Monday, 27 October 2014

Secure QR Codes: the next step?

In the last couple of years, we have been seeing a boom in the usage of Quick Response (QR for short) Codes (bit.ly/1psFKTY).

According to Visual.ly (bit.ly/1ko7quq), the number of created QR Codes outside Japan (where they are most popular) will reach 590 million by 2016.
This increase in usage was driven by:
  1. The popularity of smartphones that can read and interpret QR Codes;
  2. Their use as a means of marketing.
According to the marketing guide Heidi Cohen (bit.ly/1ACNGYI), people tend to scan QR Codes to get some type of discount, purchase products, access additional information, or place bets.
QR Codes are commonly found in printed media (magazines, newspapers), public transportation, publicity boards, social events, and many other places.
The most common type of content embedded in a QR Code is a URL. These are opened in the device’s browser and take the user to a web page that contains the intended information.
This behavior can lead to problems when the authenticity of the QR Code is not verified, or when the code carries no authenticity information at all, because the user can’t read the encoded information.
Citation from mobilephonesecurity.org (bit.ly/UO2bYx)


A study conducted by AppSec Labs (bit.ly/1koJ0ks) tests fourteen different QR Readers, and concludes that 35% of them are vulnerable to the evilURL vector.
Of the tested applications, only one would not execute the malicious code. This shows that it is possible to use evilQRs as an attack vector to infect user devices.
By combining the ease of creating an evilQR (bit.ly/1odERyW) with social engineering techniques or false publicity (e.g., mailed promotions, phishing, big sporting events, etc.), it would be quite easy to trick people into scanning the malicious QR Code.
In fact, attacks based on evilQRs have already been carried out.
An attack called QR-Jacking appeared in Japan in 2011.
There are some good practices that try to minimize the possibility of this kind of attack (bit.ly/UO2bYx). However, since these rely on the prudence of the users, they offer little or no protection.
But does this mean that we are destined to use “unsecure” QR Codes?
Citation from mobilephonesecurity.org (bit.ly/1s9Zjl0)
Based on a paper published at the 4th International Conference on Computer Engineering and Technology (http://tinyurl.com/ory89en) and on the work performed by Ecert, we are able to answer the above quotation with: “yes, we can add some security to the QR Codes”.
By providing Authenticity (it was created by the “legit” owner) and Integrity (it was not modified after creation) to QR Codes, we are able to mitigate the QR-Jacking attack.
Once a QR Code is created with these properties, an attacker will no longer be able to make an evilQR and impersonate a legit one, because the reader will be able to detect that the QR Code was either modified or replaced.
This is the case with Ecert, which recently started to issue certificates with QR Codes in order to verify their authenticity (bit.ly/1qPQEXW).
The Japanese government is currently issuing passport visas with QR Codes (bit.ly/1nbqW7Z). These codes are encrypted and are used by the country authorities to get information related to the entry.
While the Japanese government is concerned with the confidentiality of the data encoded in the QR Code, the Integrity and Authenticity of the information are key to addressing other security-dependent scenarios.
By creating a digest of the information that we wish to put in the QR Code and then signing it (with the creator’s private key), we are able to provide both Integrity and Authenticity to it.
After signing, the authenticated digest is added to the original information and (if necessary) both are compressed. Then, the output is fed to the QR Code generator, thus generating an authenticated QR Code.
The picture below depicts this process.
Authenticated QR Code creation
QR Codes generated in this manner can be verified for authenticity and integrity when they are scanned, by applying the inverse process.
When the QR Code reader scans the code, it will decompress the content, thus obtaining the information and the signed digest.
First, the reader should check the signature (using the creator’s public key). If the signature verification fails, the code has been tampered with and the process should be aborted.
If the signature is valid, the reader generates a digest of the information and compares both digests. If they match, then everything is ok; otherwise, the QR Code was altered.
The following picture illustrates the verification of the QR Code.
QR Code content verification
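The creation and verification steps described above, as an added Go sketch of the scheme (not code from the cited paper or from Ecert). Assumptions: ECDSA P-256 over a SHA-256 digest stands in for the unspecified signature algorithm, the one-byte length-prefix layout and the function names are invented here, and the optional compression step is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKey makes a throwaway P-256 creator key pair for this demo.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildPayload signs SHA-256(info) with the creator's private key and returns
// the bytes for the QR generator. Layout (assumed here): len(sig) | sig | info.
func BuildPayload(priv *ecdsa.PrivateKey, info string) ([]byte, error) {
	digest := sha256.Sum256([]byte(info))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	// A DER-encoded P-256 signature is at most 72 bytes, so one length byte is enough.
	return append(append([]byte{byte(len(sig))}, sig...), info...), nil
}

// VerifyPayload is the reader side: it returns info only if the signature
// verifies, under the creator's public key, over the digest recomputed from info.
func VerifyPayload(pub *ecdsa.PublicKey, payload []byte) (string, error) {
	if len(payload) == 0 || len(payload) < 1+int(payload[0]) {
		return "", errors.New("malformed payload")
	}
	n := 1 + int(payload[0])
	sig, info := payload[1:n], payload[n:]
	digest := sha256.Sum256(info)
	// With ECDSA, the signature check and the digest comparison are a single call.
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("rejected: content altered or not signed by this creator")
	}
	return string(info), nil
}

func main() {
	key, _ := NewKey()
	p, _ := BuildPayload(key, "https://example.org/promo") // constructed sample URL
	fmt.Println(VerifyPayload(&key.PublicKey, p))
}
```

The reader must already hold the creator's public key from a trusted source; a key shipped inside the QR Code itself would let a replaced code vouch for itself.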
By applying the described processes, we are able to ensure the Authenticity and Integrity of QR Codes.
These processes will provide stronger security properties to them, thus providing enough reliability to encourage new ways of using them.

So, are you going to take the next step and provide security to your QR Codes?

Are SmartPhones getting too smart?

In recent years, the usage of smartphones has been growing at a steady pace. According to a study conducted by eMarketer (http://tinyurl.com/qcjkkj8), the number of smartphone users will total 1.75 billion in 2014, which represents almost one quarter of the world population. This number will grow to 5.13 billion by 2017, which is very impressive if we take into account that the projections for the world population indicate that by 2050 the total population will be 9.6 billion. This means that by 2017, smartphone users will largely surpass 50% of the world population.
This increase in usage has driven manufacturers to compete among themselves for the biggest market share. To achieve this goal, they are producing smartphones with impressive capabilities. These capabilities are such that OS manufacturers are developing full versions of their systems to work on these small devices (example: Ubuntu for Android http://tinyurl.com/cwh26wa).
For most users, the smartphone is used, aside from normal communications, as a means to access the internet. This access is done either using the web browser or through applications that can be downloaded and installed using stores like Google Play or App Store. According to research conducted by PewInternet (http://tinyurl.com/lzzsc9z) in 2013, 90% of the North American population owns a smartphone, 63% of those access the internet on the device, and 34% mostly use only the smartphone as a means to access the internet.
In many companies, the smartphone is used as a work tool. This way, users are always reachable, and they can read their email and consult information from anywhere. The increase in usage of the device also drains the battery more quickly. To “combat” this “issue”, users tend to charge their phone at work, and most of the time they connect the smartphone to the computer to do this. So suddenly, computers in controlled networks may have uncontrolled access to the “outside” world, which can pose a new threat.
In the last couple of years, more and more cases of information theft have been happening (Orange case: http://tinyurl.com/qcdw8up, PS Network outage: http://tinyurl.com/3pplxq2, Ebay: http://tinyurl.com/p2vknhc). One particular case that we would like to mention is the one that occurred at AT&T (http://tinyurl.com/m5sg2qf), where employees of a third-party provider accessed and stole confidential client information from the company. Although the attack vectors differ, the fact remains that client information is being targeted and stolen from controlled and protected environments. With this, we arrive at our first case.
By using an internet-enabled smartphone connected to a computer in the company’s network, malicious users can access confidential information (depending on the accesses of the user) and send it through an uncontrolled gateway. This theft may not even be noticed if the information that is stolen is part of the BAU (business as usual) of that user. However, users can also participate in information theft without realizing it.
The increase in smartphone interest has also attracted the attention of not-so-well-intentioned people. Since the beginning of the year, several new pieces of mobile malware have appeared. Among them, perhaps the most noteworthy are:
  • The ransomware malware family (example: Cryptowall http://tinyurl.com/kc9n9gp). This malware encrypts the files on the device using some type of cryptography (symmetric or asymmetric) and then asks for a ransom in order to provide the decryption key.
  • The BadLepricon malware (http://tinyurl.com/o64axe8), which checks whether the device is connected to a charger and idle before it starts mining for cryptocurrency.
  • The Oldboot family (http://tinyurl.com/nllf97c), which is considered the most advanced mobile Trojan ever produced. The latest version was dubbed Oldboot.B and is able to install apps silently, inject malicious modules into system processes, prevent antivirus software from removing installed malware, steal data present on the device, receive commands from C&C (command-and-control) servers, and encrypt files in the system, among other capabilities. In order to avoid detection, Oldboot.B uses advanced techniques like steganography to hide its files.
  • Android.Claco, which downloads two files to the device's SD card root directory (one executable and one autorun file). Once the device is connected to a computer in USB mode, if the computer has the autorun functionality enabled, the executable file will be automatically executed. So, rather than targeting the smartphone itself, Android.Claco uses it as a means to target the computers to which the smartphone will be connected.
The way in which smartphones are infected varies from one piece of malware to another. For example, in the case of Cryptowall, users are tricked into downloading the malware via advertisements on very high-profile public domains such as Disney, Facebook and so on. BadLepricon and Oldboot are disguised as normal applications that install the malware in the background. A different approach is the one used by Trojan.Droidpak (http://tinyurl.com/kz4svsb), which is a Windows Trojan that waits until a smartphone is connected to the computer to infect it with malware of its choice. From these facts, we have the conditions to present a scenario where the user participates in data theft without realizing it.
In this second scenario, a smartphone is infected with malware that targets the user’s computer to steal information. Although there aren’t reports of such malware, from the examples that we have, it is very easy to imagine malware that, when the device is connected to a computer, tries by every means to drop an executable payload. This payload will then monitor the computer in order to steal information. Once it has completed its purpose, all it needs to do is send the result back to the creator (or C&C servers). This operation can be done undetected by using the alternative connection provided by the device connected to the computer.
Well, this last paragraph may seem very “strong”. However, if we take into account that this information may be financially more valuable than targeting smartphones to mine cryptocurrency or to demand a ransom from the user, this may be a scenario that we will see in the near future.
Currently, companies treat the “link” between a smartphone (and other such devices) and the user’s computer as an assumed risk. In light of the presented scenarios, the question that they should ask is: Should we keep assuming this risk?