Thursday, March 15, 2012

Know the Code: Paper Malware

Say hello to the new barcode on the block. A QR code (Quick Response code) is used to store data much like a barcode, but with the ability to hold exponentially more information. QR codes look a little like a Rorschach test: those ink blots that you stare at while telling a guy in a white lab coat what you think they look like, then he nods and says something like, "Ah, mmm hmm, yes very interesting, interesting indeed." QR codes are square blocks of black ink (seemingly placed in a random pattern on the page) that you are more and more likely to encounter on movie posters, in magazines, and on the packaging of products you buy.

Truth be told, QR codes aren't really that new; they have been around since the mid-1990s, having been created by the automobile industry. QR codes continue to evolve. The tighter the spacing of the blocks, the more data a code contains. QR Code version 40 is capable of containing 1,852 characters. In contrast, version 4 could only contain up to 50 characters.

These codes have been adopted in the mainstream because of the versatility they offer over traditional barcodes. The inundation of smartphone technology has aided the increased use of QR codes. Every smartphone with a camera instantly becomes a code reader (with an app that can scan these types of codes). Manufacturers include QR codes with their products as a way to tell a customer more about those products, or about additional services the company provides. In years past the industry would advertise their web address with the hope that it would entice potential customers to visit their site. A company would have to bet on the consumer remembering the address, then later entering it into a web browser on their computer. But once the initial interest wore off, few people would bother to do this. A QR code and smartphone app together make this process seamless. Simply scanning the barcode can automatically launch your web browser and load the website programmed into the code.

I purposely put the words "paper malware" in the subject of this post to get your attention. As with all things technology, you can't sleep at the switch. There is nothing inherently wrong with scanning QR codes, but you do have to be careful not to let curiosity get the best of you. There is such a thing as a malicious QR code. In September of 2011 the first such malware was discovered. This malware targeted Android phones simply due to the "open" nature of the platform. Open platforms allow anyone to create apps without having to go through a clearing house to vouch for the decency of the app. In contrast, Apple has a basic vetting process for approving apps for their proprietary iOS, in part to reduce potential malware; this does not mean, however, that iPhone users can't be harmed by malicious QR codes.

Cyber crooks will perpetrate their crimes by placing their own QR code stickers over existing marketing materials. They may also place their paper malware on walls, light posts, or other public places. These criminals are betting on social engineering to get you to scan their codes. The curious and unsuspecting consumer will unknowingly scan codes that contain malicious text and website addresses containing hidden malware. Before the end user realizes what happened, their device has been compromised and personal data has been stolen. Malicious QR codes can:
  1. Steal your credit card information if you use your smartphone to shop online
  2. Con you into downloading apps containing malware
  3. Send expensive SMS text messages to premium phone numbers effectively running up the charges on your cell phone bill
  4. Ask you to provide your passwords for your email, online banking account, or social networking sites
  5. Steal information from the contact list on your phone

You can take steps to protect yourself from QR code attacks. The most obvious one would be never to scan them. If you do want to scan QR codes, do it only when you have a genuine interest in the product or service beyond a passing fancy, and follow these basic tips:
  1. Look for codes that are printed directly on the packaging of the product of interest
  2. Scan codes only from trustworthy sources
  3. Avoid codes that are printed on stickers
  4. Avoid those that have no explanation or description accompanying the code
  5. Use a QR Code scanner app that supports URL previews, thus allowing you to see if the code matches the product or service it purports to be
  6. Keep your smartphone firmware and apps up to date, since updates often provide security patches
  7. Avoid entering a username and password for any personal accounts if prompted by a QR code
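
What a URL preview (tip 5) can check before anything is opened, as an added example that is not part of the original post. The function name `preview_qr_payload`, the `expected_domain` parameter, the sample payloads and the short-code heuristic are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def preview_qr_payload(payload, expected_domain=None):
    """Describe what a decoded QR payload would do, without acting on it."""
    text = payload.strip()
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower() if sep else ""
    target, warnings = "", []
    if scheme in ("http", "https"):
        action = "open web page"
        url = urlsplit(text)
        target = (url.hostname or "").lower()
        if scheme == "http":
            warnings.append("unencrypted http link")
        if url.username is not None:
            warnings.append("text before '@' is not the site; real host is " + target)
        try:
            ipaddress.ip_address(target)
            warnings.append("raw IP address instead of a site name")
        except ValueError:
            pass  # a normal host name
        if url.path.lower().endswith(".apk"):
            warnings.append("direct Android app download outside an app store")
        if expected_domain and not (target == expected_domain
                                    or target.endswith("." + expected_domain)):
            warnings.append("host does not match expected " + expected_domain)
    elif scheme in ("sms", "smsto", "tel"):
        action = "dial number" if scheme == "tel" else "compose text message"
        target = rest.lstrip("/").split(":")[0].split("?")[0]
        # Heuristic (assumption): short codes are often premium-rate services.
        if target.isdigit() and len(target) <= 6:
            warnings.append("short code; may be billed at a premium rate")
    elif sep and scheme.isalnum() and " " not in text:
        action, target = "hand off to another app", scheme
        warnings.append("unrecognised scheme " + scheme)
    else:
        action = "show plain text"
    return {"action": action, "target": target, "warnings": warnings}

# Constructed sample payloads (not taken from any real code).
SAMPLES = [
    ("https://www.example.com/product", "example.com"),
    ("http://example.com@203.0.113.7/update.apk", "example.com"),
    ("SMSTO:55512:JOIN", None),
]
if __name__ == "__main__":
    for payload, brand in SAMPLES:
        print(payload, "->", preview_qr_payload(payload, brand))
```

Pass the brand's domain as printed on the packaging as `expected_domain`; an empty warning list means only that none of these checks fired, not that the destination is safe.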

QR codes are just another example of something that starts with the best of technological intentions but can be easily corrupted by those who choose to commit crimes. So, while you ready your smartphone to scan a QR code, reflect back on this post.