Security expert warns smartphone users of the risks in scanning cybercoding
Armed with a sheet of black-and-white stickers resembling a cross between traditional UPC barcodes and a Rorschach test, security expert Eric Mikulas embarked on a mission to protect the city's smartphones.
He knew all too well the increased use of Quick Response codes -- two-dimensional barcodes that can send users coupons or link them to websites with a quick scan from a smartphone app -- has made it easier for businesses to market instant savings and future promotions to customers.
What he didn't know was whether customers understood that scanning a QR code is an act of trust equivalent to opening a locked door before checking the peephole.
The general design of QR codes makes it impossible to distinguish one from another with the human eye, meaning that anyone can replace legitimate codes with their own using a sheet of $7 QR coded stickers. In Russia, cybercriminals used imposter QR codes to siphon cash and personal information from hundreds of smartphone owners in 2011 and were refining their methods to dupe even more users.
Anyone who isn't aware of the risks, at least in Pittsburgh, may soon find out whether they want to or not.
"[QR codes] are being talked about more and more as a potential attack vector, so I just wanted to see how feasible it was if I could bait somebody into scanning them and taking them somewhere they don't expect," Mr. Mikulas said.
Created in Japan in 1994 as a means of tracking cars during the manufacturing process, QR codes have since exploded across the commercial market. Today, most smartphones allow users to download QR code readers that turn camera phones into scanners, translating the code into text or a URL that sends users directly to a website.
Retailers as large as Macy's and as small as the neighborhood ice cream shop accompany traditional ads with QR codes that link customers to discount coupons and contests.
Mr. Mikulas kicked off the QR Code Experiment -- a plan to place his QR-coded stickers in high-traffic areas -- throughout Downtown and the East End last month, but said he's planning to hit the entire region for the experiment's second phase. The QR stickers link scanners to a Wordpress.com site that informs them of the experiment, warns them of dangers such as the risk of linking to malicious sites and lightly chides them for scanning an unknown code.
"First off, I'd like to thank you for scanning that random QR code and visiting this site. You've helped an awful lot. Now the bad news. You've been had," reads the website's introduction.
A tepid response from the 80 stickers he used in the first month of his experiment has encouraged Mr. Mikulas to step things up for phase two. Instead of using the QR-coded stickers by themselves, he said he may attach them to fliers offering a false incentive or even place his stickers on top of existing advertisements and QR codes.
He plans to enlist volunteers to place the stickers in communities across the region when he discusses the project during the B-Sides Pittsburgh Security Conference, a community-driven conference that is part of the Security BSides, a global series of conferences on Internet security issues. B-Sides Pittsburgh kicks off today at the Left Field Meeting Space on the North Side near PNC Park.
"People seem to have a little bit of trust where they won't just scan random QR codes, but they'll scan it if they think they'll get something. That's probably what I'm going to manipulate with the next round of things," he said.
While Mr. Mikulas is practically guaranteed to spark some smartphone owners' ire with the amped-up manipulation, he maintains that it's much less than the anger any user would feel if they scanned a truly malicious QR code.
According to the 2011 Community Powered Threat Report by Amsterdam-based security software provider AVG, the world should expect a drastic increase in malicious QR codes, which they call "printed malware," this year and beyond.
Techniques such as linking QR codes to malicious sites through shortened Web addresses, replacing legitimate QR codes on Web pages with fakes and Mr. Mikulas' sticker technique will all spike as more people begin to regularly scan QR codes, AVG warns. That is a legitimate concern, considering that 14 million of the country's smartphone users scanned a QR or bar code last June, according to a study by Reston, Va.-based digital marketing research company comScore.
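As an added illustration, not from the article or from Mr. Mikulas' experiment, here is a Python triage routine of the kind a QR reader could run on the decoded payload before opening it: it flags the shortened links the article mentions, which hide the real destination, along with a few other signals that a scanned code deserves a second look. The shortener host list, the verdict rules and the `triage_qr_payload` name are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed list of well-known link shorteners (assumption, not from the article).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
# Payloads that trigger a phone action rather than a web visit.
ACTION_SCHEMES = ("tel:", "sms:", "smsto:", "mailto:", "wifi:")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:")


def triage_qr_payload(payload, trusted_hosts=()):
    """Classify a decoded QR payload as 'trusted', 'review' or 'block'.

    Returns (verdict, reasons). A reader app would show the reasons to the
    user instead of opening the link silently.
    """
    text = payload.strip()
    lowered = text.lower()
    if not lowered.startswith(("http://", "https://")):
        if lowered.startswith(ACTION_SCHEMES):
            return "review", ["action scheme needs explicit user confirmation"]
        if SCHEME_RE.match(lowered):
            return "block", ["unknown URI scheme"]
        return "review", ["plain text payload, display only"]

    parsed = urlparse(text)
    host = (parsed.hostname or "").lower()
    if not host:
        return "block", ["URL without a host"]
    reasons = []
    if parsed.username is not None:
        # "https://trusted.example@evil.example/" shows a familiar name first.
        reasons.append("credentials or decoy name embedded before the host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        reasons.append("link shortener hides the real destination")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host, possible lookalike domain")
    if parsed.scheme == "http":
        reasons.append("unencrypted http link")
    if host in trusted_hosts and not reasons:
        return "trusted", []
    hard = ("credentials", "raw IP", "unencrypted http")
    if any(r.startswith(hard) for r in reasons):
        return "block", reasons
    return "review", reasons
```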
Yuval Ben-Itzhak, chief technical officer for AVG, said there is software to protect smartphones from viruses and malware, but he was not aware of any products designed to specifically protect QR code scanners.
Carnegie Mellon University Distinguished Career Professor Michael Shamos, director of the MSIT eBusiness Technology Program, said overall security protections are probably consumers' best bet since it's so difficult to know whether a QR code is legitimate or not.
"In most cases, QR Codes look like they've been produced for print and people think they're legitimate. But if somebody clever comes along and puts a sticker up or creates something that looks legitimate, what can you do about it?" he said.
Both Mr. Shamos and Mr. Ben-Itzhak suggested that smartphone users install security protections and take extra care to make sure they're clicking on legitimate ads.
Mr. Mikulas, for his part, suggests a more direct approach.
"Look out for me," he said with a laugh.
First Published June 1, 2012 12:00 am