Abstract
Two-dimensional quick response (QR) codes can be misleading because a genuine QR code is difficult to tell apart from a malicious one. Since this weakness is practically part of their design, scanning a malicious QR code can direct the user to a cloned malicious site, resulting in the disclosure of sensitive information. To evaluate the vulnerabilities and propose countermeasures, we demonstrate this type of attack through a simulated experiment in which a malicious QR code directs a user to a phishing site. For our experiment, we cloned Google’s web page providing access to their email service (Gmail). Since the URL is masqueraded into the QR code, the unsuspecting user who opens the URL is directed to the malicious site. Our results proved that hackers could easily leverage QR codes into phishing attack vectors targeted at smartphone users, even bypassing web browsers’ safe browsing feature. In addition, the second part of our paper presents adequate countermeasures and introduces QRCS (Quick Response Code Secure). QRCS is a universal, efficient and effective solution focusing exclusively on the authenticity of the originator and consequently the integrity of the QR code by using digital signatures.
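The digital-signature idea the abstract attributes to QRCS, sketched as an added Go example; it is not the authors' implementation and does not reproduce the QRCS format. The payload layout, the choice of Ed25519, the `TrustStore` of pinned originator keys, and all names and URLs are assumptions, and the keys are derived from constructed seeds.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

type TrustStore map[string]ed25519.PublicKey // one pinned key per originator (assumed to ship with the scanner)

// SignQR builds "<url>\n<issuer>\n<base64url signature>" (assumed layout, not the QRCS format).
func SignQR(priv ed25519.PrivateKey, issuer, url string) string {
	msg := url + "\n" + issuer
	return msg + "\n" + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// VerifyQR returns the URL only when the signature verifies under the key pinned for the issuer.
func VerifyQR(ts TrustStore, payload string) (string, error) {
	parts := strings.Split(payload, "\n")
	if len(parts) != 3 {
		return "", fmt.Errorf("unsigned or malformed payload")
	}
	pub, ok := ts[parts[1]]
	if !ok {
		return "", fmt.Errorf("issuer not in trust store")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"\n"+parts[1]), sig) {
		return "", fmt.Errorf("signature does not match URL and issuer")
	}
	return parts[0], nil
}

// demoKey derives a key pair from a constructed, non-secret seed so the run is reproducible.
func demoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey(1)
	_, rogue := demoKey(2) // a key the scanner has not pinned
	ts := TrustStore{"example-bank": pub}
	fmt.Println(VerifyQR(ts, SignQR(priv, "example-bank", "https://bank.example/login")))
	fmt.Println(VerifyQR(ts, SignQR(rogue, "example-bank", "https://phish.example/login")))
	fmt.Println(VerifyQR(ts, "https://phish.example/login")) // ordinary unsigned QR content
}
```

Because the signature covers both the URL and the issuer name, a scanner that refuses to open anything `VerifyQR` rejects treats a replaced URL, a claimed-but-unpinned originator and a plain unsigned code the same way.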
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Mavroeidis, V., Nicho, M. (2017). Quick Response Code Secure: A Cryptographically Secure Anti-Phishing Tool for QR Code Attacks. In: Rak, J., Bay, J., Kotenko, I., Popyack, L., Skormin, V., Szczypiorski, K. (eds) Computer Network Security. MMM-ACNS 2017. Lecture Notes in Computer Science, vol 10446. Springer, Cham. https://doi.org/10.1007/978-3-319-65127-9_25
DOI: https://doi.org/10.1007/978-3-319-65127-9_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65126-2
Online ISBN: 978-3-319-65127-9
eBook Packages: Computer Science (R0)