Security of QR Codes
Abstract
The 2-dimensional barcodes known as QR (Quick Response) Codesare increasing their popularity as they appear in more places in theurban environment. QR Codes can be considered as physical hyper-linksthat give the ability to users to access, through their mobile devicesthat are able to scan QR Codes, additional information located in aweb-page. Apart from marketing, QR Codes have been also adopted indifferent areas such as the on-line payments. This development alongwith the trend that some of the users may follow which indicates toscan unauthenticated data, such as QR Codes located in public places,motivated us to investigate how QR Codes can be used as an attackvector. We first developed an implementation which attempts to brute-force QR Codes by attacking directly the modules, aiming to retrieve analternated URL upon scanning the QR Code and after having appliedthe module changes. Our implementation showed us that such an attackis unfeasible in a real attack scenario. However, the second approachthat we followed, in which we attacked the binary representation of theencoded string, we managed to produce the desired result. Furthermore,we conducted an empirical study aiming to identify the users? level ofsecurity awareness concerning the security issues related to QR Codes.The on-line survey that was accessible through our QR Code stickers,was our mean of interaction with the users. We deployed our stickers in 4European cities (Vienna, Helsinki, Athens and Paris) and we managed toattract 273 individuals that scanned and visited our web pages. Out ofthese visitors, 83 participants completed our online survey. The resultscollected indicate that users are motivated mainly by their curiosity andthey have serious lack of knowledge on the potential threats and the waysto protect themselves.