computing in the Global Information Technology (iccgi 2008), Athens, Greece, 2008, pp. 50-55. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4591344
  9. Chang, Jae Hwa. (2014, July 30) An introduction to using QR codes in scholarly journals. Science Editing. https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.986.6494&rep=rep1&type=pdf
  10. 10.0 10.1 10.2 10.3 10.4 10.5 Krombholz K., Frühwirt P., Kieseberg P., Kapsalis I., Huber M., Weippl E. (2014). QR Code Security: A Survey of Attacks and Challenges for Usable Security. Human Aspects of Information Security, Privacy, and Trust. https://link.springer.com/content/pdf/10.1007%2F978-3-319-07620-1_8.pdf
  11. Jagatic, T., Johnson, N. et al. (2007, October). Social Phishing Volume 50 Issue 10. Communications of the ACM. https://dl.acm.org/doi/fullHtml/10.1145/1290958.1290968?casa_token=aKPSW2sVqnMAAAAA:OH7v7hXko3P8lyga-GNd8zQMqD_AS_QcAULLPg3M7Ln17OeJ9uLZHogaIJhtgc97saukLp3-A8up
  12. Cybersecurity and Infrastructure Security Agency. (2020, August 20). Avoiding Social Engineering and Phishing Attacks. https://us-cert.cisa.gov/ncas/tips/ST04-014
  13. https://twitter.com/th3j35t3r
  14. 14.0 14.1 Wagenseil, Paul. (2012, March 13). Anti-Anonymous hacker threatens to expose them. NBC News. SecurityNewsDaily. https://www.nbcnews.com/id/wbna46716942
  15. Scott, T., Cupp, O. (2018). Ethics of Hacktivism. The Simons Center. https://thesimonscenter.org/wp-content/uploads/2018/05/Ethics-Symp-pg143-148.pdf