FBI Sounds Alarm as QR Code Usage Soars (axios.com)
The pandemic has accelerated the usage of QR codes, taking them from niche status to an essential tool for businesses and marketers. From a report: Look no further than Sunday's Super Bowl commercial of nothing but a floating QR code sending users to the website of Coinbase. [...] Law enforcement officials are sounding the alarm about the risks. The FBI issued an alert in January warning Americans that cybercriminals "are tampering with QR codes to redirect victims to malicious sites that steal login and financial information." If you're scanning a physical code, make sure it hasn't been tampered with. For example, watch out for "a sticker placed on top of the original code," the FBI advises.
Prank QR Codes (Score:1)
Re: (Score:1)
Probably foot fetish enthusiasts, am I right?
Re: Prank QR Codes (Score:3)
I'm not a football fan, but anybody could get scammed by a QR code because it does not reveal what it actually is until you scan it.
It looked and seemed like a good idea, but the security is really lacking on how it was done.
Re:Prank QR Codes (Score:4, Insightful)
The entire problem here is actually QR code apps that automatically act on QR code content without further user input - sadly this is the most common way that these apps work. They should show the content to the user and require the user to confirm any further actions, similar to browser app launch/xdg-open activity on desktop OSes.
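What the comment above asks for, a scanner that turns the code into a string, shows the user what that string would do, and does nothing further without a confirmation for that specific action, as an added example in Python. This is not any poster's code and not any real scanner app. The payload kinds it recognises, the sample strings, and the list of schemes it refuses outright are assumptions chosen for illustration.

```python
"""Decode-then-confirm handling of a QR payload (added example, not a real app).

The scanner's job ends at turning pixels into a string. What happens to that
string is a policy decision that must include the user.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumed list: schemes that are never dispatched from a scanned code, consent or not.
NEVER_DISPATCH = {"javascript", "vbscript", "data", "file", "intent", "content"}


@dataclass
class Decoded:
    kind: str                   # url | phone | wifi | text | blocked
    display: str                # exactly what the user sees before anything happens
    action: str                 # what a confirmation would do
    warning: Optional[str] = None


def _parse_wifi(p: str) -> dict:
    """WIFI:T:WPA;S:<ssid>;P:<psk>;H:true;;  ->  {'T': 'WPA', 'S': ..., 'P': ...}"""
    fields = {}
    for part in p[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.upper()] = value
    return fields


def classify(payload: str) -> Decoded:
    p = payload.strip()
    scheme = p.split(":", 1)[0].lower() if ":" in p else ""
    if scheme in NEVER_DISPATCH:
        return Decoded("blocked", p, "nothing (refused)",
                       f"'{scheme}:' payloads are never dispatched from a QR code")
    if scheme in ("http", "https"):
        u = urlsplit(p)
        host = (u.hostname or "").lower()
        display = f"{scheme}://{host}{u.path or '/'}" + (f"?{u.query}" if u.query else "")
        warning = None
        if scheme == "http":
            warning = "plain HTTP: the server is not authenticated and the page can be altered in transit"
        elif u.username is not None:
            warning = f"text before '@' is a username, not the site; the real host is {host}"
        return Decoded("url", display, f"open {host} in the browser", warning)
    if scheme == "tel":
        number = p[len("tel:"):]
        return Decoded("phone", number, f"dial {number}",
                       "premium-rate or carrier control numbers can cost money or change settings")
    if p.upper().startswith("WIFI:"):
        fields = _parse_wifi(p)
        ssid = fields.get("S", "?")
        # Show the network name but never echo the key; the user cannot verify it anyway.
        return Decoded("wifi", f"network {ssid!r} ({fields.get('T', 'open')})",
                       f"join Wi-Fi {ssid!r}",
                       "joining puts this device on a network someone else controls")
    # Anything else (including unknown schemes) is shown as inert text.
    return Decoded("text", p, "copy to clipboard")


def handle(payload: str, confirm: Callable[[Decoded], bool]) -> str:
    """Never act on a payload without an explicit yes from the user for that exact action."""
    d = classify(payload)
    if d.kind == "blocked":
        return "blocked"
    if d.kind == "text":
        return "shown"            # displaying it is the whole action
    return "dispatched" if confirm(d) else "declined"


if __name__ == "__main__":
    def ask(d: Decoded) -> bool:
        print(f"  {d.kind}: {d.display}\n  would: {d.action}\n  warning: {d.warning}")
        return False              # a real app waits for a tap here

    # Constructed sample payloads of the kinds a camera app commonly auto-acts on.
    for sample in ["https://example.com/menu", "HTTP://EXAMPLE.COM/../login",
                   "https://example.com@evil.test/", "tel:+15555550100",
                   "WIFI:T:WPA;S:FreeCoffee;P:hunter2;;", "javascript:alert(1)", "table 12"]:
        print(sample, "->", handle(sample, ask))
```

The `confirm` callback is the whole design: the only path from a decoded string to an OS action goes through a function the user controls, and the blocked schemes never reach it at all.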
Re: (Score:1)
I use the default camera app, and it'll show me the beginning of the URL.
Definitely something to consider with QR code menus becoming popular.
URL in Unicode (Score:2)
So how do you differentiate l from I, let alone A from Alpha. I'll be damned.
And no user can do that.
Just mindlessly execute anything that the camera sees. What could possibly go wrong!
All QR URLs should start with qr. (or similar).
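The homoglyph problem raised above, worked as an added example (not from any poster): canonicalise the host the way a browser does (NFKC, then lowercase, which collapses the capital-I-versus-l trick and fullwidth letters), flag any label that mixes writing systems, and always report the ASCII form that actually goes into DNS. The hostnames used in the demo are constructed.

```python
"""Show a scanned hostname the way a cautious browser would (added example)."""
import unicodedata


def script_of(ch: str) -> str:
    """Coarse script bucket from the Unicode name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def audit_host(host: str) -> dict:
    """Canonical display form, the ASCII (punycode) form, and why it looks suspicious."""
    shown = unicodedata.normalize("NFKC", host.strip()).lower()
    findings = []
    for label in shown.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    try:
        ascii_form = shown.encode("idna").decode("ascii")
    except UnicodeError as exc:
        ascii_form = None
        findings.append(f"cannot be encoded as a hostname: {exc}")
    return {
        "shown": shown,
        "ascii": ascii_form,                                  # what DNS and TLS SNI see
        "punycode": ascii_form is not None and ascii_form != shown,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed hosts: plain, fullwidth 'E', and a Latin label with a Cyrillic 'a' inside.
    for h in ["Example.COM", "\uff25xample.com", "p\u0430ypal.com"]:
        print(h, "->", audit_host(h))
```

The mixed-script check catches "pаypal" with one Cyrillic letter, but not a label written entirely in another script that happens to look like a Latin brand; that is why the ASCII form is returned for display regardless of findings, so the user sees the "xn--" name the browser will actually resolve.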
Re: (Score:3)
I think it was a good FP, but I'm still unclear on what your point was... The QR code design isn't intrinsically bad, just another morally neutral tool, but it puts the onus on the decoder to avoid doing anything stupid, and you can be sure that there are plenty of stupid QR decoders out there. Some of the pranks are quite annoying and even dangerous.
Re: (Score:2)
Actually I should have responded with a solution approach. Here's mine.
I use an app with a built-in QR decoder. If the app recognizes the QR code as part of the app, then it might execute, but it can only execute functions within the scope of the app. That's still a bit dangerous, since the app is fairly popular and too powerful for its britches, too, which makes it a kind of security through obscurity.
However the protection is that any QR code which is not part of the app is only displayed as text and it a
Re: Prank QR Codes (Score:2)
A blacklist/whitelist solution would be good here too.
Maybe a huge warning banner that the code may be malicious with details of why, with multiple "are you sure?" prompts in order to execute it. If the user goes ahead and does it, well the responsibility falls on the user.
Re: (Score:2)
If you do not know what you are scanning, you should beware of any QR code.
Especially ones you might find in YouTube videos. [youtube.com]
Use just a scanner/decoder. (Score:2)
Use a scanner/decoder that'll just show you the contents, not try to follow any URL it finds. Always know where you're going before you go there.
Re:Use just a scanner/decoder. (Score:5, Interesting)
Yeah, only that's not gonna work for most people. Ever seen a typical Google link? It runs several hundred characters long and it's unreadable. Fill your QR code with an unreadable Google-style URL, and by the 3rd such URL, people just tap "Yes, take me there" and don't bother to check anymore. Which is also partly why Google does it incidentally.
Bitly links are cool (Score:2)
Everyone uses them ...
Re: (Score:2)
Better yet, just carry a black marker and block out a pixel or three from any QR codes in train stations, election signs, etc. Just as a safety measure; it might be a bad one.
Re: (Score:2)
That won't work as QR codes have multiple levels of error correction [wikipedia.org] available. Even at Level L (Low), 7% of data bytes can be restored. So if your plan of attack is to disable one to three dots of a QR code, that won't be enough.
Re: (Score:1)
seriously, takes much less than that if you whack a single corner position block.
Re: (Score:2)
I have never tried to disable a QR code. Would simply filling out the white inside outline of a corner position block be enough to prevent scanning?
Re: (Score:1)
haven't seen that one in tests, loss of the black block inside just one prevented scan.
I was only joking about marker though, now we're talking of carrying white-out? I've never done any kind of graffiti in my life 8D
Re: (Score:2)
Not white-out, a black marker as you suggested. I'm talking about "deleting" the inside white outline of a position block by using the marker to fill it out, making the position block a full black square instead of a tiny black square with white padding and a black outline around it.
Re: (Score:2)
Kaspersky QR Scanner for Android can't.
I used the https://leanpub.com/golang-tdd... [leanpub.com] QR code and put it in GIMP. First I made the upper right box into a white left bracket by blacking out; that worked though. A fully black box wouldn't scan.
Re: Use just a scanner/decoder. (Score:2)
There is also the very off chance of turning the code into one that is malicious. It's remote but not impossible.
Re: (Score:2)
That's exactly how the URL to the furry porn site got into my search history. I swear it, babe, I'd never *want* to go there! Malicious QR code, definitely!
Re: (Score:3)
People want small QR codes, so they typically use URL shortening services that make the URL effectively opaque. Then one has to trust the URL abbreviation service as well as the software that opens the URL.
Re: (Score:2)
I just use a tool that tells me where the shortener is redirecting me to. Give it a URL and it prints a list of URLs it was redirected to until it hits a non-redirect, then it tells me what kind of data the final destination claims it was trying to send me.
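A tool of the kind the comment above describes, as an added example (not the poster's tool): follow each `Location` header by hand with a HEAD request, record every hop, stop on loops or overly long chains, and report what the final server says it would send without ever fetching or rendering the body. The fetch function is injectable, so the logic runs offline against a constructed hop map; the default fetcher does real HEAD requests.

```python
"""Resolve a shortener link hop by hop without letting anything auto-open (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None               # hand every 3xx back to us instead of following it


def http_head(url: str, timeout: float = 10.0):
    """Real fetcher: one HEAD request, no redirect following, no body. Returns (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-checker/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:   # 3xx land here once we refuse to follow them
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def resolve(url: str, fetch=http_head, max_hops: int = 10) -> dict:
    """Walk the redirect chain; 'stopped' is one of done, loop, too many hops."""
    chain, seen = [url], {url}
    status, headers = 0, {}
    for _ in range(max_hops):
        status, headers = fetch(url)
        if 300 <= status < 400 and "location" in headers:
            url = urljoin(url, headers["location"])   # Location may be relative
            if url in seen:
                return _result(chain, status, headers, "loop")
            seen.add(url)
            chain.append(url)
            continue
        return _result(chain, status, headers, "done")
    return _result(chain, status, headers, "too many hops")


def _result(chain, status, headers, stopped):
    return {"chain": chain, "final": chain[-1], "status": status,
            "content_type": headers.get("content-type"), "stopped": stopped}


# Constructed offline stand-in for the network (the hosts are placeholders).
FAKE_HOPS = {
    "https://sho.rt/abc": (301, {"location": "https://t.example/x"}),
    "https://t.example/x": (302, {"location": "/landing"}),
    "https://t.example/landing": (200, {"content-type": "application/octet-stream"}),
}


if __name__ == "__main__":
    r = resolve("https://sho.rt/abc", fetch=lambda u: FAKE_HOPS[u])
    for hop in r["chain"]:
        print("  ->", hop)
    print(r["status"], r["content_type"], r["stopped"])
    # To go live: resolve("https://sho.rt/abc")  (uses http_head)
```

A `Content-Type` of `application/octet-stream` or an `.apk`/`.ipa` at the end of a chain that started as a restaurant menu is the kind of thing this is meant to surface before the browser does anything with it.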
It's actually 2953 bytes. I once made such a QR code as a gift for a musician friend. I composed a MOD file with a single, extremely basic instrument (a square wave! haha), trimming as much as I could, removed the unnecessary tracks, using good ol' Impulse Tracker, and got it to fit in under 2800 bytes. At first he was puzzled by the odd data in the QR code, but after some tinkering he figured out that it was a MOD file and managed to play it. I was happy :-).
I don't think a phone would be able to play the da
Re: (Score:2)
I have met people. That's why I far too often repeat "Vacation resorts on Venus. Kornbluth was right, someone really needs to start marketing those.".
The stupids get it (Score:2)
If you scan QR codes attached to commercials or Superball articles, you deserve everything you get.
Re: (Score:3)
It costs us all when we let criminals prey on the handicapped. We should be stopping criminals, not punishing the inept.
Re: (Score:2)
I'm for getting rid of the criminals so they can't criminal again, but some people have a problem with that idea.
not punishing the inept.
Considering how much they punish the rest of us with their ineptness, punishment is necessary.
Re: (Score:1)
Hard agree, though I would say it's more than just "the handicapped". Lots of people who are smart in other aspects of their lives can be fooled by a well crafted fake. But any time our response is "you shouldn't have been fooled", we're giving permission for criminals to steal.
Re: (Score:1)
Yup. Sometimes it's even cognitive dissonance, holding two or more opposing beliefs at the same time. As in "they wouldn't put this on the air if it wasn't safe", or "they couldn't sell it if it wasn't safe", followed by "we should get rid of all this regulation", followed shortly by "you can't believe anything on the news".
Re: (Score:2)
my conscience is clear
obvious attack vectors are obvious - bad software is bad - criminals should be punished - fuck the inept
Re: (Score:2)
It costs us all when we let criminals prey on the handicapped.
So if we just eliminate the handicapped, no more crime? And that will save the rest of us money in the long run? I think I like your idea here.
Re: The stupids get it (Score:5, Insightful)
If someone sees a QR code on a commercial that cost millions of dollars to air, they are going to assume that it's one they can trust.
Really, all of this superiority, holier than thou thinking solves nothing and causes problems.
Government COVID Check In app (Score:2)
Every time you enter a place in Australia you need to scan a QR code so that they know you are there, and can contact trace any infections. It is a system that worked pretty well.
But it means that you had to scan whatever every establishment put up. 99.9% were legitimate.
Re: Government COVID Check In app (Score:2)
I've seen QR codes being used to ensure a security guard does his/her rounds. Like punching in on a clock. The QRs would be placed throughout the property that the guard is supposed to be patrolling.
Re: (Score:2)
And the guards just make copies of them.
Those RSA time based tokens were not originally made for login security, but rather for security guard monitoring. They could be placed at various places and the changing number could confirm when the guard visited.
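The mechanism the comment above describes, a checkpoint whose displayed value changes with time so that a photocopied code proves nothing about when it was scanned, as an added example (not from any poster or vendor). It derives a short code from a per-checkpoint secret and the current 30-second step using the HMAC construction of RFC 4226/6238 and verifies it with a one-step tolerance; the checkpoint displays the code, the guard's app submits it with a timestamp. The secret and timestamps are constructed (the secret is the RFC 6238 test key).

```python
"""A checkpoint code that rotates with time, so a copy taken earlier is useless (added example)."""
import hashlib
import hmac
import struct
import time

STEP = 30        # seconds per code
WINDOW = 1       # accept +/- one step of clock skew or scan delay
DIGITS = 6


def code_at(secret: bytes, t: float) -> str:
    """HOTP over the time counter floor(t / STEP), SHA-1, dynamic truncation (RFC 4226 s.5.3)."""
    counter = int(t // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify(secret: bytes, submitted: str, now: float) -> bool:
    """True if the submitted code is valid for 'now', within WINDOW steps either side."""
    return any(hmac.compare_digest(code_at(secret, now + k * STEP), submitted)
               for k in range(-WINDOW, WINDOW + 1))


if __name__ == "__main__":
    # Constructed per-checkpoint secret (the RFC 6238 test vector key).
    secret = b"12345678901234567890"
    now = time.time()
    shown = code_at(secret, now)
    print("checkpoint shows:", shown)
    print("accepted now:", verify(secret, shown, now))
    print("accepted 5 minutes later (a copied code):", verify(secret, shown, now + 300))
```

A static QR at the checkpoint can only say "someone once photographed this spot"; a rotating code ties the submission to a 30-second window, which is the property the thread's "guards just make copies" objection is really about.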
Re: Government COVID Check In app (Score:2)
Never said the person who put that together was smart.
I didn't see any cheat sheets of copied codes, but I'm sure some of them had 'em.
Re: Government COVID Check In app (Score:2)
It was on the honor system, but the place also had a CCTV system and their supervisor routinely reviewed the footage.
Huh. Just don't do it. (Score:2)
So I saw that Super Bowl commercial with the floating QR code. My immediate reaction was "No Way! There is no way I am scanning a code without knowing something about it"
Now, even if presented with the trappings of legitimacy the obvious answer is to never put any info into any site you reach through a QR code unless you don't care about the details. Like dinner reservations or something like that.
Re: Huh. Just don't do it. (Score:2)
I didn't see the commercial, but I am imagining a huge QR code with a generic background, and instrumental music.
This kind of thing was popular back in the 90s and 2000s, when we had that stupid "IDIYIG" (or whatever) commercial that did not tell you what they were actually advertising. An appeal to curiosity in an attempt to drive up sales.
Those kinds of ads died out for a reason.
surprised (Score:2)
I'm surprised I haven't heard of people posting qr codes around public places that lead to goatse or similar
Re: (Score:2)
That's because the victims of such attacks usually end up in a mental institute.
Browsers that execute arbitrary code (Score:2)
Are you telling me that this JavaScript thing was a big mistake? That simply clicking a link or inputting a URL electronically can instantly execute an arbitrary application on your personal device? OOPS!
Work-around for QR codes:
* HTTPS only. No visiting sites that are lacking certificates, at least through a QR.
* On top of that, a QR system shouldn't visit directly load site, instead the software should consult a central white list. Not on the list, then the user gets a warning dialog. Black listed sites g
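The two proposals above, HTTPS only plus a consulted allow list with a warning for anything not on it, together with the earlier suggestion in this thread of a banner that says why a code looks bad and demands extra "are you sure?" prompts, as one added example (not from any poster). The list contents, the placeholder hosts and the number of confirmations per verdict are assumptions.

```python
"""HTTPS-only plus allow/deny list policy for URLs that arrived via a QR code (added example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWLIST = {"example.com", "menu.example-restaurant.test"}   # constructed
DENYLIST = {"evil.test"}                                       # constructed
CONFIRMATIONS = {"allow": 1, "warn": 2, "block": 0}            # prompts before opening


def _matches(host: str, entries) -> bool:
    """Exact match or subdomain of a listed name (www.example.com matches example.com)."""
    return any(host == e or host.endswith("." + e) for e in entries)


def evaluate(payload: str) -> dict:
    """Verdict for a scanned URL: block (never opened), warn (reasons shown, two prompts), allow."""
    u = urlsplit(payload.strip())
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    reasons = []

    if scheme != "https":
        reasons.append(f"scheme {scheme or 'none'!r} is not https")
    if not host:
        reasons.append("no host in URL")
    elif _matches(host, DENYLIST):
        reasons.append(f"{host} is on the deny list")
    if reasons:
        return _verdict("block", host, reasons)

    if _matches(host, ALLOWLIST):
        return _verdict("allow", host, [])

    reasons.append(f"{host} is not on the allow list")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    try:
        port = u.port
    except ValueError:
        port = -1                                   # malformed port, treat as non-standard
    if port not in (None, 443):
        reasons.append(f"non-standard port {port}")
    if u.username is not None:
        reasons.append("URL embeds credentials before '@'")
    return _verdict("warn", host, reasons)


def _verdict(verdict: str, host: str, reasons: list) -> dict:
    return {"verdict": verdict, "host": host, "reasons": reasons,
            "confirmations": CONFIRMATIONS[verdict]}


if __name__ == "__main__":
    # Constructed sample URLs covering each verdict.
    for url in ["https://www.example.com/menu", "http://example.com/",
                "https://evil.test/x", "https://203.0.113.5:8443/pay", "javascript:alert(1)"]:
        v = evaluate(url)
        print(f"{url}: {v['verdict']} ({v['confirmations']} prompt(s))")
        for r in v["reasons"]:
            print("   -", r)
```

The reasons list is what the banner would show; the point of returning them rather than a bare yes/no is that "not on the allow list" alone is weak evidence, while "not on the allow list, raw IP, port 8443" is a pattern a user can be taught to recognise.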
Re: (Score:2)
Sounds like a lot of work. How about just "don't follow QR codes"?
Re: (Score:2)
Right. Which is why I think phones should only accept HTTPS URLs, not arbitrary unsigned crap.
This will be interesting... (Score:5, Insightful)
With QR codes not human readable, there isn't any real way to tell if a sticker on a band's sign on a nightclub is theirs, or someone else's. Especially if the band is accepting cryptocurrency. With the fact that URLs tend to be long and obfuscated, there is no way to know if the band will be getting the donation, or some random joker who slapped a sticker on the wall.
To boot, there is a good chance of this taking someone to a 0 day site. A ransomware group with a 0 day exploit that is about to go away on smartphones can make a mint by having some guy slap stickers everywhere with a cool, astroturfing slogan, and many people would check it out.
McAfee's next product QR Code AntiMalware (Score:3)
Only $99 a year and no way to cancel without calling and waiting on hold for 4 hours.
If opening an unknown web page scares you, (Score:2)
why are you still online? And why are you using a QR code scanner that doesn't show you the contents of the code before it does anything with it? Why do people not understand anything if a computer is involved? Everything you can do with a QR code you could just as well do with a short URL that you type in. Are you scared of short URLs too? Don't type Google into Google!
Re: (Score:2)
why are you still online? And why are you using a QR code scanner that doesn't show you the contents of the code before it does anything with it? Why do people not understand anything if a computer is involved? Everything you can do with a QR code you could just as well do with a short URL that you type in. Are you scared of short URLs too? Don't type Google into Google!
Not sure of what your point is. I click on plenty of unknown web pages, and gotta say, there is a reason to be concerned. That's why I wrap my computers in several layers of ad blockers and script blockers. Multiples of each, because not all are caught by any single one. Install at least a script blocker, then look up who is behind the scripts it tells you about.
Problem is, that level of safe computing isn't available on phones. And most people don't want to have to go through enabling scripts so that a
Re: (Score:2)
The point is that none of it is particular to QR codes. A QR code is a small machine readable blob of data, nothing more, nothing less. Any link on a web site poses at least the same risk. A sticker with a short URL poses the same risk. It has absolutely nothing to do with QR codes or them not being human readable. If you're afraid of QR codes, you're afraid of being online.
Re: (Score:2)
For example, a QR code on a parking kiosk for making payment to the city. While a URL can also be used, the fact that the QR code is scannable makes it more appealing to average Joe.
Re: (Score:2)
So remove the QR code then. What do you put instead? An NFC tag? Same problem. A short URL? Same problem. It's a silly warning. Don't scan the code on the parking meter? Then what?
QRcode - like clicking every random link in email. (Score:2)
It's neat on face value, until abused.
They Are Not An Essential Tool (Score:2)
They are a convenience; for both legit and hackers. Better to make it harder on the illegitimate folks, especially as text links or even just text information is not that inconvenient for the user. Businesses trying to be too clever are, as always, fucking over Darwinian levels for their own end; turning to sociopathy when their 'essential practices' end up at the fucking part.
Told you so. (Score:1)
I predicted this as well. Never was there a more destructive or ill-conceived plan than to add yet another layer of impossibly obscure misdirection to the already risk-laden workflow of fetching a document remotely by URL.
Reminds me a little of Snow Crash (Score:2)