El Reg recently reported on a QR code sticker scam that featured in a talk at the recent Ovum Banking Technology Forum 2012 in London. The scam resulted in users being directed to sites other than the one they expected when they scanned the code - and in particular to malware or phishing sites.
According to comScore there were over 3.3 million active QR code users in the UK by September this year, and many more in other countries in the EU, so this is potentially a problem for a lot of people.
This set me thinking about the background to QR codes, both technically and in terms of how they are typically used, and how both of these seem to make them fundamentally vulnerable to this sort of problem.
A QR code is a type of 2D barcode originally developed by Denso Wave in the 90s for tracking parts in automated car production systems. Their ability to directly encode a wide variety of content, robustness against read errors, and suitability for reading by poor quality cameras have led to them becoming widely used in consumer mobile propositions.
On the IP side, Denso Wave has specifically chosen not to exercise its patent rights. There are a number of free generic QR code reading apps in the market for the end user to choose from if one is not already pre-installed. There is also a wide range of free tools available to create the codes themselves. It is an entirely open ecosystem.
The content of the code is typically a phone number or a URL - though arbitrary textual content can be encoded. Most readers will try to interpret what sort of content has been read and offer sensible options based on that - e.g. to visit a URL or call/message a phone number etc.
See the Wikipedia page on QR codes for more detail.
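The interpretation step described above, as an added example (not code from any particular reader app): a sketch of how a general-purpose reader might classify decoded text and build its prompt. The function names, the schemes handled and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample payloads: what a poster's code and a sticker placed
# over it might each decode to. Neither is a real campaign URL.
POSTER = "https://www.brand.example/campaign"
STICKER = "https://brand-offers.example/campaign"


def classify_payload(text):
    """Return (kind, detail) for the text decoded from a QR code.

    kind is 'url', 'phone', 'message' or 'text'. For a URL, detail is the
    host only, because that is the part a user can sanity-check.
    """
    payload = text.strip()
    scheme, sep, rest = payload.partition(":")
    scheme = scheme.lower()
    if sep and scheme in ("http", "https"):
        try:
            host = urlsplit(payload).hostname
        except ValueError:  # malformed authority, e.g. unbalanced brackets
            host = None
        # No usable host means we cannot say where it leads: plain text.
        return ("url", host) if host else ("text", payload)
    if sep and scheme == "tel" and rest:
        return ("phone", rest)
    if sep and scheme in ("sms", "smsto") and rest:
        # 'smsto:NUMBER:body' carries the message after the number.
        return ("message", rest.split(":", 1)[0])
    return ("text", payload)


def prompt_for(text):
    """Build the confirmation prompt a reader could show before acting."""
    kind, detail = classify_payload(text)
    templates = {
        "url": "Open site at {}?",
        "phone": "Call {}?",
        "message": "Send a message to {}?",
        "text": "Show text: {}",
    }
    return templates[kind].format(detail)


if __name__ == "__main__":
    for sample in (POSTER, STICKER, "TEL:+441632960123", "hello"):
        print(prompt_for(sample))
```

Both sample payloads classify as a URL, so the host name in the prompt is the only thing that differs between the poster's code and a sticker placed over it.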
The typical use-case for a QR code in the UK is to provide a bridge between physical media (or products) and associated digital content, roughly analogous to simply printing a URL which the user can manually type in, but obviously vastly more acceptable and accessible.
They are being rolled out in marketing activities by a wide range of major brands and you now see them in many magazines and posters out there.
Putting all this together we get the following very scary but very real scenario. Consider a major brand running a poster campaign using QR codes to link the user through to some associated digital content.
The bad guys then create stickers with an alternative QR code which fit exactly over the original and use them to alter the codes on some of the posters. The altered code takes the user to a site controlled by the bad guys that is dressed up to look like it is associated with the brand, and which encourages the user to enter their details to receive some cool brand content for their PC. The bad guys then email out some content packed up with a keylogger trojan.
From the user’s viewpoint they have responded to a call-to-action associated with a trusted brand, the QR code has linked them to a site which looks right, and then they have received the email they were expecting and so they have no qualms about opening the attached content. A few days later, after their next online banking session, they find that their bank account has been cleared out. A few days after that the brand find themselves being associated with entirely the wrong sort of news in the tabloids.
Given the combination of general purpose readers, payload being entirely local to the code, and the codes typically appearing as a “patch” on the main graphic, I don’t see any effective way of combatting this problem.
Of course there are other alternative approaches out there, including visual search, augmented reality, NFC, and digital watermarking - though they are typically not quite as easy to deploy. In the context of the problems explored here that might be seen as a good thing!