What do printed QR codes and NFC (Near Field Communication) chips have in common, besides storing instructions that computers can read? They are both hackable and their ability to store and communicate computer instructions is bound to be abused, if not already, then sometime soon. This happens to every new means of communication; QR and NFC are no exception. Call it "Cobb's first law of communications abuse" or just a statement of the obvious: Every new means of communication will be abused. Of course, the second law states that the abuse will include, if at all possible, the spreading of malicious software.
This blog post is not about how to abuse QR codes or NFC chips–sooner or later people are going to figure that out for themselves–we just want to take a moment to urge companies and coders working with these technologies to implement them as sensibly and securely as possible. Failure to heed this warning could mean cool technology being crippled by clumsy protection schemes bolted on to fix security issues created by naive implementations.
Consider the problem illustrated in the following video called "Card Tricks". This shows some rather worrying behavior by a pair of fairly common smartphones–an iPhone and a Samsung Nexus phone–being used in default configuration, no hacking required. It should be clear that a malicious party can go several steps further with this technology to create a means of infecting mobile devices, stealing data, and accruing ill-gotten gains from bogus phone charges and other scams.
The problem we see in both of the examples–the QR code scanning by the iPhone and the NFC tag reading by the Samsung smartphone–is that the software which interacts with the code/tag proceeds to act on the data in the code/tag without asking permission. While the desire for immediate gratification is understandable, and the ability to deliver it with technology is very cool, I am hoping the video makes it clear why this is not always a good thing.
QR and NFC software should not act upon the instructions in a code or chip without providing the user with an informed choice. A preview-and-authorize process should be the default mode of operation. Otherwise the technology becomes a high tech version of an old party trick: A person wearing a blindfold is told to put their hand into a jar to grab a prize, but what they grab might not be a prize at all.
Right now there don't seem to be many people exploiting the "instant gratification" mode of QR and NFC scanners for evil purposes (although some cases have been reported). So you might ask: Why talk about the problem now?
The QR app that I installed for the video demonstration–called QR Reader for iPhone–was picked at random from the app store. It is a free download, made by TapMedia and has an almost 5 star rating, so it is reasonable to assume that a lot of people are using it. This app does have a preview and authorize mode but that is not the default setting.
The QR scanner that AT&T offers, also free and a solid 4 star rating, has preview-and-authorize set as the default mode of operation which earns AT&T bonus points in my opinion. As NFC chip readers become more widely deployed in smartphones I'm hoping all of the associated software will have preview-and-authorize as the default setting. (This does not appear to be the case on the Samsung Nexus that I tested.)
Another reason to talk about this problem now, rather than later, is that a lot of of QR codes are showing up in stores and a ton of new NFC-enabled smartphones will be hitting the streets this year, opening up the possibilities for those who would seek to abuse them. On the Android platform I have already noticed "Control Near field Communication: Full internet Access" as one of the permissions sought by mainstream apps like Google Earth and YouTube.
A further aspect of the emerging NFC story will be phones like the Sony Xperia S. Announced with much fanfare a few months ago, this product features matching NFC tags that allow you to alter the settings on the phone, as illustrated in this frankly scary Sony video. Even if you give Sony the benefit of the doubt and assume that the Xperia tags are somehow bound to each phone by unique identifiers, it is a fair bet that before long someone will announce that they can craft which are able to change the settings on other people's phones.
Another fair bet is that one or more of the following will happen before the end of the year:
Although QR codes and NFC chips are technically quite different they suffer the same potential weakness: Trusting that the person who programmed them has good intentions. I see them as a new attack vector for mobile devices and another reason to protect those devices with appropriate malicious code, app, and URL detection.
Finally, to the last piece of the card trick: How do people make QR codes and encode NFC tags. The software to create QR codes is readily available on the web and there are a lot of websites that will generate the code for you (if you need QR codes for a legitimate project I strongly suggest you test the code before deploying). As for NFC tags, I will go into this in a separate blog post about Near Field Communications that will appear in the near future, but the short version is that acquiring and encoding NFC chips is cheap and easy. Stay tuned.
Author Stephen Cobb, We Live Security