Abstract — Quick Response (QR) codes are two-dimensional barcodes that can be used to efficiently store a small amount of data. They are increasingly used in all fields of life, especially with the wide spread of smart phones, which are used as QR code scanners. While QR codes have many advantages that make them very popular, several security issues and risks are associated with them. Running malicious code, stealing users' sensitive information, violating their privacy and identity theft are typical security risks to which a user might be subjected in the background while he/she is just reading the QR code in the foreground. In this paper, a security system for QR codes that addresses the security concerns of both users and generators is implemented. The system is backward compatible with the current standard for encoding QR codes. The system is implemented and tested using an Android-based smartphone application. It was found that the system introduces a small overhead in terms of the delay required for integrity verification and content validation.

Keywords — QR Code; Smart Phones Security; Security algorithms; privacy; generator authentication; content validation; data integrity; threat isolation

I. INTRODUCTION

A QR code is an image of a matrix barcode that stores data in two dimensions. Data is presented as square dots in a specific pattern in both the horizontal and vertical dimensions. Specific imaging devices (QR scanners) can read this image and retrieve the stored data based on the pattern of square dots. The QR code was invented in 1994 by Denso Wave for tracking vehicles during manufacture [1]. There are several standards for data encoding in QR codes; the latest is ISO/IEC 18004:2006, Information technology -- Automatic identification and data capture techniques -- QR Code 2005 bar code symbology specification [2]. Smart phone devices can be used as QR code scanners: the embedded camera in the smart phone captures an image of the QR code, then an application analyzes the pattern of square dots to retrieve the encoded data and displays it in a useful form.

QR codes can be used for item identification, object tracking, general marketing and advertisements. One common use of QR codes is web address encoding, where a Uniform Resource Locator (URL) is encoded in the QR code to provide more information about a product. This is important to overcome the limited size of the data that can be encoded in a QR code: web pages can contain any needed information, and reader applications can open the smart phone web browser and go to the specified web address. Contact information such as phone numbers, contact names and emails can also be stored in QR code labels.

There are many specific applications that use QR codes. The authors in [6] provide a novel educational system for the holy Quran using QR codes. Another is a one-time password authentication protocol using QR codes, presented in [7]. Furthermore, object identification for blind and visually impaired people is proposed in [8]. Finally, a novel security system for fish tracking using QR codes and asymmetric key cryptography is demonstrated in [17].

Although QR codes have many advantages, there are several security risks associated with them. Intruders can use QR codes to launch several attacks targeting QR scanning devices (smart phones) and violating users' privacy. Attackers can reach sensitive information such as login passwords of emails and social networks, contact information, photos, videos and banking accounts. Attackers may take full control of mobile devices: they can enable the microphone, camera and GPS, and even use smart phone devices in future attacks as part of a botnet or in DDoS attacks [1, 4]. Examples of attacks that can be launched using QR codes include phishing attacks, in which users are redirected to fake web sites; fraud attacks, in which attackers create fake posters and advertise unreal commodities or special offers; malware propagation; command injection; and SQL injection attacks [4, 9, 10]. Other attack scenarios can also be carried out using malicious QR codes. There is an increasingly important need for security and protection techniques to overcome these security threats.

The main problem with QR codes is that they are not human readable; they can only be read using specific machines (scanning devices), so the user cannot tell what a code contains before the scanner acts on it. In September 2011 the first malicious usage of QR codes was detected by Kaspersky Lab. The attack was performed using a malicious link encoded in a QR code, so that users were directed to a web page from which a malicious file was downloaded without their knowledge [3].

Since QR codes can be used by intruders to violate users' privacy and launch several attacks targeting smart phone devices, there is an urgent need for common security rules and algorithms that prevent such attacks, maximize smart phone security, and preserve users' privacy.
3. The reader application sends a request to the TTP asking for the generator's public key. The request contains the generator's ID and is sent in clear text.

4. If the generator ID is registered in the TTP server, a message is sent to the client (reader application) with the following fields:
   a. Generator ID (ID).
   b. Generator public key (GPU).
   c. Current time stamp.
   d. Digital signature (DS): all message contents are hashed using SHA-1 and signed with the TTP private key using the DSA algorithm.

5. If the generator ID is not registered in the TTP server, a message is sent to the client (reader application) with the following fields:
   a. Generator ID.
   b. "ID IS NOT VALID" message.
   c. Current time stamp.
   d. Digital signature: all message contents are hashed using SHA-1 and signed with the TTP private key using the DSA algorithm.

To check URLs, our proposed method uses a verification server. The algorithm steps are shown in Fig. 3:

1. The QR code scanner sends the QR contents (the embedded URL) to the verification server and requests URL checking.
2. The verification server's operations may include visiting these URLs and monitoring for malicious JavaScript code; the verification server has stronger antivirus, intrusion detection and firewall software than the ones found on mobile phones.
3. The verification server sends a response back to the scanner with a recommendation on whether this URL is safe to visit or not, together with more information such as the fully expanded URL (note that it is common for QR codes to encode shortened URLs).

For secure communication between the reader application and the verification server, HTTPS (HTTP over SSL/TLS) is used. Thus, the verification process can be offered as a secure web service.
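The TTP key-lookup exchange of steps 3 to 5 above, carried through to the reader's decision about the scanned code, as an added example in Go. This is not code from the paper or its Android application. Two substitutions are labelled in the code: ECDSA over P-256 with SHA-256 stands in for the paper's DSA over SHA-1 (SHA-1 is no longer acceptable for new signature deployments, and the sign/verify calls have the same shape), and the signed payload layout "SQR1|<generator id>|<content>|<signature>", the in-memory registry, the five-minute acceptance window for the reply timestamp, and all names and sample values are assumptions of this example, since the steps on this page do not fix them. Because the request in step 3 is sent in clear text, the reader trusts nothing in the reply except what the TTP signature and timestamp cover, so the example verifies those before it looks at the generator key, and it keeps the backward-compatible path: an unsigned code is still decoded, but returned with a warning rather than a verified verdict.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

type TTPReply struct { // the fields of the paper's steps 4 and 5
	GeneratorID string
	GenPub      *ecdsa.PublicKey // nil when the ID is not registered
	Status      string           // "" when registered, else "ID IS NOT VALID"
	Timestamp   int64
	Sig         []byte // TTP signature over digest()
}

// digest hashes every field in a fixed order (the paper uses SHA-1; SHA-256 here).
func (r *TTPReply) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%s\n%d\n", r.GeneratorID, r.Status, r.Timestamp)
	if r.GenPub != nil {
		fmt.Fprintf(h, "%064x%064x", r.GenPub.X, r.GenPub.Y)
	}
	return h.Sum(nil)
}

func newKey() *ecdsa.PrivateKey { // P-256 key pair, used for the TTP and for generators
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

type TTP struct { // trusted third party: its signing key plus the generator registry (assumed in-memory)
	Key      *ecdsa.PrivateKey
	Registry map[string]*ecdsa.PublicKey
}

// Lookup answers the clear-text request of step 3 with the signed message of step 4 or step 5.
func (t *TTP) Lookup(id string, now time.Time) TTPReply {
	r := TTPReply{GeneratorID: id, GenPub: t.Registry[id], Timestamp: now.Unix()}
	if r.GenPub == nil {
		r.Status = "ID IS NOT VALID"
	}
	r.Sig, _ = ecdsa.SignASN1(rand.Reader, t.Key, r.digest())
	return r
}

const maxSkew = 5 * time.Minute // assumed freshness window; blocks replay of a captured reply after revocation

// CheckTTPReply is the reader's side of steps 4/5; ttpPub is the TTP key shipped with the reader (its trust anchor).
func CheckTTPReply(ttpPub *ecdsa.PublicKey, r TTPReply, now time.Time) (*ecdsa.PublicKey, error) {
	if !ecdsa.VerifyASN1(ttpPub, r.digest(), r.Sig) {
		return nil, fmt.Errorf("TTP signature invalid")
	}
	if d := now.Sub(time.Unix(r.Timestamp, 0)); d > maxSkew || d < -maxSkew {
		return nil, fmt.Errorf("TTP reply timestamp outside acceptance window")
	}
	if r.Status != "" || r.GenPub == nil {
		return nil, fmt.Errorf("generator %q rejected by TTP: %s", r.GeneratorID, r.Status)
	}
	return r.GenPub, nil
}

const signedPrefix = "SQR1|" // assumed payload layout, not from the paper: "SQR1|<id>|<content>|<base64 signature>"
var ErrUnsigned = fmt.Errorf("unsigned QR code: generator and integrity unverified") // plain code: decoded, but warned

// SignQR is the generator side: id and content are signed under the generator's own key.
func SignQR(id string, key *ecdsa.PrivateKey, content string) string {
	d := sha256.Sum256([]byte(id + "\n" + content))
	sig, _ := ecdsa.SignASN1(rand.Reader, key, d[:])
	return signedPrefix + id + "|" + content + "|" + base64.StdEncoding.EncodeToString(sig)
}

// ReadQR returns a nil error only when the TTP reply and the content signature both verify; unsigned codes get ErrUnsigned.
func ReadQR(payload string, ttp *TTP, ttpPub *ecdsa.PublicKey, now time.Time) (content, generator string, err error) {
	if !strings.HasPrefix(payload, signedPrefix) {
		return payload, "", ErrUnsigned
	}
	rest := payload[len(signedPrefix):]
	i, j := strings.Index(rest, "|"), strings.LastIndex(rest, "|")
	if i < 0 || j <= i {
		return "", "", fmt.Errorf("malformed signed QR payload")
	}
	generator, content = rest[:i], rest[i+1:j]
	sig, _ := base64.StdEncoding.DecodeString(rest[j+1:]) // bad base64 simply fails verification
	genPub, err := CheckTTPReply(ttpPub, ttp.Lookup(generator, now), now) // Lookup stands in for the network round trip
	if err != nil {
		return content, generator, err
	}
	if d := sha256.Sum256([]byte(generator + "\n" + content)); !ecdsa.VerifyASN1(genPub, d[:], sig) {
		return content, generator, fmt.Errorf("content signature invalid: QR code altered or forged")
	}
	return content, generator, nil
}
```

The TTP public key has to be provisioned with the reader application; a reader that fetched it over the same clear-text channel as the step 3 request would gain nothing, because whoever answers that request could also supply the key. The timestamp check is what stops an attacker who recorded an old "registered" reply from replaying it after the generator's key has been revoked; the window chosen here is an assumption, and in practice it should be no wider than the clock skew the deployment tolerates.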
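The URL verification exchange of steps 1 to 3 above, with both the scanner side and the verification server side, as an added Go example that is not part of the paper or its application. The redirect table and the blocklist are constructed data standing in for the server actually visiting links and running its scanners (step 2); the JSON field names, the /check path, the hop limit and the policy rules (bare-IP host, blocklisted host, non-HTTPS final target, redirect loop) are assumptions of this example rather than the paper's. The service is served over TLS through net/http/httptest, which mirrors the paper's use of HTTPS between reader and server.

```go
package main

import (
	"bytes"
	"encoding/json"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// CheckResponse is the server's answer (step 3): a recommendation, the fully
// expanded link, and the reasons behind a negative recommendation.
type CheckResponse struct {
	Safe     bool     `json:"safe"`
	Expanded string   `json:"expanded_url"`
	Reasons  []string `json:"reasons"`
}

// Constructed data standing in for the server actually visiting the links
// (step 2): a short-link redirect table and a blocklist fed by its scanners.
var (
	redirects = map[string]string{
		"http://sho.rt/offer": "https://shop.example.com/spring-sale",
		"http://sho.rt/app":   "http://198.51.100.7/update.apk",
		"http://sho.rt/loop":  "http://sho.rt/loop",
	}
	blocklist = map[string]bool{"malware.example.net": true}
)

// expand follows redirects as a browser would, with a hop limit so that a
// redirect loop cannot tie up the server.
func expand(raw string) (string, bool) {
	for hop := 0; hop < 5; hop++ {
		next, ok := redirects[raw]
		if !ok {
			return raw, true
		}
		raw = next
	}
	return raw, false
}

// CheckURL applies the server-side policy to one QR-encoded URL.
func CheckURL(raw string) CheckResponse {
	final, ok := expand(raw)
	resp := CheckResponse{Expanded: final}
	if !ok {
		resp.Reasons = append(resp.Reasons, "redirect chain too long or looping")
	}
	u, err := url.Parse(final)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		resp.Reasons = append(resp.Reasons, "not an http(s) URL")
		return resp // Safe stays false
	}
	host := strings.ToLower(u.Hostname())
	if net.ParseIP(host) != nil {
		resp.Reasons = append(resp.Reasons, "host is a bare IP address")
	}
	if blocklist[host] {
		resp.Reasons = append(resp.Reasons, "host is on the blocklist")
	}
	if u.Scheme != "https" {
		resp.Reasons = append(resp.Reasons, "final target is not served over HTTPS")
	}
	resp.Safe = len(resp.Reasons) == 0
	return resp
}

// checkHandler exposes CheckURL as a JSON web service: POST {"url": "..."}.
func checkHandler(w http.ResponseWriter, r *http.Request) {
	var req struct{ URL string }
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil {
		http.Error(w, "expected POST with JSON body", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(CheckURL(req.URL))
}

// NewVerificationServer serves the check over TLS (httptest issues a self-signed certificate).
func NewVerificationServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(checkHandler))
}

// AskServer is the reader side. srv.Client() trusts the test certificate; a real
// reader must validate or pin the server certificate, or a spoofed server could approve anything.
func AskServer(srv *httptest.Server, raw string) (CheckResponse, error) {
	body, _ := json.Marshal(map[string]string{"url": raw})
	resp, err := srv.Client().Post(srv.URL+"/check", "application/json", bytes.NewReader(body))
	if err != nil {
		return CheckResponse{}, err
	}
	defer resp.Body.Close()
	var out CheckResponse
	return out, json.NewDecoder(resp.Body).Decode(&out)
}
```

The reader acts only on the returned Expanded and Safe fields and never opens the raw QR content itself, which is what keeps a short link from hiding its real target. The HTTPS channel protects the verdict in transit, but only if the reader validates the server certificate: an attacker who can impersonate the verification server can mark every malicious link as safe.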
There are several QR code reader implementations; attackers may exploit any implementation vulnerability to compromise the reader device. The reader application's permissions can be abused to launch several attacks such as buffer overflow, command injection and SQL injection.

[Figure (caption not recovered): y-axis "Delay in milliseconds" (0 to 4000), x-axis "QR Code Number" (1 to 19)]

[Figure: y-axis "Time delay in milliseconds" (0 to 150), x-axis "QR Number" (1 to 19)]
Fig. 6. Signature verification delay

Compared with other barcode security applications, the Secure QR Code system has additional features. Referring to TABLE I, we can add an additional row for our QR code security system, as shown in the right part of Table III. In fact, the proposed system, in contrast to the Norton Snap QR code reader [13], provides malicious content isolation. In addition, it provides online content verification, generator authentication and an integrity guarantee, which are not provided by the QR & Barcode Reader application [14].

TABLE III. SECURE QR CODE APPLICATION FEATURES.

Feature                        Secure QR Code
Code Type                      QR Code
Online Contents Verification   Yes
Isolate Malicious Contents     Yes
Generator Authentication       Yes
Integrity Guarantee            Yes

REFERENCES

[2] ISO/IEC 18004:2006, Information technology -- Automatic identification and data capture techniques -- QR Code 2005 bar code symbology specification.
[3] A. S. Narayanan, "QR codes and security solutions," International Journal of Computer Science and Telecommunications, vol. 3, no. 7, July 2012.
[4] P. Kieseberg, M. Leithner, M. Mulazzani, L. Munroe, S. Schrittwieser, M. Sinha, E. Weippl, "QR code security," 2010.
[5] Norton Safe Web, retrieved May 21, 2014, from https://safeweb.norton.com/.
[6] H. A. Wahsheh, Y. A. Wahsheh, R. A. Wahsheh, "Novel educational system for holy Quran using QR codes," Proceedings of the Al-Zaytona University International Engineering Conference on Sustainability in Design and Innovation, May 13-15, 2014, Amman, Jordan.
[7] K. Liao, W. Lee, "A novel user authentication scheme based on QR-code," Journal of Networks, vol. 5, no. 8, August 2010.
[8] H. S. Al-Khalifa, "Utilizing QR code and mobile phones for blinds and visually impaired people," in K. Miesenberger et al. (Eds.), ICCHP 2008, LNCS 5105, pp. 1065-1069, 2008.
[9] GoSafeOnline, "QR Code – falling prey to malicious website," Monthly Newsletter, Issue No. 2013-06.
[10] CSO Online, retrieved May 21, 2014, from http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
[11] I. Kapsalis, "Security of QR codes," Master in Security and Mobile Computing, Norwegian University of Science and Technology, 2013.
[12] L. R. Yin, Z. Zhang, N. Baldwin, "Perceived security risks of using Quick Response (QR) codes in mobile computing with smart phones," 2014.
[13] Norton Snap QR code reader, retrieved May 21, 2014, from https://play.google.com/store/apps/details?id=com.symantec.norton.snap
[14] QR & Barcode Reader (Secure), retrieved May 21, 2014, from https://play.google.com/store/apps/details?id=com.dodo.scannersecure
[15] Api.qrserver, retrieved May 21, 2014, from https://api.qrserver.com.
[16] Wikipedia, "HTTP location," retrieved May 21, 2014, from http://en.wikipedia.org/wiki/HTTP_location
[17] S. Kuwabara, S. Mikami, Y. Takahashi, M. Yoshikawa, H. Narumi, K. Koganezaki, T. Wakabayashi, A. N. Seino, "Development of the traceability system which secures the safety of fishery products using the QR code and a digital signature," IEEE, 2004.
VI. CONCLUSION AND FUTURE WORK

In this paper, we have designed a novel security system for QR codes. Since QR code security is essential and QR codes are increasingly used in all fields of life, this system can protect users' privacy and identity in addition to their smart phone devices. Our security system can detect attacks such as QR code fabrication, phishing and fraud attacks. Experiments show that the average time delay introduced by applying the security system is acceptable.

The proposed secure QR code application provides a higher security level while maintaining backward compatibility with QR codes that do not incorporate security features. Even if a QR code does not contain a digital signature, the application can still perform online content verification and malicious content isolation. However, it warns the user that the code is unsigned before giving the user the choice to continue or not.

We plan to extend this work in the future to other barcode types, enhance the implementation and add more security features.