DOI: 10.1145/2666620.2666624

QR Inception: Barcode-in-Barcode Attacks

Published: 07 November 2014

Abstract

2D barcodes offer many benefits compared to 1D barcodes, such as high information density and robustness. Before their introduction to the mobile phone ecosystem, they were widely used in specific applications such as logistics or ticketing. However, there are multiple competing standards with different benefits and drawbacks. Therefore, reader applications as well as dedicated devices have to support multiple standards.
In this paper, we present novel attacks based on deliberately caused ambiguities that arise when specially crafted barcodes conform to multiple standards. Implementation details decide which standard the decoder locks on to. This way, two users scanning the same barcode with different phones or apps will receive different content. This potentially opens the way for multiple security-related problems. We describe how embedding one barcode symbology into another can be used to perform phishing attacks as well as targeted exploits. In addition, we evaluate the extent to which popular 2D barcode reader applications on smartphones are susceptible to these barcode-in-barcode attacks. We furthermore discuss mitigation techniques against this type of attack.



Published In

SPSM '14: Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices
November 2014, 118 pages
ISBN: 9781450331555
DOI: 10.1145/2666620

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. barcode
  2. packet-in-packet
  3. protocol decoding ambiguity
  4. qr
  5. security
  6. steganography

Qualifiers

  • Research-article

Conference

CCS '14

Acceptance Rates

SPSM '14 paper acceptance rate: 11 of 29 submissions, 38%
Overall acceptance rate: 46 of 139 submissions, 33%


Cited By

  • (2023) The Security in Optical Wireless Communication: A Survey. ACM Computing Surveys 55(14s), pp. 1-36. DOI: 10.1145/3594718. Online publication date: 28-Apr-2023
  • (2023) A comprehensive survey of phishing: mediums, intended targets, attack and defence techniques and a novel taxonomy. International Journal of Information Security 23(2), pp. 819-848. DOI: 10.1007/s10207-023-00768-x. Online publication date: 19-Oct-2023
  • (2022) Phishing with Malicious QR Codes. Proceedings of the 2022 European Symposium on Usable Security, pp. 160-171. DOI: 10.1145/3549015.3554172. Online publication date: 29-Sep-2022
  • (2022) Traceability in supply chains. Computers and Security 112(C). DOI: 10.1016/j.cose.2021.102536. Online publication date: 3-Jan-2022
  • (2022) Investigating Users' Perception, Security Awareness and Cyber-Hygiene Behaviour Concerning QR Code as an Attack Vector. HCI International 2022 Posters, pp. 506-513. DOI: 10.1007/978-3-031-06394-7_64. Online publication date: 16-Jun-2022
  • (2021) Secure Real-Time Artificial Intelligence System against Malicious QR Code Links. Security and Communication Networks 2021, pp. 1-11. DOI: 10.1155/2021/5540670. Online publication date: 8-Dec-2021
  • (2020) Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions. Information 11(4), article 217. DOI: 10.3390/info11040217. Online publication date: 16-Apr-2020
  • (2020) Design of an efficient image protection method based on QR code. 2020 International Conference on Information and Communication Technology Convergence (ICTC), pp. 1448-1450. DOI: 10.1109/ICTC49870.2020.9289377. Online publication date: 21-Oct-2020
  • (2020) Virtual reality and augmented reality at the service of increasing interactivity in MOOCs. Education and Information Technologies. DOI: 10.1007/s10639-019-10054-w. Online publication date: 4-Jan-2020
  • (2019) Invisible QR Code Hijacking Using Smart LED. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 3(3), pp. 1-23. DOI: 10.1145/3351284. Online publication date: 9-Sep-2019
