Update – Today, March 9, a hacktivist blogger “th3j35t3r” Jesters Court revealed that for the last 5 days, they had replaced their Twitter profile picture with a QR code that sent users to a specially crafted malicious website. The malware on the site actually took advantage of a modifified and updated version of the Webkit vulnerability CVE 2010-1807 and for those susceptible to the issue, it created a back channel from their device back to a remote server that simply waited and listened with NetCat on port 37337.
As noted in the blog post of the 1,200 people that scanned the QR code, over 500 devices reverse shelled back to the listening server. A significant number of those that had inadvertently established a back channel were treated as “valid targets”. The web page HTML code and sanitized shell code are detailed within the blog post.
At this time when the adoption of BYOD continues to accelerate unabated, the writing is on the wall (or blog) that QR Codes are undoubtedly poised to become a very popular malware delivery mechanism. Most all of today’s smart phones are simply defenseless and as-such they clearly represent a significant risk to the enterprise.
Read the original post, dated January 3…
In the simplest of terms a QR code (or Quick Response code) is a two dimensional barcode that can contain up to 4,296 alphanumeric characters. A great marketing tool, QR codes drive prospective customers to a website and interestingly, they can be placed virtually anywhere. Their popularity has of course exploded – one recent study showed that in June of 2011 over 14 million Americans scanned QR Codes with their mobile phone.
But what about the inherent risk of a QR code?
QR codes take URL obfuscation to the next level – the large amount of data they can contain as well as their ability to contain binary data opens a new frontier in URL obfuscation for the bad guys.
Obfuscation of a URL is nothing new – back in 2007 according to Gartner, “URL filtering suffers a fundamental flaw to be an effective security filter: It does not monitor threats in real time.” URL filtering products at that time were missing over 30% of malware-laden websites. Current generation browser URL filtering capabilities with reputation databases and heuristics for the performance of URL filters has markedly improved. However at best the leader still only provides 90% effectiveness and some products still afford a dismal 13% effectiveness.
We have been losing the battle of obfuscated URLs for over a decade and QR codes are yet another tool in the bad guys seemingly unlimited obfuscation arsenal.
But wait, your not scanning QR codes with your desktop PC and its well equipped browser, you’re using your mobile device. Unless you have purposely added a third party product, in all likelihood its browser has no URL filtering capability at all.
Talk about bad timing:
- Malicious URLs are at all time highs – from Q2 2011 to Q4 2011 they are up an additional 89%
- QR scanning growth is exploding – the Mobile Barcode Trend Report provides interesting statics:
o Active users of QR codes is up 525%
o Average number of scans per code is up 39%
- Mobile Marketer reports QR code scanning is up 4,549%
- It’s easy for anyone to create a QR code with any kind of content
- Mobile devices such as iPhones and Androids out of the box are poorly equipped to deal with filtering QR codes and their underlying URLs
- Malicious QR codes are already in use and are making money for the bad guys. It is a certainty that the use of malicious QR codes will expand.
As the use of QR codes gains critical mass, the inherent risks must be addressed sooner than later. Where to begin?
- Educate users to the risks of malicious QR code scanning – most people don’t think twice about it,
- Only use QR code readers that allow the user to confirm any action taken by scanning a QR code and,
- Equip your mobile devices with URL filtering as a second layer of security