Friday, August 30, 2019

Potentially malicious use of QR codes and NFC chips

Like any technology, QR codes and NFC chips can be abused and misused for selfish or criminal purposes. I was reminded of this by a recent Dark Reading article by Chris Franklin, Jr. titled "9 Things That Don't Worry You Today (But Should)."

One of the things that Chris highlighted was QR codes, and when I saw this particular page it reminded me that I had written about the abuse of these codes myself (seven years ago). In fact, I not only wrote about them, I did some research on them and an adjacent technology, the NFC chip (both can be used to trigger events in an information system, and they are cheap to implement, easy to program, and also very thin).

I made a very short video to demonstrate one potential type of abuse - tricking people into visiting a malicious website. Here is the video, with thanks to my former employer, ESET, for giving me the time and resources to make this demo:


As you can see, there is plenty of potential for hijacking or misdirecting people's interests via both QR and NFC technology, and I am indebted to my former ESET colleague, Cameron Camp, for pointing some of these out, way back in early 2012.

(Funny story: about that time, Cameron was in Hong Kong to speak at a security conference and noticed the extensive use of QR codes in public transportation vehicles. He pointed this out to a company exec who was there and said, "How about I write a blog post showing how someone could print their own codes on sticky labels and just plaster them over these legit codes?" Apparently, this produced a lot of head-shaking. ESET decided to go with the more low-key demo you see here.)

Back then I wrote a couple of related articles on this blog:
Enjoy!
