Microservices Expo Authors: Hollis Tibbetts, Liz McMillan, Elizabeth White, Yeshim Deniz, Ian Khan

Related Topics: Cloud Security, Mobile IoT, Microservices Expo

Cloud Security: Article

Quick Response, Quick Risk?

The risks presented by QR codes are really a new spin on well-established hacking tricks and exploits

Quick Response (QR) codes are intended to help direct users quickly and easily to information about products and services, but they are also starting to be used for social engineering exploits. This article looks at the emergence of QR scan scams and the rising concern for users today.

You don't have to look far these days to spot a QR code. From their humble beginnings in labelling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.

QR codes are a jumping-off point from the offline to the online world. By simply scanning the code with your smartphone, people can quickly access the digital content triggered by the code - making them a marketer's dream because they make it easy to direct users toward information and services. What's more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.

However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware. While the concept of ‘drive-by downloads' is already well established as a stealthy tactic for stealing user data when web browsing, QR codes offer a new method for manipulating mobile users in a similar way.

A Matter of Trust
The issue with QR codes is that it forces users to trust the integrity of the code's provider and assume that the destination it leads to is legitimate. This is almost impossible for individuals to gauge because the QR code actually conceals the site and content it leads to. While social engineering exploits have evolved from the email worms of the early 2000s, they still rely on human curiosity to see what might happen when users click on an attachment or a QR code is scanned, which often leads to security problems.

Furthermore, QR code-scanning applications running on smartphones can provide a direct link to other smartphone capabilities, such as email, SMS, location-based services and application installations - further extending the potential risks to mobile devices. Let's look at how a potential QR code-based exploit could be mounted, and then at how to defend against it.

Code Read
The first step in mounting a QR exploit is to distribute the code, to get it in front of potential victims. This could happen by embedding the QR code in an email - making it an elaborate phishing exploit - or by distributing plausible-looking physical documents with QR code on them, for example flyers at a trade show, or even stickers applied to genuine advertisement billboards.

Once the QR code is distributed, the attacker has a multitude of scam options to choose from. At a basic level, the code could simply redirect users to fake websites for phishing purposes - such as a fake online store or a payment site.

More sophisticated exploits involve hackers using the QR code to direct users to websites that will ‘jailbreak' their mobile device - that is, allow root access to the device's operating system and install malware. This is essentially a drive-by download attack on the device, enabling additional software or applications, such as key loggers and GPS trackers, to be installed without the user's knowledge or permission.

Targeting the Mobile Wallet
Perhaps the biggest potential risk to users is the rising use of mobile banking and payments via smartphones. With the ability of QR codes to jailbreak devices and tap into applications, this could give hackers virtual pick-pocket access to mobile wallets, especially as QR-based payment solutions already exist and are in use. While the uptake of these is currently small, it will grow as public acceptance of QR codes increases.

What can organizations and individual users do to mitigate the risks from QR codes? The most important precaution is being able to establish exactly what link or resource the QR code is going to launch when it's scanned. Some (not all) QR scanning applications give this visibility and - critically - ask the user to confirm if they wish to take the action. This gives users the opportunity to assess the link's validity before the code is activated.

For corporate smartphones, consider deploying data encryption so that even if a malicious QR code manages to install a Trojan on the device, sensitive data is still protected and not immediately accessible or usable by hackers.

In conclusion, the risks presented by QR codes are really a new spin on well-established hacking tricks and exploits. The security basics still apply - be cautious about what you scan, and use data encryption where possible. Or put simply: look before the QR leap.

More Stories By Tomer Teller

Tomer Teller is security evangelist at Check Point. During his six years at Check Point, he has been working as a researcher and developer on variety of large scale projects, as well as a speaker at multiple IT security conferences and lecturer at Check Point headquarters.

Specialized in both high-level and low level software engineering, Teller devotes his free time to various projects and original security research. He holds a BS in computer science and is a proud owner of a patent in the field of browser exploitation.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@MicroservicesExpo Stories
A completely new computing platform is on the horizon. They’re called Microservers by some, ARM Servers by others, and sometimes even ARM-based Servers. No matter what you call them, Microservers will have a huge impact on the data center and on server computing in general. Although few people are familiar with Microservers today, their impact will be felt very soon. This is a new category of computing platform that is available today and is predicted to have triple-digit growth rates for some ...
Without lifecycle traceability and visibility across the tool chain, stakeholders from Planning-to-Ops have limited insight and answers to who, what, when, why and how across the DevOps lifecycle. This impacts the ability to deliver high quality software at the needed velocity to drive positive business outcomes. In his general session at @DevOpsSummit at 19th Cloud Expo, Eric Robertson, General Manager at CollabNet, will discuss how customers are able to achieve a level of transparency that e...
SYS-CON Events announced today that Enzu will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to focus on the core of their online busine...
@DevOpsSummit has been named the ‘Top DevOps Influencer' by iTrend. iTrend processes millions of conversations, tweets, interactions, news articles, press releases, blog posts - and extract meaning form them and analyzes mobile and desktop software platforms used to communicate, various metadata (such as geo location), and automation tools. In overall placement, @DevOpsSummit ranked as the number one ‘DevOps Influencer' followed by @CloudExpo at third, and @MicroservicesE at 24th.
24Notion is full-service global creative digital marketing, technology and lifestyle agency that combines strategic ideas with customized tactical execution. With a broad understand of the art of traditional marketing, new media, communications and social influence, 24Notion uniquely understands how to connect your brand strategy with the right consumer. 24Notion ranked #12 on Corporate Social Responsibility - Book of List.
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, will discuss the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docke...
The reason I believe digital transformation is not only more than a fad, but is actually a life-or-death imperative for every business and IT executive on the planet is simple: there will be no place for an “industrial enterprise” in a digital world. Transformation, by definition, is a metamorphosis from one state to another, wholly new state. As such, a true digital transformation must be the act of transforming an industrial-era organization into something wholly different – the Digital Enter...
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
In his session at 19th Cloud Expo, Claude Remillard, Principal Program Manager in Developer Division at Microsoft, will contrast how his team used config as code and immutable patterns for continuous delivery of microservices and apps to the cloud. He will show the immutable patterns helps developers do away with most of the complexity of config as code-enabling scenarios such as rollback, zero downtime upgrades with far greater simplicity. He will also have live demos of building immutable pipe...
Application transformation and DevOps practices are two sides of the same coin. Enterprises that want to capture value faster, need to deliver value faster – time value of money principle. To do that enterprises need to build cloud-native apps as microservices by empowering teams to build, ship, and run in production. In his session at @DevOpsSummit at 19th Cloud Expo, Neil Gehani, senior product manager at HPE, will discuss what every business should plan for how to structure their teams to d...
When we talk about the impact of BYOD and BYOA and the Internet of Things, we often focus on the impact on data center architectures. That's because there will be an increasing need for authentication, for access control, for security, for application delivery as the number of potential endpoints (clients, devices, things) increases. That means scale in the data center. What we gloss over, what we skip, is that before any of these "things" ever makes a request to access an application it had to...
SYS-CON Events announced today that Transparent Cloud Computing (T-Cloud) Consortium will exhibit at the 19th International Cloud Expo®, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. The Transparent Cloud Computing Consortium (T-Cloud Consortium) will conduct research activities into changes in the computing model as a result of collaboration between "device" and "cloud" and the creation of new value and markets through organic data proces...
The evolution of JavaScript and HTML 5 to support a genuine component based framework (Web Components) with the necessary tools to deliver something close to a native experience including genuine realtime networking (UDP using WebRTC). HTML5 is evolving to offer built in templating support, the ability to watch objects (which will speed up Angular) and Web Components (which offer Angular Directives). The native level support will offer a massive performance boost to frameworks having to fake all...
In many organizations governance is still practiced by phase or stage gate peer review, and Agile projects are forced to accommodate, which leads to WaterScrumFall or worse. But governance criteria and policies are often very weak anyway, out of date or non-existent. Consequently governance is frequently a matter of opinion and experience, highly dependent upon the experience of individual reviewers. As we all know, a basic principle of Agile methods is delegation of responsibility, and ideally ...
Today every business relies on software to drive the innovation necessary for a competitive edge in the Application Economy. This is why collaboration between development and operations, or DevOps, has become IT’s number one priority. Whether you are in Dev or Ops, understanding how to implement a DevOps strategy can deliver faster development cycles, improved software quality, reduced deployment times and overall better experiences for your customers.
Apache Hadoop is a key technology for gaining business insights from your Big Data, but the penetration into enterprises is shockingly low. In fact, Apache Hadoop and Big Data proponents recognize that this technology has not yet achieved its game-changing business potential. In his session at 19th Cloud Expo, John Mertic, director of program management for ODPi at The Linux Foundation, will explain why this is, how we can work together as an open data community to increase adoption, and the i...
JetBlue Airways uses virtual environments to reduce software development costs, centralize performance testing, and create a climate for continuous integration and real-time monitoring of mobile applications. The next BriefingsDirect Voice of the Customer performance engineering case study discussion examines how JetBlue Airways in New York uses virtual environments to reduce software development costs, centralize performance testing, and create a climate for continuous integration and real-tim...
All clouds are not equal. To succeed in a DevOps context, organizations should plan to develop/deploy apps across a choice of on-premise and public clouds simultaneously depending on the business needs. This is where the concept of the Lean Cloud comes in - resting on the idea that you often need to relocate your app modules over their life cycles for both innovation and operational efficiency in the cloud. In his session at @DevOpsSummit at19th Cloud Expo, Valentin (Val) Bercovici, CTO of So...
Virgil consists of an open-source encryption library, which implements Cryptographic Message Syntax (CMS) and Elliptic Curve Integrated Encryption Scheme (ECIES) (including RSA schema), a Key Management API, and a cloud-based Key Management Service (Virgil Keys). The Virgil Keys Service consists of a public key service and a private key escrow service. 

SYS-CON Events announced today that eCube Systems, the leading provider of modern development tools and best practices for Continuous Integration on OpenVMS, will exhibit at SYS-CON's @DevOpsSummit at Cloud Expo New York, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. eCube Systems offers a family of middleware products and development tools that maximize return on technology investment by leveraging existing technical equity to meet evolving business needs. ...