Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSec 2012

Post on 22-Nov-2014


description

Malicious URLs have been plaguing users for years. The use of shortened URLs, redirect exploits, and other techniques has made detection of malicious links a much tougher problem, both for users who have to make a decision and for the technical controls meant to protect them. This has gotten worse with the proliferation of QR codes and NFC tags. In this talk, I'll discuss research I conducted concerning the effectiveness of attacks using malicious QR codes, issues with mobile device QR code readers, an education campaign that resulted, and recommendations for users, publishers, app developers, and information security practitioners.

transcript

Steve Werby (@stevewerby) ConSec 2012: Forget Malicious Links and Fear the QR Code

Forget Malicious Links and Fear the QR Code

http://bit.ly/consec2012

Steve Werby, Security Researcher and Consultant
ConSec 2012


The rules

Have a question? Ask away!
Have a comment? Share!
I will ask you some questions too.
I will give away Attrition shirts to a subset of those who participate.


Disclaimer

The opinions shared represent my views, the views of my clients, the views of my past employers, and most importantly, the views of my future employers.


Disclaimer

Ahoy, matey! Th' opinions shared represent me views.



Who am I?

ISACA Certified Information Security Manager (CISM), 2010 (not quite)
(ISC)2 Certified Information Systems Security Professional (CISSP), 2010
GIAC Security Leadership Certification (GSLC), 2008
GIAC Certified Forensics Analyst (GCFA), 2007
GIAC Web Application Security Certificate (GWAS), 2007
GIAC Security Essentials Certification (GSEC), 2007
GIAC Certified Incident Handler (GCIH), 2006
MBA, Virginia Commonwealth University
BS, Industrial and Systems Engineering, Virginia Tech


Agenda

1. Overview of QR codes
2. Planning the research study
3. Deploying the research study
4. Analysis of the results
5. Education campaign
6. Recommendations to reduce risk
7. Q&A


Takeaways

1. QR codes pose risk similar to shortened URLs
2. Not all QR code readers are created equal
3. People are easily socially engineered
4. Resource for educating users


Overview: Shortened URL risk

No visual cue what the destination web page is
May point to a malicious web page
May point to a legitimate web page, with an intermediary malicious web page

bit.ly/a301xD => ?


Overview: QR codes

1. 2-D barcode
2. Varies by:
   1. Mode
   2. Version
   3. Level of error correction


Overview: Target actions

1. URL
2. Text
3. Calendar entry
4. SMS
5. Email
6. vCard
7. Phone call


Overview: Threat

1. Deliver [malicious|undesired] payload
2. Funnel to [malicious|undesired] destination
3. MiTM


Overview: Threat

1. Deliver [malicious|undesired] payload
   1. Exploit app vulnerability
   2. Exploit OS vulnerability
2. Funnel to [malicious|undesired] destination
   1. Phishing page
   2. Premium SMS
3. MiTM
   1. Clickjacking, framesniffing, etc.
   2. CSRF, XSS


Overview: Examples


Planning: Goals

Evaluate QR code readers' controls and default behavior
Assess user vulnerability to attacks
Educate users


Planning

Mediums
What to measure
Granularity


Planning: Mediums

Electronic: web, email, Facebook
1:1 print: mailers, newspaper inserts, flyers
1:n print


Planning: Campaigns

Classes: Original, Added, Overlaid
URL display: No written URL, Written shortened URL, Written real URL


Planning: Granularity

Granular:
Campaign
Campaign variants
Physical location by GPS coordinates
Target action performed
Education


Planning: What to measure

Count people scanning QR code
Count people who perform target action
   By choice
   Automatically
Effectiveness of campaign types
Effectiveness of context


Planning: Flow

qrcoderisk.com
spoofed
spoofed => qrcoderisk.com
innocuous
innocuous => qrcoderisk.com
Shortened URL => qrcoderisk.com
Shortened URL => qrcoderisk.com => real
Shortened URL => innocuous => real
Shortened URL => spoofed => real

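The shortened-URL risk slide and the flow list above share one practical question: what is actually behind the code before anything opens? The following is an added example, not code from the talk or from qrcoderisk.com. It implements the check the Android reader comparison later calls "Expand Shortened URL": follow each 3xx Location header with a HEAD request, record the whole chain, and report what the user could never see in the code itself (shortener hops, intermediary hosts, loops). The hostnames in FAKE_REDIRECTS are constructed to mirror the study's flows (shortened URL => spoofed or innocuous page => real page) and stand in for the network so the example runs offline; live_fetch() is the same walk against a real host.

```python
"""Expand a shortened URL one redirect at a time, without opening the page.

Added example; not code from the talk or from qrcoderisk.com. The shortener
list and the FAKE_REDIRECTS table are constructed assumptions.
"""
from __future__ import annotations

import http.client
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit

# Hosts whose only job is to hide the destination (assumed list; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# Constructed redirect table: URL -> Location header it would return (absent = final page).
FAKE_REDIRECTS = {
    # shortened URL => innocuous page => study site
    "http://bit.ly/qrcode123": "http://qrcode-innocuous.example/r/123",
    "http://qrcode-innocuous.example/r/123": "http://qrcoderisk.example/?c=123",
    # shortened URL => spoofed login page => real site
    "http://bit.ly/qrcode456": "http://the-bank-portal.example/login",
    "http://the-bank-portal.example/login": "https://realbank.example/",
    # a redirect loop, which a naive follower would chase forever
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for live_fetch(): return the next hop or None."""
    return FAKE_REDIRECTS.get(url)


def live_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """HEAD one URL and return its absolute Location, or None if it is not a redirect.

    http.client never follows redirects on its own, which is the point: every
    hop is seen and recorded before the next request is made.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "qr-expander/0.1"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            return urljoin(url, location)   # Location may be relative
        return None
    finally:
        conn.close()


@dataclass
class Expansion:
    chain: list[str]                        # every URL visited, in order
    loop: bool = False                      # a hop pointed back into the chain
    truncated: bool = False                 # gave up after max_hops
    warnings: list[str] = field(default_factory=list)

    @property
    def final(self) -> str:
        return self.chain[-1]


def expand(url: str, fetch: Callable[[str], Optional[str]] = fake_fetch,
           max_hops: int = 10) -> Expansion:
    """Walk the redirect chain behind `url`; never fetch a body, never render."""
    result = Expansion(chain=[url])
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch(result.chain[-1])
        if nxt is None:
            break
        if nxt in seen:
            result.loop = True
            break
        result.chain.append(nxt)
        seen.add(nxt)
    else:
        result.truncated = True

    hosts = [urlsplit(u).hostname or "" for u in result.chain]
    if any(h in SHORTENER_HOSTS for h in hosts):
        result.warnings.append("chain passes through a URL shortener")
    # Anything between the first and last host is an intermediary the scanner never showed.
    intermediaries = sorted(set(hosts[1:-1]) - {hosts[0], hosts[-1]})
    if intermediaries:
        result.warnings.append("intermediary host(s): " + ", ".join(intermediaries))
    if result.loop:
        result.warnings.append("redirect loop")
    if result.truncated:
        result.warnings.append(f"more than {max_hops} hops; destination unknown")
    return result


if __name__ == "__main__":
    for start in ("http://bit.ly/qrcode123", "http://bit.ly/qrcode456",
                  "http://loop.example/a", "http://qrcoderisk.example/direct"):
        e = expand(start)
        print(start, "=>", " => ".join(e.chain[1:]) or "(no redirect)")
        for w in e.warnings:
            print("   !", w)
```

Pass fetch=live_fetch to run the same walk against a real shortener. The design point is that the final host is only one of the outputs: an intermediary host in the chain is exactly the "legitimate page with an intermediary malicious page" case, and a reader that jumps straight to the final page hides it.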

Planning: Attributes to capture

Campaigns
Campaign ID
Campaign variant ID
Campaign description
Flow type (direct, shortened URL)
URL display type (none, shortened URL, real)


Planning: Attributes to capture

Deployments
QR code ID
Campaign variant ID
Physical location
GPS coordinates
Number deployed
Type (original, added, overlaid)
Date deployed
Picture


Planning: Attributes to capture

Tracked
Visit ID
QR code ID
Campaign variant ID
IP address (stripped/purged after 72 hours)
User agent
Date/time


Planning: Attributes to capture

Surveyed
Visit ID
QR code reader
Knowledge of QR code risk
Data backed up
QR code reader behavior


Planning: Hosts and services

Hosts
qrcoderisk.com
the<word>portal.com
qrcode<obfuscated>.com (innocuous)
bit.ly/qrcodeNNN

Services
Amazon EC2 (LAMP platform)
bitly
QRStuff QR Code Generator
GPS Status (Android app)
Several Android QR code readers


Deploying: Setup

Generate shortened URLs using bitly
Create unique QR codes pointing to unique URLs
Print documents and stickers


Deploying: Locations

Easy to access
High foot traffic
Low security
Unlikely to be removed quickly


Deploying: Campaigns

Original: Suspicious, Plausible
Added / overlaid: Anything went


Deploying: Locations

Stores (grocery, department, etc.)
Schools
Events (sporting, conferences)
Vehicles (authorized!)


Analysis: Capturing

bitly tracking (when used)
Apache access.log
MySQL DB populated from access.log, user actions, user input

Sample access.log line:

66.87.xxx.yyy - - [14/Sep/2012:12:33:52 +0000] "GET /nnn HTTP/1.1" 200 558 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"

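The capture slide names the inputs (access.log, user actions, user input) and the tracked attributes (visit ID, QR code ID, IP address purged after 72 hours, user agent, date/time) but not how the log became rows. The following is an added example, not the talk's own ingestion script: it parses the combined log format shown above, keeps only hits whose path is a QR code ID, tags the platform from the user agent, ranks QR codes by scan count, and blanks the IP address once the 72-hour retention window has passed. The lines in SAMPLE_LOG are constructed (RFC 5737 addresses, made-up QR code IDs, one bot hit and one junk line for realism); the path convention "/<qr code id>" is an assumption taken from the "/nnn" in the slide.

```python
"""Turn Apache access.log lines into the per-visit records the study captured.

Added example; not the talk's own script. SAMPLE_LOG is constructed data and
the "/<numeric qr id>" path convention is an assumption.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Apache "combined" format: ip ident user [ts] "request" status size "referer" "ua"
# (Apache escapes embedded quotes as \" ; that case is not handled here.)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
QR_PATH_RE = re.compile(r"^/(\d{1,6})$")       # assumed: one numeric QR code ID per path
IP_RETENTION = timedelta(hours=72)             # from the "purged after 72 hours" attribute

# Constructed sample log (not real study data).
SAMPLE_LOG = """\
198.51.100.17 - - [14/Sep/2012:12:33:52 +0000] "GET /101 HTTP/1.1" 200 558 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
198.51.100.17 - - [14/Sep/2012:12:33:53 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
203.0.113.9 - - [14/Sep/2012:15:02:10 +0000] "GET /101 HTTP/1.1" 200 558 "-" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; SGH-T989 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
203.0.113.44 - - [15/Sep/2012:09:41:05 +0000] "GET /207 HTTP/1.1" 200 611 "-" "Mozilla/5.0 (Linux; Android 4.1.1; Nexus 7 Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19"
192.0.2.200 - - [15/Sep/2012:09:45:30 +0000] "GET /207 HTTP/1.1" 200 611 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
this line is not in combined log format
"""


@dataclass(frozen=True)
class Visit:
    qr_id: str
    ts: datetime
    status: int
    platform: str                 # ios / android / bot / other
    ip: Optional[str]             # None once purged


def platform_of(ua: str) -> str:
    """Coarse platform tag from the user agent; enough to split iOS vs Android scans."""
    if re.search(r"bot|crawl|spider", ua, re.I):
        return "bot"
    if re.search(r"iPhone|iPad|iPod", ua):
        return "ios"
    if "Android" in ua:
        return "android"
    return "other"


def parse_line(line: str) -> Optional[Visit]:
    """Return a Visit for a QR-code hit, or None for noise (favicon, malformed lines)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path = QR_PATH_RE.match(m["path"])
    if not path:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Visit(path.group(1), ts, int(m["status"]), platform_of(m["ua"]), m["ip"])


def parse_log(text: str) -> list[Visit]:
    return [v for v in (parse_line(l) for l in text.splitlines()) if v is not None]


def rank_qr_codes(visits: list[Visit], include_bots: bool = False) -> list[tuple[str, int]]:
    """Scan count per QR code ID, highest first (crawlers excluded by default)."""
    counts = Counter(v.qr_id for v in visits if include_bots or v.platform != "bot")
    return counts.most_common()


def purge_ips(visits: list[Visit], now: datetime) -> list[Visit]:
    """Drop the IP address from every visit older than the retention window."""
    return [replace(v, ip=None) if now - v.ts > IP_RETENTION else v for v in visits]


if __name__ == "__main__":
    visits = parse_log(SAMPLE_LOG)
    print(rank_qr_codes(visits))
    later = datetime(2012, 9, 17, 14, 0, tzinfo=timezone.utc)
    for v in purge_ips(visits, later):
        print(v.qr_id, v.ts.isoformat(), v.platform, v.ip)
```

Run purge_ips() from a scheduled job against the stored rows rather than at import time; the counts and platform split survive the purge because they never depended on the address. Excluding crawler hits matters for the ranking: a bot that fetches every posted URL inflates a campaign's "scans" without anyone having pointed a phone at it.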

Analysis (preliminary): Campaigns

Ranking (scans):
Free iPad (20)
Work at home (17)
Scan me for recipes (13)
Catchall of Added (11)
Mystery shopper (9)
Scan this I dare you (8)
Catchall of Overlaid (7)
Don't scan me (6)
Only a QR code (5)
Scan me (4)


Analysis: Tools for Android

Tool                          Expand shortened URL  Warn if malicious  Default post-scan action  Edit post-scan actions  Save scanned QR codes
QR Droid                      No                    No                 Ask                       By type                 Yes
Microsoft Tag                 No                    No                 Open                      No                      Yes
Quick Barcode Scanner         No                    No                 Open                      No                      No
Scanlife Barcode & QR Reader  No                    No                 Open                      Yes, global             Yes
QuickMark Barcode Scanner     No                    No                 Ask                       No                      Yes


Education campaign: Components

Risks that QR codes can pose
What to look for
Tool features
Tool recommendations


Education campaign: Measurement

Knowledge of the risk
QR reader used
What was gained:
   New knowledge
   Intent to change behavior


Reducing risk: Publishers

Describe in detail what the QR code does
Do not use shortened URLs for QR codes


Reducing risk: App developers

Give users control over QR code actions
Set default settings to lowest risk

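The two app-developer recommendations, together with the seven target actions listed in the overview, reduce to a small piece of reader logic: recognise what kind of action the payload encodes, consult a per-action setting the user can edit, and default everything that costs money or contacts a third party to "ask" rather than "open". The following is an added example, not code from the talk or from any reader in the comparison table. The content prefixes (tel:, mailto:, SMSTO:, MATMSG:, MECARD:, BEGIN:VCARD, BEGIN:VEVENT) are the conventions popularised by ZXing-based readers; the exact grammar handled here, the short-code heuristic for premium SMS, and the sample payloads are assumptions made for the example.

```python
"""Classify a scanned QR payload by target action and apply a least-risk policy.

Added example; not code from the talk or from any reader it compares. Prefix
grammar, the short-code heuristic and the sample payloads are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit


class Action(Enum):
    URL = "url"
    TEXT = "text"
    CALENDAR = "calendar"
    SMS = "sms"
    EMAIL = "email"
    VCARD = "vcard"
    PHONE = "phone"


class Mode(Enum):
    OPEN = "open"      # act immediately: the "Open" default in the reader comparison
    ASK = "ask"        # show the decoded target and wait for confirmation
    BLOCK = "block"    # refuse and tell the user why


@dataclass(frozen=True)
class Scan:
    action: Action
    target: str        # what the action would act on: URL, number, address
    raw: str


def classify(payload: str) -> Scan:
    """Map raw QR text to one of the seven target actions."""
    p = payload.strip()
    up = p.upper()
    if up.startswith(("HTTP://", "HTTPS://")):
        return Scan(Action.URL, p, payload)
    if up.startswith("TEL:"):
        return Scan(Action.PHONE, p[4:], payload)
    if up.startswith("MAILTO:"):
        return Scan(Action.EMAIL, p[7:].split("?", 1)[0], payload)
    if up.startswith("MATMSG:"):                       # MATMSG:TO:addr;SUB:..;BODY:..;;
        m = re.search(r"TO:([^;]*);", p, re.I)
        return Scan(Action.EMAIL, m.group(1) if m else "", payload)
    if up.startswith(("SMSTO:", "SMS:")):              # SMSTO:number:message
        return Scan(Action.SMS, p.split(":", 2)[1], payload)
    if up.startswith(("BEGIN:VCARD", "MECARD:")):
        return Scan(Action.VCARD, "", payload)
    if "BEGIN:VEVENT" in up:
        return Scan(Action.CALENDAR, "", payload)
    return Scan(Action.TEXT, p, payload)               # anything else is just text


def looks_like_short_code(number: str) -> bool:
    """Heuristic (assumption): 3-6 digit destinations are carrier short codes,
    the usual vehicle for premium-rate SMS."""
    return re.fullmatch(r"\d{3,6}", number.strip()) is not None


# Lowest-risk defaults: only displaying text happens without a prompt.
DEFAULT_POLICY: dict[Action, Mode] = {
    Action.TEXT: Mode.OPEN,
    Action.URL: Mode.ASK,
    Action.EMAIL: Mode.ASK,
    Action.VCARD: Mode.ASK,
    Action.CALENDAR: Mode.ASK,
    Action.PHONE: Mode.ASK,
    Action.SMS: Mode.ASK,
}


def decide(scan: Scan, policy: dict[Action, Mode] = DEFAULT_POLICY) -> tuple[Mode, str]:
    """Return what the reader should do and the text to show the user.

    `policy` is the user-editable per-type setting (the "By type" control in
    the table); a hard block for actions that cost money overrides it.
    """
    if scan.action is Action.SMS and looks_like_short_code(scan.target):
        return Mode.BLOCK, f"SMS to short code {scan.target}: possible premium-rate charge"
    mode = policy.get(scan.action, Mode.ASK)
    if scan.action is Action.URL:
        host = urlsplit(scan.target).hostname or "(no host)"
        return mode, f"Open {host} ({scan.target})?"
    if scan.action in (Action.SMS, Action.PHONE, Action.EMAIL):
        return mode, f"{scan.action.value} to {scan.target}?"
    return mode, f"{scan.action.value}: {scan.target or scan.raw[:40]}"


if __name__ == "__main__":
    samples = ["http://bit.ly/qrcode123", "SMSTO:12345:JOIN", "tel:+15555550100",
               "MATMSG:TO:help@example.org;SUB:hi;BODY:hello;;", "Scan me for recipes"]
    for s in samples:
        mode, msg = decide(classify(s))
        print(f"{mode.value:5} {msg}")
```

The prompt text deliberately leads with the host (or number, or address) rather than the full payload: that is the one thing the user can check against the printed context, and the one thing a shortened URL hides.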

Reducing risk: Users

Be cautious
Use QR code readers with adequate controls, and enable them


Reducing risk: Infosec practitioners

Make constituents aware of the risk
Deploy/configure/recommend adequate tools


Takeaways

1. QR codes pose risk similar to shortened URLs
2. Not all QR code readers are created equal
3. People are easily socially engineered
4. Resource for educating users


Thanks

@itandmore for helping come up with the research idea
@tbwerby for assisting with copywriting, graphics, and deployment
Volunteers for deployment assistance
wtfqrcodes.com for many of the interesting QR code examples
ConSec for selecting my presentation


Next steps

Continue research (volunteers?)
Implement qrcoderisk.com as an ongoing security awareness site (possibly)


Q&A

Ask now, or track me down later:
<EMAIL ADDRESS STRIPPED>
@stevewerby
DerbyCon
SecTor
Hack3rcon