{"id":6489,"date":"2020-11-18T08:52:28","date_gmt":"2020-11-18T03:22:28","guid":{"rendered":"https:\/\/www.hexnode.com\/blogs\/?p=6489"},"modified":"2022-09-16T08:08:35","modified_gmt":"2022-09-16T02:38:35","slug":"why-qr-codes-might-be-the-weakest-link-in-your-enterprise-security","status":"publish","type":"post","link":"https:\/\/www.hexnode.com\/blogs\/why-qr-codes-might-be-the-weakest-link-in-your-enterprise-security\/","title":{"rendered":"Why QR codes might be the weakest link in your enterprise security"},"content":{"rendered":"

Quick Response (QR) codes have always been popular, ever since it was first introduced in 1994 for the automotive industry in Japan. You can simply scan a QR code for code payments, to display text or message to users, to open a website URL, to save a vCard contact to the user\u2019s smartphone, for website login, or even to compose an email by simply scanning a QR code. With the COVID-19 threat looming over our heads, using QR codes for contactless transactions and interactions has become even more popular, adding on to the already large user base of QR codes.<\/span><\/p>\n

\"Scan<\/a><\/center>
Scan now to sign up for Hexnode’s 14-day free trial<\/em><\/center>The question is: Are QR codes really secure?<\/em><\/span><\/p>\n

For a business or an enterprise, cybersecurity<\/a> remains a high priority. While QR codes can make lives simpler, it could also turn out to be a source of malicious attacks. When you scan a QR code, how can you be sure that it is legitimate? What are the threats posed by QR codes?<\/span><\/p>\n

Security risks associated with QR codes<\/b><\/span><\/h2>\n

More than 20 percent of the Trojans and viruses are transmitted via QR codes. The threat posed by QR codes is manageable as it is not possible to hack QR codes. However, creating a QR code with explicit malicious intent is simple with readily available automated QR code generators. The possible attack scenarios can be summarised as: <\/span><\/p>\n

1. Malicious software attack<\/strong> <\/span><\/h3>\n

Cybercriminals often target unsuspecting users by embedding a malware in malicious websites. When the user visits such websites, the malware gets automatically downloaded to the user\u2019s device. This attack is called drive by download attack. Malicious apps could be installed via drive by download attack which would then exploit the device to leak sensitive data. Android smartphones are a particular target for these attacks. If the attacker uses a QR code to point towards the malicious website, the users can be tricked easily since they cannot see the web URL.<\/span><\/p>\n \t\t

\r\n \t\t\t \t\t\t \t\t\t\t

\r\n \t\t\t\t\t<\/p>\n

A true event<\/span><\/h4>\n

In 2011, Russian consumers became the victims of a malicious QR code scam. The QR code was disguised to download an Android app while downloading malware to the smartphone. After the download, the malware sent SMS to premium numbers, thus costing the users 5 USD per SMS.<\/span><\/p>\n

\t\t\t\t<\/p>\r\n \t\t\t \t\t\t\r\n \t\t<\/div>\r\n \t\t\n

2. Links to harmful websites<\/span><\/strong><\/h3>\n

Sometimes, websites can do a lot more harm than simply installing malware on your device. These websites may contain browser exploits – a malicious code that takes advantage of any vulnerabilities in your operating system. Browser exploits may gain access to the device camera or microphone, send emails, access browser data and more. The users would remain blissfully unaware as the attacks take place in the background, while the users just see a harmless website.<\/span><\/p>\n

3. Phishing<\/span><\/strong><\/h3>\n

Any discussion of cyberattacks is incomplete without discussing phishing. Phishing is a very prevalent method for hacking into web accounts. The attacker poses as a legitimate website and tricks the user into entering his\/her\/their login information or other sensitive data. The phishing attacks caused due to QR codes are also known as QRishing amongst researchers. <\/span><\/p>\n \t\t

\r\n \t\t\t \t\t\t \t\t\t\t

\r\n \t\t\t\t\t<\/p>\n

QRLJacking(Quick Response Login Jacking):<\/strong> QRLJacking is an attack vector that uses the \u201cLogin with QR code\u201d feature to gain access to all the applications that utilize it. The user is convinced to scan the attacker\u2019s QR code instead of the secure one.<\/span><\/span><\/p>\n

Attack Flow of QRLJacking<\/b><\/h4>\n
    \n
  1. A client-side QR session is initiated by the attacker. The Login QR code is then cloned to a phishing website. This fraudulent website with a valid and updated QR code is then sent to the victim.<\/li>\n
  2. The victim scans the QR code using the target app.<\/li>\n
  3. The attacker gains control over the victim\u2019s account. All the user data is exchanged with the attacker\u2019s session.<\/li>\n<\/ol>\n

    \t\t\t\t<\/p>\r\n \t\t\t \t\t\t\r\n \t\t<\/div>\r\n \t\t\n

    Login with QR codes – The risk vs utility <\/b><\/h4>\n

    Any authentication method is only usable if it is more secure than it is susceptible to risks. The traditional method of using credentials like username and password to login is still the most prevalent method for login used. This credential-based authentication has many shortcomings, with risks like phishing and issues like password fatigue(the need for the users to remember a large number of passwords for different accounts). The introduction of new approaches like \u201cSingle-Sign-On\u201d has relieved password fatigue by using a single account to authenticate to multiple services. It does come with its own shortcomings as losing one password would mean the loss of all the services associated with the SSO system.
    \nLogin with QR codes is an SSO model that uses QR code-based one-time passwords to login to the required service. At the first glance, this login method seems secure and reliable. However, if the user gets tricked to authenticate a malicious hacker to the target web services (such as in QRLJacking), it defeats the whole purpose of logging in with QR codes.<\/p>\n

    Preventing QR code attacks<\/b><\/span><\/h2>\n

    Caution is the primary step that you can take for preventing QR code attacks. The scope of malicious QR codes is limited but harmful. If you are an IT admin, educate the device users to take the following precautions while using QR codes in their daily lives:<\/span><\/p>\n