Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Malicious Images: What's a QR Code - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious Images: What's a QR Code

I just wrote a quick note about the Cisco warranty CD mixup. While writing that, it came to me that currently quite a few of our readers may be visiting Las Vegas for this summers security drink fest. Historically, this has been a time to play various pranks on the audience of these conferences. In the past, fake ATMs, odd wifi networks, weird BGP issues and other tricks were mentioned.

One thing to look out for this year may be QR codes. 25% of internet users are now apparently using mobile devices. Many of them have known vulnerabilities the owner didn't bother to patch yet. At Vegas this week, you may prefer using your mobile device via 3G networks to avoid the notoriously unsafe Wifi networks offered at these conferences.

But there is one problem with mobile devices: The keyboard typically stinks. In particular on cell phones. To help you with that, we have "QR" codes. QR codes are bar codes that encode text and are commonly understood by mobile devices. Take a picture of it, and an app will take you to the encoded URL. Sadly, most people are not all that good in encoding barcode, and have no idea what they are entering. Compare it to handing your phone to a "friend" and telling them to type for you.

These barcodes can link directly to browser exploits, or could include other malicious content to manipulate your phone. If you spot a malicious code, let us know ... most of the applications will tell you what URL they are going to open up before they actually load it (similar to some of the short code URLs).


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022


4507 Posts
ISC Handler
Aug 3rd 2011
I just tried this code above with two different QR readers on my phone. One showed the link with the option to open it, the other just opened the URL.
And I thought it was going to be an invite from Johannes for Google+....

12 Posts
Displaying the URL won't help much if the QR is a shortened URL that in turn refers to the exploit URL, though that might eventually be caught and killed by the shortener service.

It also won't help if the URL is not recognizable as risky. How many people can identify a suspicious URL on sight?

...random evil thought: I wonder how long it would take the QR for goatse to become recognizable by people?

Putting that up various places might be an effective way to train people to not scan random QRs...
John Hardin

62 Posts
I accidentally produced a QR code which crashed Google Authenticator on android which then rendered the application useless until it was reinstalled.

This had the practical effect of destroying any secret keys you had already stored.

They fixed this in version 0.64 which came out as an update on the android market a week or so ago.

No mention in the changelog of the security fix though.

If anyone is interested the bug or qrcode of death, they are shown here:

As a side note, I think the google authenticator app is absolutely awesome and I would recommend it to anyone.
John Hardin
1 Posts
Many URL shoteners don't care that their service is being used for malicious purposes. I've had contact with a few of them in the past regarding spam on twitter, as well as msn im's, and they'll stop one or two, but after a while they'll tell you to p*ss off.
MasterCard is right on time.

4 Posts

Sign Up for Free or Log In to start participating in the conversation!