QR Code Security
Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Lindsay Munroe, Sebastian Schrittwieser, Mayank Sinha, Edgar Weippl
SBA Research Favoritenstrasse 16 AT-1040 Vienna, Austria
This paper examines QR Codes and how they can be used to attack both human interaction and automated systems. As the encoded information is intended to be machine readable only, a human cannot distinguish between a valid and a maliciously manipulated QR code. While humans might fall for phishing attacks, automated readers are most likely vulnerable to SQL injections and command injections. Our contribution consists of an analysis of the QR Code as an attack vector, showing diﬀerent attack strategies from the attackers point of view and exploring their possible consequences.
Figure 2: QR Code cards, public transport vehicles, etc. Indeed, this mechanism has a vast number of potential applications [4, 1, 2, 13, 9]. For instance, the sports brand Umbro have embedded QR codes into the collars of England football shirts, sending fans to a secret website where prizes can be won. In this paper, we explore the structure and creation process of QR codes as well as potential attacks against or utilizing QR codes. We give an overview of the error correction capabilities and possible ways to alter both error correction data and payload in order to either modify or inject information into existing codes. Furthermore, we explore numerous vectors that might enable an attacker to exploit either the user’s trust in the content embedded in the code or automated processes handling such codes. Our main contributions are: • to outline possible modiﬁcations to diﬀerent parts of QR Codes such as error correction codes or masking, • to describe resulting attack vectors, both against humans (e.g. phishing attacks) and automated processes...