QR - Inception: Barcode in Barcode Attacks

A. Dabrowski, K. Krombholz, J. Ullrich, E. Weippl:
"QR - Inception: Barcode in Barcode Attacks";
Vortrag: 4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), Scottsdale, Arizona, USA; 03.11.2014 - 07.11.2014; in:"ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices", (2014).

[ Publication Database ]


2D barcodes o er many bene ts compared to 1D barcodes,
such as high information density and robustness. Before
their introduction to the mobile phone ecosystem, they have
been widely used in speci c applications, such as logistics or
ticketing. However, there are multiple competing standards
with di erent bene ts and drawbacks. Therefore, reader
applications as well as dedicated devices have to support
multiple standards.
In this paper, we present novel attacks based on deliberately
caused ambiguities when especially crafted barcodes
conform to multiple standards. Implementation details decide
which standard the decoder locks on. This way, two
users scanning the same barcode with di erent phones or
apps will receive di erent content. This potentially opens
way for multiple problems related to security. We describe
how embedding one barcode symbology into another can be
used to perform phishing attacks as well as targeted exploits.
In addition, we evaluate the extent to which popular 2D
barcode reader applications on smartphones are susceptible
to these barcode-in-barcode attacks. We furthermore discuss
mitigation techniques against this type of attack.