Reflections on things mobile
QR codes as a malware vector

El Reg recently reported on a QR code sticker scam that had featured in a talk at the recent Ovum Banking Technology Forum 2012 in London, which resulted in users being directed to sites other than the one they expected when they scanned the code - and in particular to malware or phishing sites.

According to comScore there were over 3.3 million active QR code users in the UK by September this year, and many more in other countries in the EU, so this is potentially a problem for a lot of people.

This set me thinking about the background to QR codes, both technically and in how they are typically used, and how both of these seem to make them fundamentally vulnerable to this sort of problem.

A QR code is a type of 2D barcode originally developed by Denso Wave in the 90s for tracking parts in automated car production systems. Their ability to directly encode a wide variety of content, robustness against read errors, and suitability for reading by poor quality cameras has led to them becoming widely used in consumer mobile propositions.

On the IP side Denso Wave has specifically chosen not to exercise their patent rights. There are a number of free generic QR code reading apps in the market for the end user to choose from if one is not already pre-installed. There are also a wide range of free tools available to create the codes themselves. It is an entirely open ecosystem.

The content of the code is typically a phone number or a URL - though arbitrary textual content can be encoded. Most readers will try to interpret what sort of content has been read and offer sensible options based on that - e.g. to visit a URL or call/message a phone number etc.

See the Wikipedia page on QR codes for more detail.

The typical use-case for a QR code in the UK is to provide a bridge between physical media (or products) and associated digital content, roughly analogous to simply printing a URL which the user can manually type in, but obviously vastly more acceptable and accessible.

They are being rolled out in marketing activities by a wide range of major brands and you now see them in many magazines and posters out there.

Putting all this together we get the following very scary but very real scenario. Consider a major brand running a poster campaign using QR codes to link the user through to some associated digital content.

The bad guys then create stickers with an alternative QR code which fit exactly over the original and use them to alter the codes on some of the posters. The altered code takes the user to a site controlled by the bad guys that is dressed up to look like it is associated with the brand, and which encourages the user to enter their details to receive some cool brand content for their PC. The bad guys then email out some content packed up with a keylogger trojan.

From the user’s viewpoint they have responded to a call-to-action associated with a trusted brand, the QR code has linked them to a site which looks right, and then they have received the email they were expecting and so they have no qualms about opening the attached content. A few days later, after their next online banking session, they find that their bank account has been cleared out. A few days after that the brand find themselves being associated with entirely the wrong sort of news in the tabloids.

Given the combination of general purpose readers, payload being entirely local to the code, and the codes typically appearing as a “patch” on the main graphic, I don’t see any effective way of combatting this problem.
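Since the payload is local to the code and the reader is general purpose, the only place a reader can intervene is between decoding and acting. The triage below is an added example (not code from the original post or from any reader app): it classifies the decoded payload, extracts the host the user will actually be sent to, and flags the signals that should stop a reader from opening a link automatically. The campaign allowlist, shortener list and sample payloads are constructed for illustration.

```python
"""Reader-side triage of a decoded QR payload (added example, not from the post).

The reader cannot tell a genuine code from a sticker placed over it, so it
classifies what was decoded, shows the user the real destination host, and
warns on signals that make a redirect suspicious. Hypothetical values below.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical: domains the campaign owner has published for this poster run.
CAMPAIGN_DOMAINS = {"example-brand.com", "promo.example-brand.com"}
# Hypothetical: link shorteners, which hide the real destination from the user.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


def classify(payload: str) -> str:
    """Map raw decoded text to the kind of action a reader would offer."""
    p = payload.strip().lower()
    if p.startswith(("http://", "https://")):
        return "url"
    if p.startswith("tel:"):
        return "tel"
    if p.startswith(("sms:", "smsto:")):
        return "sms"
    return "text"


def triage_url(url: str) -> dict:
    """Return the host to show the user plus reasons to warn before opening."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        warnings.append("userinfo before host")  # the text before '@' is not the site
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address as host")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if host in SHORTENERS:
        warnings.append("link shortener hides destination")
    # The check that matters for the sticker scenario: a branded poster should
    # only ever lead to one of the brand's published domains.
    on_allowlist = host in CAMPAIGN_DOMAINS or any(
        host.endswith("." + d) for d in CAMPAIGN_DOMAINS)
    if not on_allowlist:
        warnings.append("host not in campaign allowlist")
    return {"host": host, "warnings": warnings, "open_automatically": not warnings}
```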

Of course there are other alternative approaches out there including visual search, augmented reality, NFC, and digital watermarking etc - though they are typically not quite as easy to deploy. In the context of the problems explored here that might be seen as a good thing!

Playing nice with Stop, or was it STOP?

When I was last involved with premium SMS services back in 2004-6ish the Crazy Frog debacle and the sudden surge in rather questionable premium SMS subscription services gave rise to a new regulator ICSTIS - now PhonepayPlus - who amongst other things created what is now a pretty universally accepted code of practice for managing SMS services.

One particular feature of that code was a standardised “STOP” command for unsubscribing from a service, which is specified in section 2. This mechanism is now implemented in pretty much every SMS subscription service out there whether premium or not.

This sort of easy mechanism to exit a service is key on SMS which is hugely intrusive if abused - much more so than email - and where there are far fewer options for filtering etc.

With all that in mind I was hugely surprised and disappointed by my interactions with T-Mobile over the last few days:

  1. I started to receive unsolicited marketing SMS from T-Mobile’s new You Choose marketing service from shortcodes like 400004, 400044 and 400444 - several of which ended with “…opt out by texting Stop to 400000”.
  2. I texted “Stop” (note that is the default capitalisation in the iPhone message editor - and matches what was asked for in the messages I had received) to 400044 and got a reply telling me to “…confirm your opt-out, please send STOP to 400000”.
  3. I texted “Stop” to 400000 and received no reply at all.
  4. I continued to receive SMS and so asked T-Mobile support on twitter why that was happening. Their response was that I should try sending “STOP” in capitals to 400000!
  5. I texted “STOP” to 40000 and got a response saying that I had asked to opt-out but to “…confirm your opt-out, please send STOP to 400000”. I texted “STOP” to the same code again and got a confirmation that I was unsubscribed.
  6. On querying the necessity for all upper case (which is relatively awkward to produce on iPhone anyway) T-Mobile stated that it is “usually typed in capitals”!

I think most folks would agree that this was an unnecessarily awkward and unhelpful process - which the conspiracy theorist might think was aimed at making it as hard as possible to unsubscribe.

Beyond the question of why they subscribed me in the first place the key questions are:

  • the need to send STOP to a shortcode other than the one the message originated from. The code says that this should only be done if there is a good reason e.g. the original code has premium charges associated with it.
  • the need to send STOP in capitals in order for it to be recognised. Section 2.1 of the code clearly states that it should work with *any* combination of case - and in more practical terms String.equalsIgnoreCase() has been around for quite a long time!
  • the need to send it a second time as confirmation. It is hardly likely to be sent accidentally and there is a real danger the user doesn’t bother reading the first reply and assumes the job is done.

While this is not a premium service (as far as I know?) and so they aren’t strictly bound to follow the code, these are really basic issues of SMS service design and it is bizarre that a mobile operator can’t get this right in 2012!
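An inbound STOP handler that behaves the way the three points above say it should, as an added example (not code from the original post or from T-Mobile): STOP is recognised in any combination of case, on the same shortcode the marketing message came from, and takes effect on the first message with no confirmation round-trip. The exact-match function beside it models the behaviour described in the post. The shortcodes are the ones quoted above; the subscriber number is constructed.

```python
"""STOP handling for an SMS subscription service (added example, not from the post).

Models the behaviour the code of practice expects alongside the exact-match
behaviour the post describes. Shortcodes quoted above; the MSISDN is constructed.
"""
import re

# Every shortcode a campaign sends from must also accept STOP.
CAMPAIGN_SHORTCODES = {"400004", "400044", "400444", "400000"}

# Section 2.1 of the code: STOP must work in any combination of case. Also tolerate
# surrounding whitespace/punctuation and the common "STOP ALL" variant.
STOP_RE = re.compile(r"^\s*stop(\s+all)?\s*[.!]*\s*$", re.IGNORECASE)


def is_stop(body: str) -> bool:
    """Case-insensitive STOP recognition, as the code of practice requires."""
    return bool(STOP_RE.match(body))


def strict_is_stop(body: str) -> bool:
    """The behaviour described in the post: only exact upper-case STOP counts."""
    return body == "STOP"


class SubscriptionService:
    def __init__(self):
        self.subscribers = set()

    def subscribe(self, msisdn: str) -> None:
        self.subscribers.add(msisdn)

    def handle_inbound(self, msisdn: str, to_shortcode: str, body: str) -> str:
        """Process one inbound message; returns the reply the user would receive."""
        if to_shortcode not in CAMPAIGN_SHORTCODES:
            return ""  # not one of ours; nothing to do
        if not is_stop(body):
            return "Sorry, command not recognised. Text STOP to opt out."
        # Unsubscribe on the first STOP: no second shortcode, no confirmation
        # step, and harmless if the user sends it again.
        self.subscribers.discard(msisdn)
        return ("You have been unsubscribed and will receive no further "
                f"messages from {to_shortcode}.")

    def may_send_marketing(self, msisdn: str) -> bool:
        return msisdn in self.subscribers
```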

Spellbinder2 - Visual Graffiti hack for OTA12

I had a fun weekend at Bletchley Park taking part in Over The Air. There were plenty of interesting talks as well as a 24 hour hackathon to create an interesting mobile app/service over a variety of categories.

In my day job at Mobile Acuity Ltd. we regularly provide large scale mobile visual search services over a range of customer provided media. I was interested to look beyond that and explore how visual search can be used to form a bridge between objects that people encounter in the real world and the digital conversations about those objects.

This is not an entirely new idea, and in fact Mobile Acuity was formed off the back of a project called Spellbinder which set out to provide something similar using MMS prior to smartphones coming on the scene.

Modern smartphones provide the opportunity to do something similar but with a much lower friction experience for the end user, and so I decided to create Spellbinder2 based on a combination of an Android app and Mobile Acuity’s image search backend.

The concept is visual graffiti - allowing the user to leave digital graffiti on any object they wish, which can then be discovered by the next user who looks up the same object. To keep things simple it only allows a single graffiti on each recognized object - and thus only allows graffiti to be added to objects that it doesn’t yet recognize.

If you want to try it out you can download the app (Android 1.6+ only) from:

http://spellbinder.mobileacuity.net/download/Spellbinder2-0.1.apk

The best way to install it is to allow installs from untrusted sources and then enter that URL directly into the device browser.

Once you have it installed select something nice and recognizable (flat-ish and relatively high detail) and take a pic of it in the app. If someone has already added graffiti the app will display it blended over the image, and otherwise it will allow you to add your own. It should work nicely on most print media, boxed products, books/CDs/DVDs and similar.

Have fun and let us know how you get on,

Geoff.

PS. Caveat emptor - this app is provided purely as a toy for interested folks who saw or heard about my OTA12 presentation to play with, and both the app and the visual search service behind may be withdrawn at any time at Mobile Acuity’s discretion.

Older posts still available on Blogger …

The first iteration of this blog is still available to read on Blogger.