
I just started reading a little on QR code, so I'm not entirely familiar with QR Code capabilities, but a thought crossed my mind today.

I scanned a QR Code on a postcard I received, and it immediately took me to a website.

Just like URL shorteners, is there any protection from obscuring a malicious site in the QR code?

I also noticed you can use QR Code for multiple other things such as VCards, YouTube videos, etc...

Can you embed code that then gets executed on the client when scanned?

Again, I just started reading around, so my understanding of this technology is pretty feeble, but primarily what I'm looking for is some ideas of potential threats from scanning QR codes, as well as potential mitigation techniques.

This question was IT Security Question of the Week.
Read the May 4, 2012 blog entry for more details or submit your own Question of the Week.

Purge

2 Answers


A QR code is nothing more than an encoding of data. URLs being encoded as QR codes are just one specific usage. As you say, it suffers the same problems as URL-shorteners in that you might never actually know where it goes until it takes you there. However, any decoder could provide a safe landing zone before allowing a browser to be launched.

Because the QR code can encode any data up to a specific maximum, the use of the QR code is only limited by the applications which scan them and make use of the data. This allows a wide and blind attack area. Furthermore, the decoder itself could have a variety of buffer overflows to exploit.

logicalscope

The mitigation is very simple, and some QR code scanners already do this:

Don't go straight to the URL, but display it in full instead, so the user can validate it first.

However, this isn't as user-friendly, so often the apps just take you straight to the website. If that URL is malicious (which is very easy - it could take you to any website) then your device could be instantly compromised. Game over.

Rory Alsop
    What if the QR code leads to a URL shortened link which then leads to malicious page? Then you're really screwed I guess :) – emtunc Feb 01 '12 at 20:22
  • That's why you use plugins that display the redirect - actually, I wonder if there is one for browsers on phones. – Rory Alsop Feb 01 '12 at 20:23
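The "safe landing zone" from the first answer and the "display the URL in full" mitigation from the second, plus the redirect concern raised in the comments, can be put together in one piece of scanner-side logic. The following is an added example, not code from either answer or from any real QR scanner app: it classifies a decoded payload, never opens anything that is not an http/https URL, walks the redirect chain so a shortened link shows its real destination, and renders a preview with warnings for the user to validate before an "Open" button is offered. The names `preview`, `classify`, `render`, `SHORTENER_HOSTS` and `demo_resolver` are assumptions of this example; `CONSTRUCTED_HOPS` is a constructed redirect table standing in for real HEAD requests so the code runs offline.

```python
# Added example: safe-preview logic for a QR scanner (not from the original post).
# It implements the mitigation described in the answers: show the full URL, and the
# redirect chain behind it, before the user decides whether to open it.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

MAX_HOPS = 5  # stop following redirects after this many hops

# Constructed sample of shortener hosts; a real scanner would maintain its own list.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}

# One redirect hop: given a URL, return its Location header target or None.
Resolver = Callable[[str], Optional[str]]


@dataclass
class Preview:
    kind: str                                   # "url", "vcard" or "text"
    raw: str                                    # decoded payload exactly as scanned
    chain: List[str] = field(default_factory=list)      # URLs visited, first to last
    warnings: List[str] = field(default_factory=list)

    @property
    def final_url(self) -> Optional[str]:
        return self.chain[-1] if self.chain else None


def classify(payload: str) -> str:
    """Decide how the scanner treats the payload; only 'url' is ever opened."""
    p = payload.strip()
    if p.upper().startswith("BEGIN:VCARD"):
        return "vcard"
    return "url" if urlsplit(p).scheme else "text"


def preview(payload: str, resolve: Resolver) -> Preview:
    """Build the landing-zone preview instead of launching the browser."""
    pv = Preview(kind=classify(payload), raw=payload)
    if pv.kind != "url":
        return pv  # vCards and plain text are displayed, never executed or opened
    scheme = urlsplit(payload).scheme  # urlsplit lowercases the scheme
    if scheme not in ("http", "https"):
        pv.warnings.append(f"non-web scheme '{scheme}': not opened")
        return pv
    pv.chain.append(payload)
    for _ in range(MAX_HOPS):
        nxt = resolve(pv.chain[-1])
        if nxt is None:
            break
        pv.chain.append(nxt)
    else:  # loop exhausted without reaching a final page
        pv.warnings.append(f"more than {MAX_HOPS} redirects: destination unknown")
    hosts = [urlsplit(u).hostname or "" for u in pv.chain]
    if any(h in SHORTENER_HOSTS for h in hosts):
        pv.warnings.append("link passes through a URL shortener")
    if hosts[0] != hosts[-1]:
        pv.warnings.append(f"scanned host {hosts[0]} differs from destination {hosts[-1]}")
    if urlsplit(pv.chain[-1]).scheme != "https":
        pv.warnings.append("destination is not https")
    return pv


def render(pv: Preview) -> str:
    """Text shown to the user before any 'Open' button is offered."""
    lines = [f"type: {pv.kind}"]
    if pv.kind == "url":
        lines.append("redirect chain:")
        lines += [f"  {i}. {u}" for i, u in enumerate(pv.chain, 1)]
    else:
        lines.append(f"content: {pv.raw[:60]}")
    lines += [f"WARNING: {w}" for w in pv.warnings]
    return "\n".join(lines)


# Constructed redirect table standing in for network HEAD requests (offline demo).
CONSTRUCTED_HOPS: Dict[str, Optional[str]] = {
    "http://bit.ly/abc": "https://example.com/landing",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}


def demo_resolver(url: str) -> Optional[str]:
    return CONSTRUCTED_HOPS.get(url)


if __name__ == "__main__":
    for payload in ("http://bit.ly/abc", "https://loop.example/a",
                    "BEGIN:VCARD\nFN:Example\nEND:VCARD", "tel:+15555550100"):
        print(render(preview(payload, demo_resolver)), end="\n\n")
```

In a real app `demo_resolver` would be replaced by a function issuing a HEAD request with redirects disabled and returning the `Location` header; the hop limit keeps a redirect loop from hanging the scanner, and the host-difference warning is what makes a shortened link visible for what it is.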