QR Code Security: A Survey of Attacks and Challenges for Usable Security

  • Katharina Krombholz
  • Peter Frühwirt
  • Peter Kieseberg
  • Ioannis Kapsalis
  • Markus Huber
  • Edgar Weippl
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)

Abstract

QR (Quick Response) codes are two-dimensional barcodes with the ability to encode different types of information. Because of their high information density and robustness, QR codes have gained popularity in various fields of application. Even though they offer a broad range of advantages, QR codes pose significant security risks. Attackers can encode malicious links that lead, e.g., to phishing sites. Such malicious QR codes can be printed on small stickers and replace benign ones on billboard advertisements. Although many real-world examples of QR code based attacks have been reported in the media, little research has been conducted in this field and almost no attention has been paid to the interplay of security and human-computer interaction. In this work, we describe the manifold use cases of QR codes. Furthermore, we analyze the most significant attack scenarios with respect to the specific use cases. Additionally, we systematize the research that has already been conducted and identify usable security and security awareness as the main research challenges. Finally, we propose design requirements with respect to the QR code itself, the reader application and usability aspects in order to support further research into making QR code processing both secure and usable.

Keywords

QR codes, security, HCI, usability

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Katharina Krombholz (1)
  • Peter Frühwirt (1)
  • Peter Kieseberg (1)
  • Ioannis Kapsalis (1)
  • Markus Huber (1)
  • Edgar Weippl (1)

  1. SBA Research, Vienna, Austria