With QR codes, even security pros play the fool
- By William Jackson
- Sep 12, 2012
Security professionals who would never open an unsolicited attachment and would not think of clicking on a strange URL do not hesitate to scan a QR Code with a mobile device for the chance of winning a free iPad.
“That doesn’t make sense,” said David Maman, CTO of the database security company GreenSQL. But it apparently is true.
Maman made his finding in April at Infosec UK, Europe’s largest information security conference. He created a small poster with the logo of a real security company and a two-dimensional Quick Response Code urging passersby to “just scan to win an iPad.” And 455 of them did. There were 142 iPhone users, 211 Android users, 61 BlackBerrys and 41 unknown browsers. Fortunately, all their gullibility got them was a smiley face.
Managing mobile security: There's no such thing as a free app
The codes originally were developed for use in the auto industry, but because of their ability to encode large amounts of quickly scanned data they have become popular with advertisers as a way of directing traffic to websites from mobile devices. An application scans the code, which is translated into a URL that is sent to the device’s browser.
And therein lies the problem — what is on the other end of that link is anybody’s guess. Usually it’s an advertisement, a coupon or some other legitimate material. But since at least late last year they have been found also to direct users to malicious sites where malware can be downloaded.
Maman discovered one such QR Code in March that directed users to a site in China that delivered a piece of Android malware. It was that discovery that led him to try his experiment.
“Remember, this was a conference for security professionals,” he said.
The first line of defense against malicious QR Codes is common sense, he said. Think before you scan, just as you would before you click. Does the code seem to come from a reliable source? Does the URL it encodes appear to be what it says it is?
But evaluating a code and the link can be difficult because small-screen browsers often do not show the entire URL at once. And URLs can be spoofed or traffic redirected. So mobile devices also need security software, including URL filters to block blacklisted addresses and antivirus engines.
No tool is foolproof, however, and it ultimately is up to the user not to play the fool. So before you scan, ask yourself: Is it really worth it?
William Jackson is freelance writer and the author of the CyberEye blog.