QR Tags Can Be Rigged to Attack Smartphones

A blogger has demonstrated how these innocuous tags can be made into cybercrime weapons

The one to the side here says, “Samadhisoft Blog” and is harmless.

You’ve probably seen QR tags thousands of times, from advertisements in the subway to coupon flyers in the mail to products in the supermarket. They look like stamp-size bar codes, a grid of small black-and-white rectangles and squares, usually with bigger black squares in the corners.

A marketer’s dream-come-true, these tiny images are capable of storing and transmitting loads of data directly to the smartphones of interested customers. When a person scans a QR tag with a smartphone, the tag can do any number of things, including taking the user right to the product’s website.

But like any technology, they can also be manipulated to bite the hands — or phones — that feed them. On the mobile security blog Kaotico Neutral, researcher Augusto Pereyra demonstrated how these innocuous QR tags can be made into cybercrime weapons.

In his proof-of-concept hack, Pereyra took a QR tag he created from a free online tag creator and embedded in it the URL for an attack server called evilsite.dyndns.org. When the target smartphone scanned the tag, the browser was directed to the spoofed site and fed malware.

QR tags are touted for their convenience, but it’s that same convenience — coupled with their increasing prevalence — that Pereyra believes could allow them to become dangerous attack vectors. Popular QR tag-scanning software, such as ScanLife, automatically takes mobile browsers to the site embedded within the tag, and while that makes the process quick, it does nothing for its safety.

“This is a serious problem since this is the equivalent of clicking a link with your eyes closed,” Pereyra wrote.
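
One way a scanning app could avoid the blind redirect described above, shown as an added example that is not code from Pereyra's post or from ScanLife. The function name, the warning strings and the one-entry suffix list are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: illustrative suffix list; dyndns.org is the service named in the article.
DYNAMIC_DNS_SUFFIXES = ("dyndns.org",)

def review_scanned_payload(payload: str) -> dict:
    """Decide what a scanner should show the user; it never navigates by itself."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return {"action": "show_text", "host": None, "warnings": ["malformed link"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host:
        # Plain text, tel:, sms: and similar payloads are displayed, not opened.
        return {"action": "show_text", "host": None, "warnings": []}
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http")
    if parts.username or parts.password:
        warnings.append("text before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("numeric address instead of a name")
    except ValueError:
        pass
    if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        warnings.append("dynamic DNS host name")
    # The full host is returned so the UI can display it before the user confirms.
    return {"action": "confirm", "host": host, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads; the first two come from the article's own examples.
    for sample in ("Samadhisoft Blog", "http://evilsite.dyndns.org/",
                   "https://shop.example@203.0.113.7/coupon"):
        print(repr(sample), "->", review_scanned_payload(sample))
```

The result is only ever `show_text` or `confirm`, so the decision to open the link stays with the user, who sees the real host name first.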
