Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSec 2012

Steve Werby (@stevewerby) ConSec 2012: Forget Malicious Links and Fear the QR Code

Forget Malicious Links and Fear the QR Code

http://bit.ly/consec2012

Steve WerbySecurity Researcher and ConsultantConSec 2012


The rules Have a question? Ask away! Have a comment? Share! I will ask you some questions too. I will give away Attrition shirts to a subset

of those who participate


Disclaimer

The opinions shared represent my views, the views of my clients, the views of my past employers, and most importantly, the views of my future employers.


Disclaimer

Ahoy, matey! Th' opinions shared represent me views.


Who am I?


Who am I? ISACA Certified Information Security Manager (CISM), 2010 (not quite) (ISC)2 Certified Information Systems Security Professional (CISSP), 2010 GIAC Security Leadership Certification (GSLC), 2008 GIAC Certified Forensics Analyst (GCFA), 2007 GIAC Web Application Security Certificate (GWAS), 2007 GIAC Security Essentials Certification (GSEC), 2007 GIAC Certified Incident Handler (GCIH), 2006 MBA, Virginia Commonwealth University BS, Industrial and Systems Engineering, Virginia Tech


Who am I?


Agenda

1. Overview of QR codes2. Planning the research study3. Deploying the research study4. Analysis of the results5. Education campaign6. Recommendations to reduce risk7. Q&A


Takeaways

1. QR codes pose risk similar to shortened URLs

2. Not all QR code readers created equal3. People easily socially engineered4. Resource for educating users


Overview: Shortened URL risk No visual cue what the destination web

page is May point to a malicious web page May point to a legitimate web page, with

an intermediary malicious web page

bit.ly/a301xD => ?


Overview: QR codes

1. 2-d barcode2. Varies by:

1. Mode2. Version3. Level of error correction


Overview: QR codes


Overview: Target actions

1. URL2. Text3. Calendar entry4. SMS5. Email6. vCard7. Phone call


Overview: Threat

1. Deliver [malicious|undesired] payload2. Funnel to [malicious|undesired] destination3. MiTM


Overview: Threat

1. Deliver [malicious|undesired] payload1. Exploit app vulnerability2. Exploit OS vulnerability

2. Funnel to [malicious|undesired] destination1. Phishing page2. Premium SMS

3. MiTM1. Clickjacking, framesniffing, etc.2. CSRF, XSS


Overview: Examples


Planning: Goals Evaluate QR code readers’ controls and

default behavior Assess user vulnerability to attacks Educate users


Planning Mediums What to measure Granularity


Planning: Mediums Electronic – web, email, Facebook 1:1 print – mailers, newspaper inserts, flyers 1:n print


Planning: Campaigns Classes

Original Added Overlaid

Original No written URL Written shortened URL Written


Planning: Granularity

Granular Campaign Campaign variants Physical location by GPS coordinates Target action performed Education


Planning: What to measure Count people scanning QR code Count people who perform target action

By choice Automatically

Effectiveness of campaign types Effectiveness of context


Planning: Flow qrcoderisk.com spoofed spoofed => qrcoderisk.com innocuous innocuous => qrcoderisk.com Shortened URL => qrcoderisk.com Shortened URL => qrcoderisk.com => real Shortened URL => innocuous => real Shortened URL => spoofed => real


Planning: Attributes to capture

Campaigns Campaign ID Campaign variant ID Campaign description Flow type (direct, shortened URL) URL display type (none, shortened URL,

real)



Deployments QR code ID Campaign variant ID Physical location GPS coordinates Number deployed Type (original, added, overlaid) Date deployed Picture



Tracked Visit ID QR code ID Campaign variant ID IP address (stripped/purged after 72 hours) User agent Date/time



Surveyed Visit ID QR code reader Knowledge of QR code risk

Data backed up QR code reader behavior


Planning: Hosts and services

Hosts qrcoderisk.com the<word>portal.com qrcode<obfuscated>.com (innocuous) bit.ly/qrcodeNNN

Services Amazon EC2 – LAMP platform bitly QRStuff QR Code Generator GPS Status (Android app) Several Android QR code readers


Deploying: Setup Generate shortened URLs using bitly Create unique QR codes pointing to

unique URLs Print documents and stickers


Deploying: Locations Easy to access High foot traffic Low security Unlikely to be removed quickly


Deploying: Campaigns Original

Suspicious Plausible

Added / overlaid Anything went


Deploying: Campaigns


Deploying: Locations Stores (grocery, department, etc.) Schools Events (sporting, conferences) Vehicles (authorized!)


Deploying: Campaigns


Analysis: Capturing bitly tracking (when used) Apache access.log MySQL DB populated from access.log,

user actions, user input

66.87.xxx.yyy - - [14/Sep/2012:12:33:52 +0000] "GET /nnn HTTP/1.1" 200 558 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"


Analysis (preliminary): Campaigns

Ranking

Free iPad (20)Work at home (17)Scan me for recipes (13)Catchall of Added (11)Mystery shopper (9)Scan this I dare you (8)Catchall of Overlaid (7)Don’t scan me (6)Only a QR code (5)Scan me (4)


Analysis: Tools for Android

ToolExpand Shortened URL

Warn if Malicious

Default Post-Scan Actions

Edit Post-Scan Actions

Save Scanned QR Codes

QR Droid No No Ask By Type YesMicrosoft tag No No Open No Yes

Quick Barcode Scanner No No Open No No

Scanlife Barcode & QR Reader

No No Open Yes, Global Yes

QuickMark Barcode Scanner

No No Ask No Yes


Education campaign: Components Risks that QR codes can pose What to look for Tool features Tool recommendations


Education campaign: Measurement Knowledge of the risk QR reader used What gained

New knowledge Intent to change behavior


Reducing risk: Publishers Describe in detail what the QR code does Do not use shortened URLs for QR codes


Reducing risk: App developers Give user control over QR code actions Set default settings to lowest risk


Reducing risk: Users Be cautious Use QR code readers with adequate

controls and enable them


Reducing risk: Infosec practitioners Make constituents aware of risk Deploy/configure/recommend adequate

tools


Takeaways

1. QR codes pose risk similar to shortened URLs

2. Not all QR code readers created equal3. People easily socially engineered4. Resource for educating users


Thanks @itandmore for helping come up with the

research idea @tbwerby for assisting with copywriting,

graphics, and deployment Volunteers for deployment assistance wtfqrcodes.com for many of the

interesting QR code examples ConSec for selecting my presentation


Next steps Continue research (volunteers?) Implement qrcoderisk.com as an ongoing

security awareness site (possibly)


Q&A

Ask now, ||Track me down later ||<EMAIL ADDRESS STRIPPED> ||@stevewerby ||DerbyCon ||SecTor ||Hack3rcon

Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSec 2012

Technology

Transcript of Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSec 2012