CyberInt Report - QR Code Threat Landscape PDF

This document discusses the QR code threat landscape. It provides an overview of the history and applications of QR codes, including their increasing usage for payments, identity cards, and location-based information. The document then outlines various threats associated with QR codes, such as counterfeit codes, phishing, malicious URLs and apps, fraud, and identity abuse. It concludes with recommendations for mitigating QR code risks, such as security awareness training, disabling scanning abilities, blocking suspicious services, and protecting QR code data.


Threat Intelligence Report
QR Code Threat Landscape

September 2017

www.cyberint.com

Table of Contents

Introduction
QR Code History
Application
Usage
  One-Tap To Danger?
Threat Landscape
  Counterfeit QR Codes
  Phishing/Malicious URLs
  URL Shorteners
  Malicious Mobile Apps
  Premium Rate Fraud
  Mobile Device Exploits
  Identity Card Abuse
Mitigations
  Security Awareness
  Disable QR Code Scanning
  Service Blocking
  QR Code Data Security




Introduction
Whilst the application and use of Quick Response (QR) codes are nothing new, the official release of
Apple iOS 11 on 19 September 2017 introduced the ability to natively scan QR codes on Apple devices
without the need for third-party applications.

In the past, users wanting to scan QR codes, be that on Apple iOS or Android-based devices, have
typically needed to install a suitable application and therefore, embedding this functionality within
the mobile operating system has the potential to lead to a resurgence or increase in the use of QR
codes in regions where the uptake has fluctuated over the years.

Given a potential increase in QR code usage and user interest, organisations should take time to
consider and familiarise themselves with the potential security ramifications and risks that the use or
application of QR codes could pose. As with any shift in user behaviour, a surge in QR activity prompted
by Apple iOS users exploring the new features may encourage threat actors to capitalise on the trend
and target users with new innovative, or old recycled, QR code-based attacks.

QR Code History
Originally designed for the Japanese automotive industry, a QR code is a machine-readable matrix
barcode that can efficiently store a variety of data types. In addition to being used for commercial
tracking applications as designed, QR codes gained popularity with consumers using mobile devices,
coined ‘mobile tagging’, to interact with codes displayed in a variety of print and digital applications.

Whilst the practice of mobile tagging is widely popular with users in Asia, and will undoubtedly
continue unabated, the need for users to install a third-party application may go some way to explain
low adoption rates in other regions. Given the release of Apple iOS 11, it remains to be seen if a ‘QR
code renaissance’ occurs in other regions with the introduction of novelty and convenience to a new
community of users, particularly with iOS’ large market share in North America and parts of Europe.

Application
In addition to long-term usage within industry for tagging and tracking materials or stock, most
consumers will have seen QR codes on advertising, event/travel tickets and online applications such
as authenticating to the WhatsApp web application or configuring Google Authenticator (Figure 1).


Figure 1 - WhatsApp 'Web' (left); Google Authenticator (right)

Many organisations simply choose to include a QR code that links to their website however, innovative
marketing such as offering coupons, downloads or linking to location-specific information, may further


entice user interaction. QR code use on products such as food and drink also allows the consumer to
obtain detailed information, for example the origin of fresh produce or nutritional data, that would
otherwise be too large to fit onto product packaging.

The use of QR codes is not limited to these ‘traditional’ applications. Numerous payment solutions,
such as China’s Alipay and WeChat Wallet, allow payments to be made by scanning the recipient’s QR
code, resulting in temples displaying codes and even beggars adopting this method for donations [1].

Whilst QR codes on signs in popular locations worldwide offer tourist and travel information, universal
adoption in cities such as Nanjing (China) and Abu Dhabi (United Arab Emirates) has resulted in ‘smart’
street signs that provide detail of the location, helping both residents and visitors alike. Taking this
one step further, Abu Dhabi’s addressing system ‘Onwani’ [2] introduces QR codes to building numbers
whilst individual homes in Jinan (Shandong Province, China) are reported as implementing
‘doorplates’ with QR codes that link to information about the area as well as providing homeowners
with a method to update their information without visiting their local police station [3].


Figure 2 - Abu Dhabi, UAE ‘Building Number’ (left); Jinan, China 'Doorplate' (right)

The application of QR codes on identity (ID) cards is also gaining popularity as a means to store and
provide additional data in a low-cost, robust format that is resilient to wear and tear. Corporate
deployments can be used for storing more than a simple employee number, be that for building access
control, cashless catering or credential management. For employees working ‘offsite’, QR codes allow
customers to verify the employees’ identity and, as used in the construction industry, their training
and qualifications. Some government-issued IDs have also included QR codes along with other tamper-resistant
measures, such as the Philippines postal identity card released by PHL Post [4] in April 2016.


Figure 3 - Philippine 'PHL Post' Postal Identity Card


[1] http://www.ibtimes.co.uk/beggars-china-now-accepting-donations-via-mobile-payments-qr-codes-1618396
[2] https://onwani.abudhabi.ae/en/media-center/on-gallery/onwani/
[3] http://chinaplus.cri.cn/news/china/9/20170726/11664.html
[4] https://www.phlpost.gov.ph/whats-happening.php?id=3823


Usage
Typically, mobile device users have needed to download third-party apps to scan and interpret the QR
code before handing off the data to an appropriate app, such as the browser, to act on. Many of these
generic ‘scanning’ apps are available from the various app stores and marketplaces, although some apps
embed QR code scanning capabilities for their own specific use, such as payment service apps or those
supporting QR codes as a form of authentication.

With the release of Apple iOS 11, Apple has chosen to add QR scanning functionality, enabled by
default, within the camera app, which allows users to simply launch the camera app and point their
device at a QR code. Dependent on the Apple device used, be that an iPad, iPhone or iPod Touch, once
the camera has detected a QR code within the frame, it will interpret the data and notify the user to
‘tap’ and perform an appropriate action using native iOS apps (Table 1).

QR Code Type   Action
Calendar       Adds an event to the user’s calendar.
Contacts       Adds a contact, with associated data, to the user’s contact list.
HomeKit        Configures an Apple HomeKit (‘smart-home’ framework) device; the QR code is scanned within the HomeKit app.
Mail           Composes a new email with prepopulated recipient, subject and message body.
Maps           Opens a map centred on the specified location.
Messages       Composes a new SMS/iMessage (dependent on recipient) with prepopulated recipient number and message body.
Phone          Dials a predefined telephone number.
Text           Searches the web for the provided text using Safari.
Website        Opens the provided URL in Safari.
Wi-Fi          Prompts to join, and subsequently configures, a wireless network with predefined SSID, encryption and key (supports ‘hidden’ networks).

Table 1: Apple iOS 11 QR Code Handling

One-Tap To Danger?
Given the way that Apple iOS 11, and many other QR apps, handle QR codes, users are effectively only
one tap away from nefarious content. This, coupled with the fact that users can become desensitised
to notifications, may result in them missing or ignoring the subtle warning indicators.

With the Apple iOS 11 ‘Contacts’, ‘Mail’, ‘Messages’ and ‘Wi-Fi’ QR code actions, the user needs to
complete additional manual steps before the action is performed. However, QR codes interacting with
the calendar, maps, phone and browser (in this case, Safari) are performed immediately after the
initial tap on the QR code notification.

In lieu of more prevalent warnings and security measures, users should be educated and reminded of
the risks associated with interacting with content of an unknown provenance.
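As an added illustration of the handling described in Table 1 and in the paragraph above (example code written for this edit, not taken from the report or from Apple), the following Python routes a decoded QR payload to its handler category and flags which handlers act on the first tap. The prefix conventions (vCard, MeCard, WIFI:, tel:, sms:, geo:, mailto:) are the common QR content formats; grouping a plain-text web search with the browser as immediate is an assumption, and the sample payload list is constructed.

```python
"""Triage decoded QR payloads by handler and by whether the handler acts on
the first tap (immediate) or needs further manual steps (confirmation)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Handlers the report describes as acting immediately after the initial tap.
# Assumption: 'text' (a Safari web search) is grouped with the browser case.
IMMEDIATE = {"calendar", "maps", "phone", "website", "text"}

# (pattern, handler kind), tested in order; anything unmatched is plain text.
RULES = [
    (r"^BEGIN:(VCALENDAR|VEVENT)", "calendar"),
    (r"^(BEGIN:VCARD|MECARD:)", "contacts"),
    (r"^(mailto:|MATMSG:)", "mail"),
    (r"^geo:", "maps"),
    (r"^(sms|smsto):", "messages"),
    (r"^tel:", "phone"),
    (r"^https?://", "website"),
    (r"^WIFI:", "wifi"),
]


@dataclass
class Triage:
    kind: str        # handler category from Table 1
    immediate: bool  # True if the handler acts without further confirmation
    detail: str      # the field a reviewer most wants to see first


def classify(payload: str) -> Triage:
    """Map one decoded QR payload to its handler and extract the key detail."""
    p = payload.strip()
    kind = next((k for pat, k in RULES if re.match(pat, p, re.IGNORECASE)), "text")
    if kind == "website":
        detail = urlsplit(p).hostname or ""
    elif kind in ("phone", "messages"):
        # tel:+15550100 / sms:+15550100?body=... / SMSTO:+15550100:text
        detail = re.split(r"[?:]", p.split(":", 1)[1], maxsplit=1)[0]
    elif kind == "wifi":
        m = re.search(r"S:([^;]*);", p)       # S:<ssid>; field of a WIFI: payload
        detail = m.group(1) if m else ""
    elif kind == "maps":
        detail = p[4:].split("?")[0]          # coordinates after 'geo:'
    else:
        detail = (p.splitlines() or [""])[0][:40]
    return Triage(kind, kind in IMMEDIATE, detail)


def immediate_actions(payloads):
    """Return (kind, detail) for every payload whose handler fires on first tap;
    these are the ones to review before anyone is invited to scan them."""
    return [(t.kind, t.detail) for t in map(classify, payloads) if t.immediate]


# Constructed sample payloads for the demonstration.
SAMPLES = [
    "https://www.example.com/menu",
    "tel:+15550100",
    "WIFI:T:WPA;S:CafeGuest;P:constructed-pass;H:true;;",
    "BEGIN:VEVENT\nSUMMARY:All-hands\nEND:VEVENT",
    "BEGIN:VCARD\nFN:Jane Doe\nEND:VCARD",
    "geo:24.4539,54.3773",
    "Just a slogan",
]

if __name__ == "__main__":
    for kind, detail in immediate_actions(SAMPLES):
        print(f"{kind:9} fires on first tap -> {detail}")
```

Run against a batch of payloads decoded from printed material, the report's list of immediate handlers (calendar, maps, phone, browser) is exactly the set that comes back; a contact or Wi-Fi payload is held for the user's manual steps and is not listed.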

Threats
As with any ‘new’ feature, many Apple iOS 11 users will likely be keen to explore QR codes by scanning
anything and everything they encounter. The resulting increase in users within some regions has the
potential to become self-fulfilling, with a greater prevalence of QR codes leading to more usage.

Although this may be regarded as an old technology to some, organisations and mobile device users
should be made aware of the potential attack vectors that QR codes bring, especially as the codes are
not ‘human readable’. Whilst many organisations may seek to address these threats through mobile
device controls, non-corporate device users should also be reminded of the potential risk that their
personal devices pose.

Although the QR code itself cannot be ‘hacked’ without visually changing it or taking over its
destination, the fact that it is not human-readable is an inherent vulnerability. The ability to
‘authenticate’ or ‘filter’ a QR code, for example before following a link, is seriously limited and therefore
users are unlikely to be able to differentiate between legitimate and nefarious content (Figure 4).


Figure 4 – Users are unlikely to spot the difference between a legitimate (left) and a potentially nefarious (right) QR code.

From a threat actor’s perspective, the first objective will be to generate and place the QR code in a
position from which it can be scanned by the victim. Having achieved this, any one of a number of
attack methods can then be leveraged in order to meet their objectives.


Counterfeit QR Codes
Whilst requiring significant effort, an advanced threat actor could theoretically seek to infiltrate and
compromise an organisation that deploys QR codes in order to replace them with illegitimate
‘weaponised’ codes. For example, a threat actor infiltrating an advertising company and replacing QR
codes before they are printed on posters or in a magazine would likely go undetected given the
difficulty in visual inspection, more so if the nefarious action mimics the legitimate action such as using
a URL which appears visually similar.

Resulting in a similar outcome, albeit arguably a low-tech attack, a threat actor could simply prepare
printed QR codes of an appropriate size which are affixed over legitimate codes, be that on an
advertisement, sign or other publicly accessible location. In the case of QR codes used for electronic
payments, this tactic has already been widely reported in China, with victims inadvertently making
payments to a threat actor rather than the intended retailer or service provider [5].

In addition to QR code replacement, threat actors could generate new material that includes a QR
code and display this in a target area rather than compromising an existing QR code deployment. For
example, displaying fake advertising in public locations or targeting the employees and customers of
a specific organisation by preparing and distributing legitimate-looking business cards containing a
nefarious QR code.

Threats are potentially not limited to cyber-attacks, especially given the application of QR codes in the
physical world. For example, if QR codes embedded into road signs and street furniture were utilised
by automated navigation systems, or even just pedestrians seeking directions, a threat actor could
manipulate the codes to misdirect or divert victims to a specific location for their own nefarious
means.

Phishing/Malicious URLs
Social engineering attacks that coerce victims into scanning a QR code could be used to direct them
to a site mimicking a legitimate brand, stealing their personal data, or to a malicious site that seeks to
exploit their mobile device. Whilst these attacks rely on the victim both scanning the nefarious QR
code and ‘tapping’ on any notification to open the site in their browser, the original source of the QR
code, for example, affixed to legitimate advertising or delivered physically, may lower the victim’s
guard.

Apple iOS 11’s website QR code scanning implementation seeks to somewhat protect users from
common phishing techniques by only displaying the domain in the prompt. By hiding URLs that have
been crafted to appear legitimate through a convoluted subdomain or folder structure, it is hoped
that victims will recognise that the domain is not as expected.

Given this, phishing QR code URLs such as ‘www.phishedbrand.com.security.example.com’ or
‘www.example.com/phishedbrand.com/security/’ would, once scanned, appear in the website QR
code notification as ‘Open “example.com” in Safari’. Furthermore, Apple iOS 11 users can ‘swipe’ the
notification to display a site preview, which could provide a further indication of whether the site is legitimate.

An additional form of QR code-based phishing comes in the form of ‘QRL Jacking’, in which a legitimate
authentication QR code is cloned and delivered to a victim via a phishing page. In a proof-of-concept [6]
for this attack, a victim scanned a cloned WhatsApp authentication QR code, presented on a phishing
site and automatically updated when the code expires, resulting in the threat actor gaining access to the
victim’s WhatsApp account, including messages, via the web-based application. Combining an attack
of this nature with techniques such as ‘DNS poisoning’, leading a victim to an IP address hosting the
nefarious implementation rather than the legitimate one, could allow an advanced threat actor to gain
access to mobile devices as part of a larger targeted attack.

[5] http://www.todayonline.com/tech/qr-code-scams-rise-china-putting-e-payment-security-spotlight
[6] http://thehackernews.com/2016/07/qrljacking-hacking-qr-code.html

URL Shorteners
Phishing or malicious QR codes that make use of URL shortening services such as ‘bit.ly’ or ‘goo.gl’
pose an additional threat due to the extra layer of obfuscation, which hides the true URL of the website.

Attackers generating a QR code for a shortened URL, redirecting to the phishing or malicious site, will
arguably negate the benefits of the iOS 11 ‘domain only’ prompt and even the site preview, assuming
the nefarious site appears visually similar to the legitimate site (Figure 5).


Figure 5 - Shortened URL - Legitimate or Nefarious?

This, combined with the method of only displaying the domain to the user when a QR code is scanned,
could allow an attacker to combine techniques to craft a convincing attack.
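Added example (written for this edit; not the report's code and not Apple's implementation): a Python approximation of the domain-only prompt described in the previous section, combined with the shortener check from this one. The registrable-domain rule (last two host labels) is a simplification that a production check would replace with the Public Suffix List, and the shortener list is limited to the two services named in the report.

```python
"""Show a scanned URL the way a domain-only prompt would, and apply the two
checks the report asks users to make: is the domain the expected brand, and
is the destination hidden behind a shortener?"""
from urllib.parse import urlsplit

# Shortener domains named in the report; a deployment would keep a fuller
# list. Constructed for this example.
SHORTENERS = {"bit.ly", "goo.gl"}


def displayed_domain(url: str) -> str:
    """Return the domain as a domain-only prompt would show it.
    Assumption: the last two host labels form the registrable domain; real
    handling needs the Public Suffix List (e.g. for .co.uk)."""
    if "://" not in url:
        url = "https://" + url            # tolerate bare hosts from decoders
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess(url: str, expected_domain: str) -> dict:
    """Apply the Security Awareness checks to one scanned URL."""
    expected = expected_domain.lower()
    shown = displayed_domain(url)
    shortened = shown in SHORTENERS
    # Brand name somewhere in the URL but not in the displayed domain:
    # the subdomain / folder trick the report describes.
    lookalike = expected in url.lower() and shown != expected
    if shortened:
        verdict = "shortened URL: destination hidden, resolve before opening"
    elif lookalike:
        verdict = "brand appears in URL but not in domain: likely phishing"
    elif shown == expected:
        verdict = "domain matches expected brand"
    else:
        verdict = "domain does not match expected brand"
    return {"displayed": shown, "shortened": shortened,
            "lookalike": lookalike, "verdict": verdict}


if __name__ == "__main__":
    # The two crafted URLs from the report plus a shortened and a genuine one.
    for u in ("https://www.phishedbrand.com.security.example.com/login",
              "https://www.example.com/phishedbrand.com/security/",
              "https://bit.ly/abc123",
              "https://www.phishedbrand.com/login"):
        r = assess(u, "phishedbrand.com")
        print(f'Open "{r["displayed"]}" in Safari  ->  {r["verdict"]}')
```

Both crafted URLs from the report collapse to ‘example.com’ in the prompt, which is the point of the domain-only display; the shortened URL collapses to ‘bit.ly’, which tells the user nothing about the destination, so the only safe verdict is to expand it (following its redirects on a system that is not the user's device) before deciding.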

Malicious Mobile Apps
One common application of QR codes is to direct users to the appropriate app store or marketplace
link for a particular mobile app. In this case, a website or custom URL scheme QR code is typically
used and recognised by the browser, which then launches the app store or marketplace on the
intended app’s page. Threat actors could capitalise on this functionality to direct victims to a malicious
app, preloaded into an app store or marketplace, by distributing QR codes which purport to download
a seemingly legitimate app.

Premium Rate Fraud
Threat actors seeking to easily monetise their attacks may seek to conduct forms of premium rate
fraud, be that by running a premium rate telephone number or SMS service. Having configured the
number or service, the threat actor will need to drive victims toward it in order to profit from the
charges levied against them. Mobile malware is often used in this scenario to compromise a mobile
device and cause it to dial out or send SMS messages to the premium services; however, in the case of
nefarious QR codes, a threat actor could masquerade as a legitimate service but redirect victims to a
number or SMS service under their control.

Whilst Apple iOS 11 will not send an SMS message without user intervention when the ‘Messages QR
code’ is scanned, it will dial a ‘phone QR code’ if the user taps on the initial notification. Given that
many premium rate telephone services will incur a charge at the time of connection, this could prove
fruitful for the threat actor without the need to entice the victim into maintaining a lengthy telephone
call.

Taking this attack one step further, a threat actor could theoretically configure a premium rate
telephone number to masquerade as a legitimate service which, once the victim has connected,
redirects them to the legitimate service and leaves them unawares until they receive an unusually
high bill for the call.

Mobile Device Exploits
As with any hardware and software, mobile devices are vulnerable to exploitation, and undiscovered
flaws can be used to take control of the device, escalate privileges or cause undesired behaviour
resulting in a denial-of-service condition.

Given this, the way that QR codes are handled by either the operating system or an application may
make them susceptible to exploitation in order to cause unexpected results. For example, supplying
malformed data, or more data than the handler can process without failure, may result in buffer
overflow conditions along with their associated security implications. Whilst no specific QR code
threats have been identified at this time, Apple iOS devices have in the past been crashed by specially
created ‘prank’ messages [7] and therefore similar attacks delivered by QR code seem plausible.

In addition to threat actors seeking to exploit devices, many users may seek to ‘jailbreak’ or ‘root’ their
Apple iOS or Android devices to remove software restrictions imposed by the manufacturer and, in
doing so, expose their device to risks such as the ability to execute unsigned code. Whilst new operating
system releases typically seek to patch any vulnerabilities allowing this to occur, every release and new
feature potentially introduces new vulnerabilities that can be exploited to this end.

Exploits abusing QR codes are not limited to targeting the QR code handling element of the operating
system or application, especially with the use of ‘custom URL schemes’ within mobile apps. These
schemes allow an app to be launched, and perform specific actions, from within another app. For
example, clicking on a custom URL within the browser could subsequently launch the map application
centred on a specific set of coordinates. Given this, QR codes using a vulnerable app’s custom URL
scheme could serve as a conduit to deliver malicious input directly to that app.

Identity Card Abuse
Whilst the use of QR codes on identity cards presents security benefits, for example the stored data must
presumably match the person presenting it, cards could be abused, cloned or counterfeited.

Malicious abuse of ID card QR codes could include any one of a number of threats, for example using
malformed data to exploit or crash the system used to scan the ID card, coupled with social engineering
to bypass building security measures. Furthermore, cloned or counterfeit cards could allow a threat
actor to present themselves as someone else, albeit the success will depend on how the QR code data
is encoded. In the case of plain or easily decoded data, the threat actor may be able to craft a QR code
that is, to all intents, valid for themselves, whereas a cloned legitimate card could work if the QR code
does not link to corroborating data, such as verifying the photo presented on the card against an
online copy.


[7] http://www.telegraph.co.uk/technology/2017/01/18/iphone-message-prank-crashes-phones-single-text/


In instances where the ID card QR code is verified by an untrained person, for example, a customer
verifying an employee’s identity, the threat actor could generate a fake website that presents
‘verifying’ information that matches their counterfeit card.

Mitigations
Security Awareness
Given that many of the QR code threats are based on social engineering, attacks such as these rely on
exploiting the human element within an organisation in order to progress. Through security awareness
training, users should be made aware of the risks and exercise caution and vigilance whenever
scanning QR codes. General guidance should include:

• Ensure that the QR code app displays a preview of the URL before launching the browser;
• Avoid opening suspicious and shortened URLs, particularly if the domain does not reflect the
expected brand;
• Avoid QR codes that are affixed in easily accessible public places, as a threat actor could place
their label over a legitimate code.

Disable QR Code Scanning
Having conducted a risk assessment, organisations should determine if there are any benefits to using
QR codes outside of specific internal applications such as material tracking. Should the risk outweigh
the benefits, users should disable QR code scanning features on enterprise devices, potentially
enforceable by a mobile device management solution, whilst bring your own device (BYOD) users
should be reminded of the risks and consider disabling functionality (Apple iOS 11: Within ‘Settings’ >
‘Camera’, disable ‘Scan QR Codes’) or removing QR scanning apps themselves.

Service Blocking
Most mobile telephony service providers will allow users to block or ‘bar’ premium rate telephone
numbers, SMS services and international calls, which can be used to thwart premium rate fraud. These
features are beneficial to both enterprises and individuals, in many cases preventing inadvertent
abuse by the user as well as malicious fraudulent activity resulting from a social engineering or
malware attack.

QR Code Data Security
A successful cloning or counterfeit attack will likely require the threat actor to obtain physical access
to, or a high-resolution image of, an ID card. Given this, the encryption or encoding of QR code data
used in sensitive applications, such as identity cards, should be considered in addition to physically
protecting ID cards by not leaving them unattended or displayed publicly.

In addition to securing the data within the QR code, identity verification applications should also
include additional authentication methods, such as verifying biometric or picture data presented
on the card against data stored centrally.
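Added example covering the Identity Card Abuse section and the data-security recommendation above, written for this edit rather than taken from the report: a keyed signature over the card fields (HMAC-SHA256 from the Python standard library, one possible form of the ‘encryption or encoding’ the report suggests) together with the central corroboration step. Card fields, issuing key and registry are constructed; the function and field names are this example's own.

```python
"""ID-card QR data with a keyed tag, plus corroboration against a central record.
A crafted card fails the tag check; a byte-for-byte clone passes it, which is
why the central photo comparison is still needed."""
import base64
import hashlib
import hmac
import json


def issue(card: dict, key: bytes) -> str:
    """Encode the card fields and append a keyed tag. The key stays with the
    issuer and verifiers; it is never printed on the card."""
    body = json.dumps(card, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify(payload: str, key: bytes):
    """Return the card fields if the tag checks out, otherwise None."""
    try:
        b64body, b64tag = payload.split(".", 1)
        body = base64.urlsafe_b64decode(b64body)
        tag = base64.urlsafe_b64decode(b64tag)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None
        return json.loads(body)
    except ValueError:            # missing separator, bad base64 or bad JSON
        return None


def edit_without_key(payload: str, old: str, new: str) -> str:
    """Rewrite a field in the encoded body while keeping the original tag,
    i.e. what a crafted card looks like; used to show verify() rejects it."""
    b64body, b64tag = payload.split(".", 1)
    body = base64.urlsafe_b64decode(b64body).replace(old.encode(), new.encode())
    return base64.urlsafe_b64encode(body).decode() + "." + b64tag


def corroborate(card: dict, registry: dict):
    """Tie the card to a central record. Returns the record (with the stored
    photo reference) so the checker compares the presenter against central
    data rather than the photo printed on the card; None if no record agrees."""
    record = registry.get(card.get("id"))
    if record is None or record["photo_sha256"] != card.get("photo_sha256"):
        return None
    return record


# Constructed data for the demonstration.
KEY = b"constructed-issuer-key-keep-off-the-card"
PHOTO_HASH = hashlib.sha256(b"constructed photo bytes").hexdigest()
CARD = {"id": "EMP-0042", "name": "Jane Doe",
        "expires": "2018-09-30", "photo_sha256": PHOTO_HASH}
REGISTRY = {"EMP-0042": {"name": "Jane Doe", "photo_sha256": PHOTO_HASH,
                         "photo_url": "https://hr.example/photos/EMP-0042"}}

if __name__ == "__main__":
    qr = issue(CARD, KEY)
    print("genuine card  :", verify(qr, KEY) is not None)
    print("crafted card  :", verify(edit_without_key(qr, "Jane Doe", "John Roe"), KEY) is not None)
    print("cloned card   :", verify(str(qr), KEY) is not None, "(tag alone cannot catch this)")
    print("central record:", corroborate(verify(qr, KEY), REGISTRY)["photo_url"])
```

The crafted card fails because the attacker cannot recompute the tag without the key, which addresses the ‘plain or easily decoded data’ case in the Identity Card Abuse section. The cloned card verifies, because it is the same bytes; that is the case corroborate() exists for, returning the central photo reference so the checker compares the person in front of them against stored data. Note that HMAC gives every verifier the issuing key; where verifiers are untrusted (a customer checking a contractor's card, say), a public-key signature such as Ed25519 would let them verify without being able to issue.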
