ABSTRACT
2D barcodes offer many benefits compared to 1D barcodes, such as high information density and robustness. Before their introduction to the mobile phone ecosystem, they were already widely used in specific applications such as logistics or ticketing. However, there are multiple competing standards with different benefits and drawbacks, so reader applications as well as dedicated devices have to support several standards at once.
In this paper, we present novel attacks based on deliberately caused ambiguities: specially crafted barcodes that conform to multiple standards simultaneously. Implementation details decide which standard the decoder locks on to, so two users scanning the same barcode with different phones or apps will receive different content. This opens the way to a range of security problems. We describe how embedding one barcode symbology into another can be used to perform phishing attacks as well as targeted exploits. In addition, we evaluate the extent to which popular 2D barcode reader applications on smartphones are susceptible to these barcode-in-barcode attacks. We furthermore discuss mitigation techniques against this type of attack.
- QR Inception: Barcode-in-Barcode Attacks