How resistant are barcodes and QR-codes against attempts to change stored data?

Question

Assume we want to protect a document against manipulating and forging. So, we encode some sensitive information of the document and store it in a QR-code inserted in the document.

Can we be sure that an attacker is not able to change and modify the stored data in the QR-code? And if it is possible to modify it, how difficult is it for an attacker to do so? In other words, how secure is a QR-code?

UPC has some minor protection from accidental or intentional corruption built-in. The first and second half of the bar-code have the meaning of black/white inverted in the encoding. And the last digit is a checksum calculated from the rest of the digits in the code. This does nothing to protect from someone putting a sticker over the barcode on a product, though. — nbering, Sep 23 '18 at 21:58
To echo @nbering's point, completely replacing the barcode is something commonly done by shoplifters in the supermarket, by using a barcode belonging to an item of lesser monetary value, and hoping the cashier doesn't look at the price/description info. _Having_ a barcode, QR code, or any sort of other "validation" data is worthless unless you actually and completely verify the data. — Clockwork-Muse, Sep 24 '18 at 18:05
It’s also commonly done by shop-keepers when a barcode as received is different or in conflict with their inventory system. Makes it even easier to exploit. I remember a case where a teenager was replacing iPod barcodes for a $299.99 item with a iPod accessory for $29.99. He’d then pick a young girl cashier and flirt with her while she rang in the sale so she wouldn’t notice the discrepancy. Classic social engineering mixed with a technical exploit. — nbering, Sep 24 '18 at 18:10
It might be more useful to ask a new question on how you can prevent manipulation and forging of documents, rather than to ask a tangential question on an idea you've had to do it. Include why, how motivated you are to do this and what you mean by documents.Tbh, I have ideas on how I'd do it on physical documents, but I'm pretty sure the juice isn't worth the squeeze. — Nathan Cooper, Sep 26 '18 at 10:15

score 113 · Accepted Answer · edited Sep 25 '18 at 09:07

113

... how secure is a QR-code?

Data in a QR code are kind of protected against accidental damage by having some error correction but they are not protected against deliberate manipulation. Also, an attacker might completely replace the QR code in the document with a different one.

edited Sep 25 '18 at 09:07

Novocaine

103
3

answered Sep 23 '18 at 15:54

Steffen Ullrich

184,332
29
363
424

23

Exactly. To protect sensitivie data in a document, we need to address the specific risks by applying appropriate mitigations. A 2d (or 1d) barcode is just data encoding in a format that is better for digital sensor recognition and parsing. If we rely on a QR code to 'hide sensitive data' then we are using obscurity to protect our data. Obscurity is only valid as one of many techniques in a strategy to reduce risk -- by itself obscurity is mostly worthless. Protect data from overt malicious manipulation one needs to consider a hash/checksum/digital signature. – 0xSheepdog Sep 23 '18 at 21:25
6

I wonder if anyone ever managed to vandalize QR codes on public billboards by changing a few pixels with black and white markers so the code is still valid but points to an existing different website. – Philipp Sep 24 '18 at 14:46
8

@Philipp: why painfully change an existing code if you can just replace it in full: [QR code scams rise in China, putting e-payment security in spotlight](https://www.scmp.com/business/china-business/article/2080841/rise-qr-code-scams-china-puts-online-payment-security): *"...By replacing the original QR code used to unlock the bicycle with a fake one, they have been able to cheat users into transferring their money into their own bank accounts...."*. – Steffen Ullrich Sep 24 '18 at 15:18

Paul · Answer 2 · 2018-09-24T10:51:19.477

62

QR codes are normally not protected against manipulation. But:

You could include a digital signature in the data so anyone can check if the QR code is made by you and has not been modified. Then the only thing an attacker can do is replace the QR code by an other QR code you made.

Such an approach wil typically work like this:

On a secure server, a key pair (public key and private key) is generated. The public key can safely be published. The private key never leaves the server.
When a QR code needs to be created, the server calculates the digital signature from the information and the private key. The information together with the digital signature is put in a QR code.
One creates an app for scanning QR codes. The public key is included in the app. An algorithm that takes the public key, the information and the digital signature as input can check whether or not the data in a QR code has been tampered with.

I don't know if there is any standard or good existing software for digital signatures in QR codes.

edited Sep 24 '18 at 10:51

answered Sep 23 '18 at 21:14

Paul

670
4
6

7

A QR code which encodes the digital signature of the containing document might be possible, but there are no official standards doing so. (You need to make sure that the QR signature protects the whole document except for QR code itself, to avoid a chicken-and-egg problem. This requires a clean definition of exactly what _is_ protected) – MSalters Sep 24 '18 at 09:51
2

@MSalters, I read this answer (and question) as the QR code only protecting itself, not the contents of the rest of the document. The rest of the document would presumably be printed, not electronic, so it's not going to be protected with checksums or signatures or anything else like that. – JPhi1618 Sep 24 '18 at 14:41
I guess the idea would probably to put some information like "version xy, published in zzzz" encode them with the key, so someone can match the table of version in the document with what contain the version history. However this will not work with a simple private key, as you could easily switch the one from the server with your own, you would need to put in the QRCode two section of data : a certificate (like SSL) that you can match against a trusted root, and the encoded data. And you would need to write a little specific application for that. – Walfrat Sep 25 '18 at 13:11
1

The only way in which a QR could meaningfully be authenticated would be if one would know, *without having to refer to anything in the code itself*, who is supposed to have issued it, or if only a small number of entities, *all* of whom are trusted, are allowed to issue "authenticated" codes. Neither is practical for most QR usage scenarios. – supercat Sep 25 '18 at 14:51

score 47 · Answer 3 · answered Sep 24 '18 at 17:11

47

A QR code or barcode is just data written in a non-alphabetic format. It offers no more security than you'd get from writing the same data in ordinary text.

answered Sep 24 '18 at 17:11

David Richerby

1,636
12
13

Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/83622/discussion-on-answer-by-david-richerby-how-resistant-are-barcodes-and-qr-codes-a). – schroeder Sep 25 '18 at 12:38

score 8 · Answer 4 · answered Sep 23 '18 at 22:41

QR codes provide no protection against intentional modification.

Document protection can be approached a number of ways depending upon your intent. Verification of content can be done by attaching a digital signature, but there has to be an outside (out of band) verification of your public key to preclude simply replacing the signature key with someone else's signature key. This is common in code downloads where the signature of the code (document) is available via a web site or other out of band check.

Hidden watermarks or other steganographic techniques can help validate a document but it's dependent upon not being detected as opposed to a rigorous cryptographic signature. There are many approaches and their effectiveness is dependent upon distribution and use. For example, custom micro spacing of selected words or letters. Non-standard pie-chart rotations. Extra spaces in selected locations of a digital document. Tiny yellow dots on white paper of a printed document. Many others, but a digital signature is the gold standard.

`> QR codes provide no protection against intentional modification.` Not entirely true. There's redundancy in the QR code, so you can tamper with it up to some amount and it won't even change the value. — RJFalconer, Sep 24 '18 at 19:53
@RJFalconer Fair point but it seems clear that the answer means "no protection against intentional modification by somebody who knows how to write a QR code." After all, you could argue that English also has a lot of redudnancy so you can tampre with it up to sum small amount and it won't much chnage teh value. — David Richerby, Sep 24 '18 at 22:51

score 3 · Answer 5 · answered Sep 25 '18 at 09:50

Barcodes are easy to manipulate. After all, they are just an encoding for a number. Some have redundency, some have checksums, some have no protection at all.

You may like these notes from a talk about barcodes: Jemandem einen Strich auf die Rechnung machen (german title, but english slides).

The speaker had a lot of fun by manipulating different types of barcodes and explains the most basic things how they work, how the manipulation works and which systems were vulnerable and which ones had enough protection against people messing with the barcodes.

score 2 · Answer 6 · answered Sep 25 '18 at 20:42

A QR code and barcodes are nothing more than machine-readable information. Just because a human can't easily read it doesn't mean it's any type of security.

Barcodes aren't put on things for security, but for ease of use. The reason QR codes (and others like it) exist is because you can put more data in it. In the end, data is data and as long as the data itself isn't secure, neither is the representation.

score 1 · Answer 7 · answered Sep 27 '18 at 11:54

If you mean "modifying the printed barcode and QR code", then it's rather hard because barcode usually stops working if modified, and QR code has some sort of "error correction" and therefore survives through small tampering. It's practically impossible to modify a QR code into another arbitrary one.

But it's just too dumb to modify an existing one. You can print some stickers of a malicious QR/bar and stick it directly over your target. There are already several cases where a thief "steal" money from shops by replacing (adhering a sticker over) their "recipient QR code" that people scans to pay money. For example, here's a real news happened some time ago.

How resistant are barcodes and QR-codes against attempts to change stored data?

7 Answers7