QR Codes and NFC Chips: Preview-and-authorize should be default

What do printed QR codes and NFC (Near Field Communication) chips have in common, besides storing instructions that computers can read? They are both hackable and their ability to store and communicate computer instructions is bound to be abused, if not already, then sometime soon. This happens to every new means of communication; QR and NFC are no exception. Call it "Cobb's first law of communications abuse" or just a statement of the obvious: Every new means of communication will be abused. Of course, the second law states that the abuse will include, if at all possible, the spreading of malicious software.

An example of a QR codeThis blog post is not about how to abuse QR codes or NFC chips–sooner or later people are going to figure that out for themselves–we just want to take a moment to urge companies and coders working with these technologies to implement them as sensibly and securely as possible. Failure to heed this warning could mean cool technology being crippled by clumsy protection schemes bolted on to fix security issues created by naive implementations. 

Consider the problem illustrated in the following video called "Card Tricks". This shows some rather worrying behavior by a pair of fairly common smartphones–an iPhone and a Samsung Nexus phone–being used in default configuration, no hacking required. It should be clear that a malicious party can go several steps further with this technology to create a means of infecting mobile devices, stealing data, and accruing ill-gotten gains from bogus phone charges and other scams.

The problem we see in both of the examples–the QR code scanning by the iPhone and the NFC tag reading by the Samsung smartphone–is that the software which interacts with the code/tag proceeds to act on the data in the code/tag without asking permission. While the desire for immediate gratification is understandable, and the ability to deliver it with technology is very cool, I am hoping the video makes it clear why this is not always a good thing.

QR and NFC software should not act upon the instructions in a code or chip without providing the user with an informed choice. A preview-and-authorize process should be the default mode of operation. Otherwise the technology becomes a high tech version of an old party trick: A person wearing a blindfold is told to put their hand into a jar to grab a prize, but what they grab might not be a prize at all.

AT&T QR code scanner/readerRight now there don't seem to be many people exploiting the "instant gratification" mode of QR and NFC scanners for evil purposes (although some cases have been reported). So you might ask: Why talk about the problem now?

My hope is that we can get ahead of the curve in terms of user education by convincing people to exercise caution when they use this technology. For example, if you use an iPhone you know it doesn't come with a QR code reader installed. Choose one that has a preview-and-authorize mode and set that as the default.

The QR app that I installed for the video demonstration–called QR Reader for iPhone–was picked at random from the app store. It is a free download, made by TapMedia and has an almost 5 star rating, so it is reasonable to assume that a lot of people are using it. This app does have a preview and authorize mode but that is not the default setting.

The QR scanner that AT&T offers, also free and a solid 4 star rating, has preview-and-authorize set as the default mode of operation which earns AT&T bonus points in my opinion. As NFC chip readers become more widely deployed in smartphones I'm hoping all of the associated software will have preview-and-authorize as the default setting. (This does not appear to be the case on the Samsung Nexus that I tested.)

Another reason to talk about this problem now, rather than later, is that a lot of of QR codes are showing up in stores and a ton of new NFC-enabled smartphones will be hitting the streets this year, opening up the possibilities for those who would seek to abuse them. On the Android platform I have already noticed "Control Near field Communication: Full internet Access" as one of the permissions sought by mainstream apps like Google Earth and YouTube.

A further aspect of the emerging NFC story will be phones like the Sony Xperia S. Announced with much fanfare a few months ago, this product features matching NFC tags that allow you to alter the settings on the phone, as illustrated in this frankly scary Sony video. Even if you give Sony the benefit of the doubt and assume that the Xperia tags are somehow bound to each phone by unique identifiers, it is a fair bet that before long someone will announce that they can craft which are able to change the settings on other people's phones.

Another fair bet is that one or more of the following will happen before the end of the year:

  • Pirate NFC chips: Will be deployed to divert traffic or execute other unexpected instructions in order to compromise smartphones.
  • Pirate QR code stickers: As foreseen last year by my colleague Cameron Camp, people will try sticking their own QR codes over existing codes to divert traffic or execute other unexpected instructions.
  • QR code seeding: People will include malicious QR codes in cheap flyers and distribute them to find and target victims.
  • QR Sharpie hacking: People will figure out how to alter public QR codes with a Sharpie to break the code or divert traffic.

Although QR codes and NFC chips are technically quite different they suffer the same potential weakness: Trusting that the person who programmed them has good intentions. I see them as a new attack vector for mobile devices and another reason to protect those devices with appropriate malicious code, app, and URL detection.

Finally, to the last piece of the card trick: How do people make QR codes and encode NFC tags. The software to create QR codes is readily available on the web and there are a lot of websites that will generate the code for you (if you need QR codes for a legitimate project I strongly suggest you test the code before deploying). As for NFC tags, I will go into this in a separate blog post about Near Field Communications that will appear in the near future, but the short version is that acquiring and encoding NFC chips is cheap and easy. Stay tuned.

Author Stephen Cobb, ESET

  • Roger

     
    "Preview-and-authorize" doesn't work as a security option because the observed URL can be redirected. Better security options are discussed here
     
    You may not be aware that the scanner you recommend (AT&T Code Scanner) is one of those that sends details of every QR Code you scan to one of its servers (id2att.com). At the same time it sends details of your mobile device and anything else it can discern such as location, zipcode, age etc. Some of the other scanners that spy on you can be found here
     
    "Pirate QR code stickers" have been used for years, the first recorded in the West was in 2009

  • Stephen Cobb

    Good points Roger, which we will cover in more detail in further posts. I agree that basic or "literal" preview is of limited practical security value but it is a principle to build on. Obviously a really good scanner would do a lot more to analyze the instructions in the QR or NFC object, and it would NOT disclose unformation in the manner you attribute to AT&T. If we can verify that AT&T is doing what you say then we will withdraw our praise and warn people that this is happening.

    If there is a QR scanner out there which you think is on the right track, please let me know.

    As for pirate QR code stickers, we have not talked about them in the past because the average consumer in America has not been exposed to QR codes to such an extent as we see now, when they suddenly seem to be "everywhere."

  • Stephen Cobb

    Here are several useful links that Roger has kindly provided:

    Article on safe scanning of QR codes

    Some very clever research on QR code scanning used to record information about you

    There is a lot more interesting QR code info at http://2d-code.co.uk/

  • Thomas Stevinson

    In the UK it seems we haven't really picked up on QR codes as much as stateside, are they still a big thing over there? As a webmaster I have wanted to start doing QR code advertising but the majority of people over here dont know what they are, or if they do then they do not have the software to scan them. Maybe NFC will be a UK thing

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

4 articles related to:
Hot Topic
23 Apr 2012
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.