17

What are the security risks of scanning a QR code from an untrusted source?

If the QR code was constructed by an attacker, what can the attacker do to me? Do widely used QR scanners have any known vulnerabilities? What information can be stored in a QR code, how is it handled by QR scanners, and how could this be used by an attacker?

I know a QR code can contain a URL, and many readers will launch a browser to that URL, so a QR code could be used as a launching point to mount any attack that can successfully be exploited against my browser. Is there anything else? Can other data be stored in a QR code and automatically processed by the scanner?

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • See also this related question: [Malicious QR Code and Mitigation - IT Security - Stack Exchange](http://security.stackexchange.com/questions/11255/malicious-qr-code-and-mitigation) – nealmcb Apr 11 '12 at 05:58
  • 2
    Related: [Cusiosity Pwned the Cat - th3j35t3r blog](https://th3j35t3r.wordpress.com/2012/03/09/curiosity-pwned-the-cat/) – Gurzo Apr 11 '12 at 09:17

4 Answers4

11

This are some risks you can face:

  1. If the QR code linked you to a poisonous website, this site can try to exploit your browser, the danger depends if your browser is secure or have vulnerabilities and of the type of explotation.

  2. The QR code can exploit the scanner application, this exploit can be performed by an intentionally corrupt QR code, this code can affect the process of the scanner application, obviously the exploit only can have success if the scanner application is vulnerable. Like in the first case the danger depends of the type of explotation.

References

QR code - Wikipedia

Dan
  • 126
  • 4
10

You must never trust in user input, no matter if it is a string, a bar code or a QR code.

All of them can exploit your application. Eg. SQL injection.

This paper on QR Code security, the section on "QR CODES AS ATTACK VECTORS" includes more vectors.

Bonus: I don't know if this is a joke or really true, but it makes sense:

enter image description here [picture of SQL injection string on a licence plate]

schroeder
  • 123,438
  • 55
  • 284
  • 319
Victor Casé
  • 281
  • 1
  • 5
  • Thanks, Victor! +1, helpful. That said: I was asking a slightly different question. I know that if *I* were building the code to handle the contents of a QR code, I shouldn't trust its input. Agreed. But I'm still curious: What are the risks associated with deployed systems that happen to use QR codes? What are the issues to beware of, given that I'm not the developer of those systems but merely a user? – D.W. Apr 11 '12 at 04:47
  • 4
    Isn't that Bobby Tables' car? https://xkcd.com/327/ – Iszi Apr 11 '12 at 18:26
1

A QR code can contain a URL with tracking information.

Suppose a malicious party posts leaflets in letterboxes asking people to scan a QR code to sign an online petition. They record the addresses of the signers using tracking codes and can tell which house voted which way.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Timothy Baldwin
  • 121
  • 1
  • @HashimAziz by encoding the house address in the URL parameters or recording which house got which URL... – schroeder Mar 15 '22 at 15:26
0

Samsung USSD remote wipe attack can be performed with a QR code embedding a url/tel link. Eko Party Video.

Or can even pwn your kernel with a url to a pdf. Jailbreakme V3.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Ajith
  • 203
  • 2
  • 8