Secure QR Codes: the next step?

In the last couple of years, we have been seeing a boom in the usage of Quick Response (QR for short) Codes (bit.ly/1psFKTY).

According to Visual.ly (bit.ly/1ko7quq), the number of created QR Codes outside Japan (where they are most popular) will reach 590 million by 2016.

This increase in usage was powered by:

1. The popularity of smartphones that have the capacity to read and interpret the QR Codes;
2. As a means of marketing.

According to the marketing guide Heidi Cohen (bit.ly/1ACNGYI), people tend to scan QR Codes to either get some type of discount, purchase products, access additional information, or perform bets.

QR Codes are commonly found in printed media like (magazines, newspapers), public transportation, publicity boards, social events, and many other places.

The most common type of content embedded in a QR Code is a URL. These, are opened in the device’s browser and transport the user to a web page that contains the intended information.

This type of behavior may lead to potential problems if the authenticity of the QR Code is not verified or not present because the user can’t read the encoded information.

Citation from mobilephonesecurity.org (bit.ly/UO2bYx)

A study conducted by AppSec Labs (bit.ly/1koJ0ks) tests fourteen different QR Readers, and concludes that 35% of them are vulnerable to the evilURL vector.

From the tested applications, only one would not execute the malicious code. This shows that it is possible to use evilQR’s as an attack vector to infect user devices.

By leveraging the ease of creating an evilQR (bit.ly/1odERyW) and social engineering techniques or false publicity (ex: mail publicity for promotions, phishing, big sport events, etc.), it would be quite easy to trick people into scanning the malicious QR Code.

In fact, attacks based on evilQR’s are already performed.

An attack called QR-Jacking has appeared in 2011 on Japan.

There are some good practices that try to minimize the possibility of this kind of attacks (bit.ly/UO2bYx). However, since these rely on the prudence of the users, they offer little or no protection.

But, does this mean that we are destined to use “unsecure” QR Codes?

Citation from mobilephonesecurity.org (bit.ly/1s9Zjl0)

Based on a paper published on the 4th International Conference on Computer Engineering and Technology (http://tinyurl.com/ory89en) and on the work performed by Ecert, we are able to answer to the above quotation with: “yes, we can add some security to the QR Codes”.

By providing Authenticity (it was created by the “legit” owner) and Integrity (it was not modified after creation) to QR Codes, we are able to mitigate the QR-Jacking attack.

Once a QR is created with these properties, an attacker will no longer be able to make an evilQR and impersonate a legit one because, the reader will be able to detect that the QR either was modified or replaced.

This is the case of Ecert that, recently started to emit certificates with QR Codes in order to verify their authenticity (bit.ly/1qPQEXW).

The Japanese government is currently issuing passport visas with QR Codes (bit.ly/1nbqW7Z). These codes are encrypted and are used by the country authorities to get information related to the entry.

While the Japanese government is concerned with the confidentiality of the data encoded on the QR Code, the Integrity and Authenticity of the information is key to address other security dependent scenarios.

By creating a digest of the content of the information that we wish to put on the QR Code and then signing it (with the creator’s private key), we are able to provide both Integrity and Authenticity to it.

After signing, the authenticated digest is added to the original information and (if necessary) both are compressed. Then, the output is feed to the QR Code generator thus generating an authenticated QR Code.

The below picture depicts this process.

Authenticated QR Code creation

When the QR Codes that are generated in this manner are scanned, they can be verified for authenticity and integrity by applying the inverse process.

When the QR Code reader scans the code, it will decompress the content, thus obtaining the information and the signed digest.

First, the reader should check the signature (using the creator’s public key), if the signature verification fails, the code has been tampered and the process should be aborted.

If everything is ok with the signature, the reader generates a digest of the information and compares both digests, if they match, then everything is ok, otherwise, the QR Code was altered.

The following picture illustrates the verification of the QR Code.

QR Code content verification

By applying the described processes, we are able to ensure the Authenticity and Integrity of QR Codes.

This processes will provide stronger security properties to them, thus providing enough reliability to encourage new ways of utilization.

So, are you going to take the next step and provide security to your QR Codes?