This is my new T-shirt. In this post I will explain what QR Codes are, why this technology is making some noise now, and a couple of examples of security issues raised by this useful technology.
Quick Response Codes (QR Codes) are two-dimensional barcodes that were developed in 1994 by a Japanese corporation called Denso, a subsidiary of Toyota. In Japan, every cell phone uses these codes for many services. Now there is a sudden explosion of websites providing services related to QR Codes, for example BeeTagg, with the idea of all things being tagged and tracked from the Internet.
These codes have the following abilities.
- Can be processed quickly for tagging industrial parts; the format was born in the car industry.
- Axis information to correct photo orientation.
- Redundant information and Reed-Solomon error-correcting codes.
- According to some sources, redundant information can be used for artistic purposes (?). No interesting example besides this one, the poem The Walrus and the Carpenter.
- Maximum content size, 2,953 bytes.
For my experiments I used the online Google Chart API barcode generator. The open source Zebra Crossing Project also provides an interface to this generator. They are developing a QR Code scanner for various mobile devices. Check the following example.
To decode these barcodes you can use software on your cellphone, your desktop, or any online decoder like the one kindly provided by DrHu.org here.
Attack Vector 1: Embedded URLs with Non-Persistent XSS
The decoded text follows.
location.href = location.href.replace(/^http:\/\/www.drhu.org\/QRCode\/QRDB_Java.php/,'http://mechpoe.blogspot.com');
Note that DrHu.org's site is not always working because it is not an industrial-sized project. These ideas were partly inspired by the SQL injections on RFID chips described in the paper Is Your Cat Infected with a Computer Virus?.
We conclude that browser-executable code can be included inside QR Codes directly or within URLs. Although the examples I present are not very dangerous, it is possible that more critical examples will appear in the future if QR Codes become more widely used in daily life.
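One way a decoder page or scanner app can handle decoded payloads like these (an added example, not code from this post or from DrHu.org): it escapes the text before display, allows only http/https links, and flags markup hidden in URL parameters. The function names and sample payloads are constructed for illustration.

```javascript
// Added example: text decoded from a QR code is untrusted input.
// All names and sample payloads below are constructed for illustration.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Tag openers, inline event handlers, or a javascript: scheme hidden in a value.
const MARKUP = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;

// Escape HTML-significant characters so decoded text is displayed, never parsed.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Undo percent-encoding (bounded) so %3Cscript%3E is inspected as <script>.
function fullyDecode(s) {
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { return s; }
    if (next === s) break;
    s = next;
  }
  return s;
}

// Classify a decoded payload and return a display-safe rendering of it.
function inspectQrPayload(decoded) {
  const text = decoded.trim();
  const findings = [];
  let url = null;
  if (/^[a-z][a-z0-9+.-]*:/i.test(text)) {          // looks like scheme:...
    try { url = new URL(text); } catch { findings.push("malformed-url"); }
  }
  if (url) {
    if (!ALLOWED_SCHEMES.has(url.protocol)) findings.push("scheme-not-allowed");
    if (MARKUP.test(fullyDecode(url.search + url.hash))) findings.push("markup-in-url-parameters");
  } else if (MARKUP.test(text)) {
    findings.push("markup-in-text");
  }
  return { kind: url ? "url" : "text", findings, html: escapeHtml(text),
           openable: url !== null && findings.length === 0 };
}

// Constructed sample payloads, as a decoder might return them.
const SAMPLES = [
  "https://example.com/page?id=7",
  "http://decoder.example/show.php?text=%3Cscript%3Edocument.title%3D1%3C%2Fscript%3E",
  "javascript:document.title=1",
  "<script>document.title=1</script>",
];
for (const s of SAMPLES) console.log(JSON.stringify(inspectQrPayload(s)));
```

Only the `html` field should ever be written into a page, and only payloads with `openable` set should be offered as a clickable link.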
Check below the remarkable video for the Pet Shop Boys' song Integral.