by Brandon Laur
What harm can QR codes pose? This is the question presented to a group of participants during Social Media Camp 2012 in Victoria, British Columbia. As a conference dedicated to social media, it would have been unreasonable for the participants not to address current security concerns with social media. Social media security is a subject area about which the average internet user knows little. It is much easier to believe in a “just-world” online than to take a few moments to critically assess what is going on behind the user interface. So what is going on?
Communication online is becoming more open and more available, and end users are generally forced to go with the flow of new technologies without a second thought. So again, what harm can result from the use of QR codes?
In contemporary society, people manoeuvre through daily life on autopilot. From a security standpoint, this predictable behaviour creates opportunities for the criminal element; in particular, the cyber criminal aims to exploit the lack of critical thinking. Phishing and scam websites are a common example: scammers rely on the conditioned response of the user to automatically enter their credentials, because the digital citizen is so accustomed to always logging on. Across emails, blogs, websites, and social networks, users forget to critically assess how and where they are logging in, and who may be monitoring that information, before pressing the log on button.
The tinyurl, as the name suggests, is a shortened web link standing in for a longer source URL. Such a link looks like http://tinyurl.com/23nrvsz; this link actually leads to http://www.personalprotectionsystems.ca. From the viewpoint of the attacker this provides the perfect opportunity to launch a phishing attack against a user who clicks on the link thinking it leads to their social network or online bank. These shortened links give users the ease of access they insist on having.
Another issue internet users fail to recognize is the data created just by visiting a website. Much of the internet is driven by measuring the rate at which devices connect to websites. It is in the best interest of the blogger and the e-commerce business to collect information on their customers, and these businesses collect it whenever users connect to their website. Sometimes the business model of an online company is based purely on collecting and trading information about customers.
A growing trend in social media tools is the use of QR (Quick Response) codes. This tool functions much like a barcode in a retail store. Using the camera of a smartphone, an internet connection, and software that can read the QR code, the user is connected to a website. This connection via the camera phone lets the smartphone user quickly access the website without typing the URL. The risk comes from users not knowing what site a QR code will link to. Much like the tinyurl, a QR code relies on the trust of the user to believe that what is advertised with the code is what they will get when they scan it.
Note on the term used above: the Just-World Phenomenon is the belief that doing good deeds in life will result in good things happening to oneself.
Malicious websites have the potential to inject dangerous code into a smartphone just by the phone connecting to the website, an attack known as a “drive-by download”. Take for example a cyber criminal who has printed a variety of QR codes linking to a malicious website, with the purpose of pasting these codes over legitimate QR codes so that they pass for the genuine code and deceive consumers into compromising their devices.
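As an added example that is not part of the original article, the following Python snippet does for the tinyurl and QR code passages above what a cautious user would want done before opening a scanned link: it reports what a decoded QR payload points at and expands a shortened link by asking each hop for its redirect target without ever rendering the destination page. The shortener list and the redirect mapping used in the test are assumptions constructed here; only tinyurl.com and its destination come from the article.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

# tinyurl.com is the shortener the article discusses; the rest are an assumed,
# non-exhaustive list of other common shorteners.
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co"}

def describe_payload(payload: str) -> dict:
    """Summarise what a decoded QR payload would do before anyone opens it."""
    parts = urllib.parse.urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return {
        "scheme": scheme,
        "host": host,
        "is_web_link": scheme in ("http", "https"),
        "is_shortened": host in KNOWN_SHORTENERS,
    }

def _http_head_location(url: str) -> Optional[str]:
    """Return the Location header of a redirect without following it."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # do not follow; urllib raises HTTPError instead
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")

def expand_short_url(url: str,
                     head: Callable[[str], Optional[str]] = _http_head_location,
                     max_hops: int = 5) -> list:
    """Follow redirects hop by hop, returning the chain from url to the final target."""
    chain = [url]
    for _ in range(max_hops):
        target = head(chain[-1])
        if not target:
            break  # no redirect: this is where the link really lands
        target = urllib.parse.urljoin(chain[-1], target)  # Location may be relative
        if target in chain:
            break  # redirect loop
        chain.append(target)
    return chain
```

The `head` parameter accepts any callable returning the next hop, so the chain can be checked offline against a constructed mapping or against the live service with the default HEAD-request helper.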
The purpose of the following experiments is to illustrate how consumer expectation and conditioning are dangerous. Two separate experiments were undertaken during Social Media Camp 2012 in Victoria, British Columbia. Each test was proposed as a learning tool for attendees at the conference. The first test was to determine the number of attendees who interacted with seven posters placed in clear sightlines throughout the Victoria Conference Center.
Each poster contained a QR code with the title of the conference and follow-up information below it informing participants how the technology works (see Figure 1).
The second test involved business card sized printouts of a different QR code linking to a website with the same information as the website for the poster experiment. After users connected via the QR code, they were directed to a web page with a skull and crossbones icon. Further information was provided, vaguely prompting the user about the potential insecurities of QR codes. After reading the information, the user was also encouraged to attend a security talk at the conference that would give further information on the security threats (see Figure 2).
Experiment one ran throughout the full two days of the conference. The purpose of this strategy was to receive as much participation from the attendees as possible. Experiment two was directed towards a small subsection of the whole attending population.
This experiment took place within a 90 minute presentation on social media security. Most user activity occurred before the presentation, as everyone was entering the lecture room, and as the presentation was beginning. Each of the QR landing websites was set up with an analytics tool to analyse the data that user devices provide to internet services, unknown to the individuals who use such services. Data from the conference can be viewed below (see Chart 1).
Although the data collected was not the initial purpose of the experiments, examining the information gathered provides an interesting analysis: the majority of users who participated were iPhone users. The total attendee count is unknown, as is the number of handheld devices capable of using such technology. The result is that a total of 31 people would potentially have compromised their devices if the QR codes were indeed malicious. Regardless of the sample size, there is an issue with accepting technology as it is without considering a “what if” scenario.
The purpose of using QR codes during the social media conference was to demonstrate the insecurities of such technologies to the conference attendees. As the largest social media conference in Canada, this was the perfect setting to launch such experiments. If anything was learned from the experiments, it is that a substantial quantity of information relating to the user is given away when visiting websites; furthermore, not knowing what the end user is accepting opens the potential to compromise the user's devices. Security is a spectrum between convenience and safety. It is up to the consumer to understand the degrees of the spectrum and place themselves where they are comfortable, after they understand the risks involved.
Brandon Laur has written specifically on the dangers of QR codes. This was based on an Internet and Social Media Safety Presentation that he, along with Personal Protection Systems, conducted at “Social Media Camp 2012”, which is the largest event of its kind in North America.